lammert

msg:4060272 | 11:39 pm on Jan 13, 2010 (gmt 0)
> The data will of course be encrypted

How would you do this without having the key on the server? A breach of the server will not only give the encrypted data but also the key. Encryption of data on a web-server gives no extra layer of security, unless it is asymmetric encryption where you need a second key for the decryption phase and where that key is not stored on the web-server. But that is only useful if you don't need to use the data on the web-server, and in that case there is no need to save the data at all.
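The split Lammert describes, with only the public key on the web server and the private key kept on a separate back-office system, as an added example in Go (not code from the thread; the function names and the sample record are assumptions):

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Label bound into the OAEP encryption; both sides must use the same value.
var recordLabel = []byte("stored-record")

// GenerateBackOfficeKey is run once on the back-office system, which keeps
// the private key. Only &key.PublicKey is ever copied to the web server.
func GenerateBackOfficeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WebServerEncrypt runs on the web server, which holds only the public key.
// A breach of this host yields ciphertext plus the public key, neither of
// which opens the records.
func WebServerEncrypt(pub *rsa.PublicKey, record []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, record, recordLabel)
}

// BackOfficeDecrypt runs on the separate system that holds the private key,
// so records are write-only from the web server's point of view.
func BackOfficeDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, recordLabel)
}

func main() {
	priv, err := GenerateBackOfficeKey()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample record. OAEP with a 2048-bit key and SHA-256 takes
	// at most 190 bytes per message, enough for a small record like this one.
	record := []byte("applicant: A. Example, ref 12345")
	ct, err := WebServerEncrypt(&priv.PublicKey, record)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("web server stores %d bytes of ciphertext\n", len(ct))
	pt, err := BackOfficeDecrypt(priv, ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("back office reads: %s\n", pt)
}
```

Longer records would be wrapped with a random symmetric key that is itself encrypted under the public key; the key-placement point is the same.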
Wittner

msg:4060528 | 10:15 am on Jan 14, 2010 (gmt 0)
Thanks Lammert. I'm aware of that. What I really want is not to get into a discussion on security per se - really, I want to know if anyone has recommendations for a security audit as in my post, thanks, Wittner
lammert

msg:4060583 | 12:47 pm on Jan 14, 2010 (gmt 0)
You could see my comment as an example of what a security auditor might look for. In the end it is not the seal which counts but the real security of the data on your machine. The best way to go forward is to read the PCI Compliance Guide and see which compliance level your application should meet. This depends on the type of application and the type of data which is accepted and stored in the application. The next step is to implement all the requirements of that level. The third step is to ask one of the Approved PCI Compliance Vendors who will test your configuration. There is a list available on the Internet of these approved test bodies which can be easily found with a search engine.
Wittner

msg:4060610 | 1:50 pm on Jan 14, 2010 (gmt 0)
Thanks Lammert, PCI compliance guidelines are something I'm using but I just didn't want the thread to turn into a load of people telling me how to look after my security and miss the main point. I hope it is understood that no bad feeling was intended. Thanks for the heads-up about the possibility of a PCI vendor test - I didn't think about that and I'll certainly check it out, cheers, Wittner
Wittner

msg:4060612 | 1:51 pm on Jan 14, 2010 (gmt 0)
btw, are those tests usually automatic, as in, without manual human intervention?
lammert

msg:4060621 | 2:18 pm on Jan 14, 2010 (gmt 0)
Most PCI tests are a combination of a questionnaire which you have to complete, with a periodical automatic scan of your server/application for vulnerabilities from the outside world. On-site assessments are most of the time only for high volume payment processors.
Wittner

msg:4060715 | 4:08 pm on Jan 14, 2010 (gmt 0)
PCI is also very Credit Card oriented. My system won't be storing CC data so I'm not sure how relevant a PCI audit will be, cheers, Wittner
lammert

msg:4060734 | 4:23 pm on Jan 14, 2010 (gmt 0)
Your potential customers are banks and PCI compliance is something they know. Maybe it won't fit your application entirely, but it fits in their world.
Wittner

msg:4060765 | 4:46 pm on Jan 14, 2010 (gmt 0)
Yep. I hear that.