信用卡信息,必须采取哪些安全措施?
[英]Credit Card Information, what security precautions must be taken?
问题描述
We don't store any credit card information. 
我们不存储任何信用卡信息。 It is gathered via an HTML form, then processed by a PHP script which uses the API from Intuit to charge the credit card. 它通过HTML表单收集,然后由PHP脚本处理,该脚本使用Intuit的API为信用卡收费。 After calling the API to charge the card, all credit card information is disposed of. 在致电API以对卡充电后,所有信用卡信息都将被处理掉。
Here are my questions regarding the security of the credit card information: 以下是关于信用卡信息安全性的问题:
- I assume SSL is a must. 我认为SSL是必须的。 Is this correct? 它是否正确?
- Should I switch from shared hosting to a dedicated server? 我应该从共享主机切换到专用服务器吗?
- I assume there is no encryption that isn't easily un-reversible that can take place between the HTML form and the PHP script, does any encryption need to be used for what I'm trying to do? 我假设在HTML表单和PHP脚本之间不存在不容易不可逆的加密,是否需要对我正在尝试做的事情进行加密?
If there is anything else you can think please share it. 如果您还有其他想法,请分享。 Thanks for your time everyone. 感谢大家的时间。
4 个解决方案
解决方案1
4 已采纳 2013-02-22 19:18:17
I assume SSL is a must.
Yes, correct. 是,对的。
Should I switch from shared hosting to a dedicated server?
A VPS at minimum is a very good idea. VPS至少是一个非常好的主意。 You can probably not be PCI compliant successfully on a shared host, you just don't have enough control to lock your server down as required by PCI. 您可能无法在共享主机上成功实现PCI兼容,您根本没有足够的控制权来按照PCI的要求锁定服务器。
I assume there is no encryption that isn't easily un-reversible that can take place between the HTML form and the PHP script, does any encryption need to be used for what I'm trying to do?
Your API should take care of that. 您的API应该处理这个问题。 Be sure the API is over an SSL/Secure connection as well. 确保API也通过SSL / Secure连接。
Please read up on PCI requirements. 请仔细阅读PCI要求。 You are transmitting cardholder data so you DO NEED TO BE PCI COMPLIANT. 您正在传输持卡人数据,因此您需要符合PCI条件。 You will be at the "lowest level" of compliance (I think it's C or D). 您将处于合规的“最低级别”(我认为它是C或D)。 You will need to run quarterly scans on your server IP to prove compliance as well. 您需要在服务器IP上运行季度扫描以证明合规性。 As an FYI, I use McAffee Secure for this. 作为一个FYI,我使用McAffee Secure。
The only way you won't be subject to PCI rules is if the cardholder's data is entered on somebody else's server (think: paypal). 如果持卡人的数据是在其他人的服务器上输入的,那么您不会受PCI规则约束的唯一方法就是(想想:paypal)。 Whenever you pay by paypal, you are transferred to PayPal's server, then transferred back. 每当您通过PayPal付款时,您将被转移到PayPal的服务器,然后转回。 In that scheme, you would not need to be compliant. 在该计划中,您不需要合规。
Now a lot of the PCI requirements talk about some stuff that don't apply in the questionaire (ie is your server stored in a safe place, how physically secure is your building, etc....) - the good news is that your server/hosting company should handle that. 现在很多PCI要求谈论一些不适用于问卷的东西(即你的服务器存放在一个安全的地方,你的建筑物的物理安全性等等) - 好消息是你的服务器/托管公司应该处理。
After your network scan, it'll come up with a list of things that make you non-compliant. 在您进行网络扫描之后,它会列出一些使您不符合要求的内容。 They are almost always server related issues. 它们几乎总是服务器相关的问题。 You can either fix them yourself, or ask your host to help you - most hosts will do it if you send them the list. 您可以自己修复它们,也可以让主机帮助您 - 如果您将列表发送给它们,大多数主机都会这样做。 You will NOT be able to fix a lot of them on shared hosting. 您将无法在共享主机上修复它们。
解决方案2
0 2013-02-22 18:46:35
Your points addressed in order 您的要点按顺序处理
- Yes, even when connecting to the API, which should be the only option 是的,即使连接到API,这应该是唯一的选择
- Its a good idea, less security exposure. 这是一个好主意,安全性较低。 You will have lower probability that a compromised tenant will compromise your site. 受影响的租户将损害您网站的可能性较低。
- As long as you are not storing or caching the data in any form and using SSL for transit, you wont have to implement encryption on your application. 只要您不以任何形式存储或缓存数据并使用SSL进行传输,就不必在应用程序上实施加密。
PCI requirements may be applicable. PCI要求可能适用。
解决方案3
0 2013-02-22 18:56:27
1) I would serve the entire page through HTTPS to avoid users from getting the alarming message of "some resources are not protected" 1)我将通过HTTPS服务整个页面,以避免用户收到“某些资源未受保护”的警告信息
2) Depends on the integration, if Intuit has provided you with an iframe or form action to use, then sensitive data never reaches your server. 2)取决于集成,如果Intuit为您提供了iframe或表单操作,那么敏感数据永远不会到达您的服务器。 user either type and/or submit it directly to intuit with your page merely as a container. 用户可以直接输入和/或直接提交,直接将您的页面作为容器直接提交。
If the above is true: 如果以上是真的:
3) You don't have to pass PCI compliance. 3)您不必通过PCI合规性。 Intuit already did. Intuit已经做到了。 Sensitive data never reaches your server, thus there's nothing to dispose. 敏感数据永远不会到达您的服务器,因此无需处理任何内容。
4) Shared or dedicated host doesn't really matter since you are not transiting or storing any sensitive information. 4)共享或专用主机并不重要,因为您没有转换或存储任何敏感信息。
解决方案4
0 2013-02-22 19:58:27
- SSL: Yes, of course. SSL:是的,当然。 Between your server and the client, as well as between you and the API. 在您的服务器和客户端之间, 以及您和API之间。
Dedicated Hosting: Ideally, yes.
专用主机:理想情况下,是的。 There are two problems with using shared hosting: 使用共享主机有两个问题: - Anything stored in a session can potentially be retrieved by others on the server. 存储在会话中的任何内容都可能被服务器上的其他人检索到。
- A security breach in a site that is not even yours could lead to a breach in yours. 网站中的安全漏洞甚至不属于您的网站,可能导致您的安全漏洞。
These are primarily the domain of your host's security policies, and are not easily identified by PCI scans.这些主要是主机安全策略的域,PCI扫描不易识别。 - Anything stored in a session can potentially be retrieved by others on the server.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.