Wednesday, January 26, 2011

Having credit card information on VPS

Is it safe to store credit card information in a database on a VPS? Or is it best to put it on an absolutely under-utilized dedicated server?

  • If this isn't your datacenter, ask the provider if they are PCI compliant, and if that applies to their VPS as well as dedicated hosting solutions.

    Dan Andreatta : PCI compliance is more than just encrypting data. Keeping CC data on a server you do not fully control probably means that the hosting company has to be compliant too...
  • Unless you are a big shop, I would say no, not safe and not a good idea. You will spend much more money getting PCI compliant and securing the box than you would paying for a payment gateway to deal with this for you.

    Satanicpuppy : +1: If you don't know, then you need to be using a third party, and storing next to nothing locally.
    From sucuri
  • Use a reputable third-party payment gateway -- they'll store the credit cards for you, so if you need to initiate another transaction (like a refund or a subscription renewal) you can request it through their secure API.

    Often times (for display purposes or binding clients to credit card numbers) the last 4 digits will suffice.

    From gravyface
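The "store only what the gateway gives you back, plus the last 4" approach above, as an added example that is not part of the original thread: a record shape that holds a gateway token and last4 instead of the PAN, plus a Luhn-based check you can run over stored records to catch a full card number that leaked into a free-text field. The token value and field names are constructed placeholders, not any gateway's real format.

```python
import re

# Constructed example of a card-on-file record as it should be persisted:
# only the gateway's token, the brand and the last 4 digits, never the PAN.
EXAMPLE_RECORD = {
    "customer_id": 1042,
    "gateway_token": "tok_example_placeholder",  # hypothetical token value
    "brand": "visa",
    "last4": "4242",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Reduce a full PAN to the display form that is safe to keep: the last 4 only."""
    digits = re.sub(r"\D", "", pan)
    return "**** **** **** " + digits[-4:]


# 13-19 digits, optionally separated by spaces or dashes, as PANs are usually typed.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text, i.e. likely leaked PANs."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def record_is_clean(record: dict) -> bool:
    """True if no field of a stored record contains something that looks like a PAN."""
    return all(not find_pans(str(v)) for v in record.values())
```

Running `record_is_clean` over exported rows (or over application logs) is a cheap way to confirm that "next to nothing locally" is actually what ended up in the database.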
  • Just some info on PCI compliance. It takes about 1 year to be compliant, with most of the time taken up by paperwork and documentation. Probably it is not worth it.

    And you have to pay top dollar for security consultants to certify that you are compliant, of course.

    It is a good exercise to read the PCI documentation anyway, since it is basically a collection of good practices.

    Zypher : PCI is most definitely NOT just paperwork and documentation.
    Dan Andreatta : @Zypher: you are right, but most of the time to get compliant will be taken up with those two tasks.
