netstep Posted April 5, 2006

What are the security risks/fixes for storing credit card numbers in a MySQL DB? I just installed Authorize.net AIM in an SSL-secured store. http://www.oscommerce.com/community/contributions,4091

The payment module works super smooth, but it stores the CC# in the database unencrypted. In general this freaks me out because I don't know what the osC hack risks are. I don't want to be at risk or put my customers at risk of some nasty personal data loss lawsuit.

I asked my hosting company about the risks. They responded:

> The MySQL database is set up in a secure manner. The more likely point of attack would be your oscommerce installation, so please make sure to keep it up to date.

and

> The database is fairly secure. However, I would suggest encrypting the numbers if possible. An exploit of your php scripts would probably give the attacker access to the database and numbers since the script would need the login information to use authorize.net.

Does anyone know how to scramble the CC# for Authorize.net so it looks like 4001********2345? I posted this question in the 4091 support forum, but I think it is more general to osC as a whole. http://www.oscommerce.com/forums/index.php?sho...=199381&st=102#

Sam M. - Seattle
netstep Posted April 11, 2006 (Author)

I set up a manual CC# mask function. The CC# now shows as xxxxxxxxxxxx2222. I modified this contribution to suit my needs. Mine is v1.2: http://www.oscommerce.com/community/contributions,2509

Sam M. - Seattle
netstep Posted April 13, 2006 (Author)

I just added an automatic mask tool in Contribution 2509. It sends masked numbers to the store owner via email.

Sam M. - Seattle
dynamoeffects Posted April 13, 2006

Read up on CISP and PCI regulations:

> If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.
SteveODNet Posted April 13, 2006

Credit card companies have very strict security requirements for online merchants regarding data storage security. Last year in the US, there was talk of extending the data security laws that financial institutions are bound by to include merchants who accept credit cards as well, but I don't know if the extension was ever passed. If you are using osC, there is an extremely good chance that you are not equipped to meet credit card industry data storage requirements. If you are caught storing numbers, at the very least you'll probably lose your merchant account.
Sid04 Posted April 13, 2006

With all the different payment modules, etc., how does a person even know if the CC# is stored in the DB? Is there a common spot for it? I know mine show up on my invoices, with the middle digits masked, but I'm assuming the numbers are not stored in the DB. Any simple ways of checking?
netstep Posted April 14, 2006 (Author)

> Any simple ways of checking?

You should be able to run a test transaction. Whatever is in the DB will be displayed in the Order Details. Your payment module should explain how to run a test transaction.

Sam M. - Seattle
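An added example (not code from osCommerce, from contribution 2509 or from any poster) covering both the masking function netstep describes above and the "is a full number still in the DB?" check from the test-transaction post: a PHP mask helper that keeps only the last four digits (optionally also the first four, as in the 4001********2345 form asked for earlier), plus a Luhn-based detector that flags stored values which still look like a full card number. The `cc_number` and `orders_id` column names and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example, not osCommerce or contribution code.
// Assumes the raw card number arrives as a string from the payment module.

/**
 * Return a masked copy of $pan that keeps only the last $keepLast digits
 * (and optionally the first $keepFirst). PCI DSS permits displaying at most
 * the first six and last four digits; keeping only the last four is safer.
 * Returns '' for values that are not a plausible card number length.
 */
function mask_card_number(string $pan, int $keepLast = 4, int $keepFirst = 0, string $maskChar = 'x'): string
{
    $digits = preg_replace('/\D/', '', $pan);   // strip spaces and dashes
    $len = strlen($digits);
    if ($len < 12 || $len > 19) {
        return '';                              // refuse rather than store garbage
    }
    $visible = $keepFirst + $keepLast;
    if ($visible >= $len) {
        return str_repeat($maskChar, $len);     // never reveal more than intended
    }
    return substr($digits, 0, $keepFirst)
        . str_repeat($maskChar, $len - $visible)
        . substr($digits, -$keepLast);
}

/** Standard Luhn checksum over a string of digits. */
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * True when a stored value still looks like a full card number:
 * 12-19 digits (spaces/dashes allowed), no mask characters, Luhn-valid.
 */
function looks_like_unmasked_pan(string $stored): bool
{
    $compact = preg_replace('/[\s-]/', '', $stored);
    if (!ctype_digit($compact)) {
        return false;                           // contains mask characters or other junk
    }
    $len = strlen($compact);
    if ($len < 12 || $len > 19) {
        return false;
    }
    return luhn_valid($compact);
}

/**
 * Audit helper for rows already fetched from the orders table (assumed
 * columns 'orders_id' and 'cc_number'): returns the ids of orders whose
 * cc_number is still a full card number. Run it after a test transaction.
 */
function find_unmasked_orders(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (isset($row['cc_number']) && looks_like_unmasked_pan((string) $row['cc_number'])) {
            $hits[] = $row['orders_id'];
        }
    }
    return $hits;
}

// Constructed sample rows, not real card data (4111111111111111 is a
// well-known test number that passes the Luhn check).
$sample = [
    ['orders_id' => 1, 'cc_number' => '4111 1111 1111 1111'],
    ['orders_id' => 2, 'cc_number' => mask_card_number('4111111111111111')],
    ['orders_id' => 3, 'cc_number' => mask_card_number('4111111111111111', 4, 4, '*')],
];

echo mask_card_number('4111111111111111'), "\n";
echo mask_card_number('4111111111111111', 4, 4, '*'), "\n";
print_r(find_unmasked_orders($sample));
```

Call `mask_card_number()` at the point where the payment module would otherwise write the raw number, so that only the masked form ever reaches the database; the audit helper is for checking existing rows, not a substitute for masking on write.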
Sid04 Posted April 14, 2006

I looked through the database a little and found the CC#s. Looks like they are already masked.
curt0 Posted April 28, 2007 (edited)

> Credit card companies have very strict security requirements for online merchants regarding data storage security. Last year in the US, there was talk of extending data security laws that financial institutions are bound by to include merchants who accept credit cards as well, but I don't know if the extension was ever passed. If you are using OSC, there is an extremely good chance that you are not equipped to meet credit card industry data storage requirements. If you are caught storing numbers, at the very least you'll probably lose your merchant account.

A friend told me that if my website stores CC numbers and a hacker stole those numbers, I may be liable to lawsuits of hundreds of thousands of dollars. Is this correct? If so, how do we set up my osCommerce site so that the CC is not stored in the DB?

My friend told me to do a "Vulnerability Test", which tests to see how easy it is to steal the CC numbers. This test costs $2-3K. Does anybody have experience with this, and is it necessary?

I'm building this e-commerce store for a client. Do I need a legal agreement with my client to indemnify myself from hackers that screw up the website, fraud, stolen products, etc.?

Edited April 28, 2007 by curt0
Guest Posted April 28, 2007

> A friend told me that if my website stores CC numbers and if a hacker stole those numbers, I may be liable to lawsuits of hundreds of thousands of dollars. Is this correct? If so, how do we set up my osCommerce site so that the CC is not stored in the DB? My friend told me to do a "Vulnerability Test", which tests to see how easy it is to steal the CC numbers. This test costs $2-3K. Does anybody have experience with this and if it is necessary? I'm building this e-commerce store for a client. Do I need a legal agreement with my client to indemnify myself from hackers that screw up the website, fraud, steal products, etc.?

I would never ever store CC numbers in my DB, nor would I accept responsibility in the future for what may or may not happen. You can only act on what is known at the time, or can reasonably expect to happen in the future.