a question on security....

if you are working on an ecommerce website, what security measures would you take to keep the part and order data secure?
thanks.
First of all I would make sure I had my own dedicated server; hosting any kind of financial information on a shared server is a disaster waiting to happen, as a lot of shared hosts allow customers to play with each other's files given the right exploits.
As for the application, if I was saving any kind of credit card information I would use encryption on the DB. I would force all interactions on the server to go through a secure socket layer (SSL), and I would force users to set up accounts, with verified email addresses, and require phone numbers for added security. Now protecting yourself from carders is a different story: find a merchant that takes care of this for you and does not do chargebacks, or read up on the different algorithms that can be used to validate credit card numbers (they will only tell you if the card is not valid, or possibly valid, but this saves you from sending some invalid numbers to your merchant acct's API).
Also all of this is assuming your server itself is secure, running the latest, most secure version of all its software, etc.
- John Cartwright
- Site Admin
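The card-number pre-check the reply above refers to ("they will only tell you if the card is not valid, or possibly valid") is the Luhn mod-10 checksum. The following is an added example, not code from this thread or from any of its posters: it normalizes the typed number, applies a length sanity check and the Luhn check, and returns a reason so the caller can reject garbage before it ever reaches the merchant API. The length bounds (12 to 19 digits) and the masking helper are my own choices for the example.

```python
"""Luhn (mod 10) pre-check for card numbers.

The check can only say "definitely not valid" or "possibly valid"; it never
proves a card is real, funded, or belongs to the buyer. That is the
merchant/gateway's job, exactly as the reply above says.
"""
import re
from typing import Optional, Tuple


def normalize_pan(raw: str) -> Optional[str]:
    """Strip spaces and dashes; return digits only, or None if anything else remains."""
    cleaned = re.sub(r"[ -]", "", raw)
    if not cleaned.isdigit():
        return None
    return cleaned


def luhn_checksum(digits: str) -> int:
    """Return the Luhn checksum (0 means the number passes)."""
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold doubled values above 9 back into a single digit (18 -> 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def precheck_card_number(raw: str) -> Tuple[bool, str]:
    """Return (possibly_valid, reason). False means 'do not send this to the gateway'."""
    pan = normalize_pan(raw)
    if pan is None:
        return False, "non-digit characters"
    if not 12 <= len(pan) <= 19:  # assumed bounds for this example
        return False, "length out of range"
    if luhn_checksum(pan) != 0:
        return False, "Luhn checksum failed"
    return True, "possibly valid (Luhn passed)"


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, e.g. for order records and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Constructed sample inputs; 4111... is a widely used test number that passes Luhn.
    for sample in ["4111 1111 1111 1111", "4111 1111 1111 1112", "0000 0000 0000 0000", "4111-1111-1111-111a"]:
        ok, why = precheck_card_number(sample)
        print(f"{sample!r}: {ok} ({why})")
    print(mask_pan("4111111111111111"))
```

Note that "0000 0000 0000 0000" passes the checksum: Luhn rejects typos and nonsense, it does not vouch for anything, so the full number should still go only to the payment gateway and be stored, if at all, masked or encrypted as the reply describes.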
> can you please mention encryption method or algorithm that you will use.

Are you talking about hashing or encryption? There is a very big difference: think of hashing as a unique fingerprint of the original value (supposed to be irreversible), while encryption is the obscuration of information (can be reversed). For hashing, I would use no less than our very own feyd's implementation of SHA256 hashing properly used with a salt, although you may want to refer to onion2k's post here about encryption.
So let's say you want to store a user's password: there is no need for the database to store a reversible password. In a worst case scenario let's say a hacker gained access to your user db; with all passwords encrypted the user could run de-encryption methods on them. But let's say the hacker ran into a bunch of hashes: he has no way of getting the password, especially using SHA256.
For things such as credit card information, you would use encryption (make sure you read up on encryption methods), because at some point you need to retrieve such details.
Just so you know, I've worked significantly with some companies developing credit card gateways. Such applications have to meet certain standards and security tests when being integrated with banks and such, but they spent very little attention on the code, and much much much more on the security of the physical server.
To me it sounds like you're not very experienced in this field, and from your last comment I suspect new to programming. In that case, I would suggest you NOT tackle an e-commerce project, especially if you are not well versed in security practices.

> The next question is: how can you keep track of what has been done, and what is still left to do?

And to answer your last question: it is much too broad to answer, please rephrase it.
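To make the hashing-versus-encryption distinction from the reply above concrete, here is an added example of storing and checking passwords as salted one-way hashes. It is my own code, not feyd's SHA256 implementation or anything else from this forum; it uses PBKDF2-HMAC-SHA256 from Python's standard library as one way of applying "SHA256 properly used with a salt", and the iteration count and record format are assumptions of the example. Nothing stored is reversible, which is the whole point: the site never needs the password back, it only needs to recompute and compare.

```python
"""Salted one-way password storage: recompute and compare, never decrypt."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; raise it as hardware gets faster)
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords never share a hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters, compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False  # unknown record format: refuse rather than guess
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: dict, iterations: int = ITERATIONS) -> dict:
    """Simulate what the user db holds: usernames mapped to hash records only."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts; two users deliberately share a password.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse"}, iterations=10_000)
    for user, record in table.items():
        print(user, record)
    print("alice login ok:", verify_password("correct horse", table["alice"]))
    print("alice wrong pw:", verify_password("battery staple", table["alice"]))
    print("same password, same hash?", table["alice"] == table["bob"])
```

Because each record carries its own salt and iteration count, a stolen table gives an attacker nothing to "de-encrypt", and the site can raise the work factor for new records without invalidating old ones. Card numbers are the opposite case the reply describes: they must come back out later, so they need reversible encryption with a properly managed key, which is a separate problem from password storage.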