inveni0 - 1:05 pm on May 1, 2013 (gmt 0)
Do you have any recommendations?
They aren't getting the records easily. The database is remotely hosted, but since it is accessed, I imagine that it is also vulnerable, and that's why I want to add an extra layer of encryption.
Please don't lay into me with the usual "what are you stupid enough to do that for" business. I don't have the patience. This is a website used for a purpose that requires the storing of credit card numbers. If it could serve its purpose without storing numbers, then of course it wouldn't. But it must. Thankfully, there is something called PCI Compliance, which the site adheres to completely, exceeding its level of security in many places. PCI compliance is in place because credit card numbers sometimes need to be stored. Do you think your credit card processor doesn't store them? They do, because they need to. We also need to store them, and that's why as much extra security and obfuscation as possible is good for the application. In fact, many competing sites don't even meet PCI compliance in the first place--by doing things like storing not just the credit card number, but also the security code on the back.
I understand that there is always a hack. Even major corporations like Sony, LivingSocial, Microsoft, etc., etc., have to deal with exploits. That's the nature of information.
My goal here is to simply layer another line of protection into the procedure, so that the application we run offers another step above the minimum security requirements. So I'm looking for people to attempt to reverse engineer the new layer of protection. It will serve as another layer against the basic SQL exploits, if one exists.