I've been doing some research into the security of my site, as part of the data being collected is financial information such as credit cards, as well as address information and general site usage patterns.
I started out looking at SSL for my forms and cookies so that they would be relatively safe from tampering and packet sniffers. I was interested in packet sniffers though, so I researched that some more, only to realise that if a hacker was in a position to sniff out passwords from my site's forms, they could just as easily be sniffing out the data as it is fed out of the database. This information would appear to include the username and password for the database itself.
Can anyone tell me what the preferred way to deal with this is? Should I just encrypt the really sensitive information such as the credit card info before I add it to the database, so that at best all they could get would be the encrypted version?
Any opinions / solutions welcome. I think I'm getting paranoid.