Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
I'm approaching Alpha stage with a web app and since it will hold personally sensitive data (not credit card info) I want to gain the trust of users by having some sort of 'seal of approval' from a reputable agency. The data will of course be encrypted and I will have used best-practice in terms of the coding, but I would like to have that independently verified.
What companies would anyone here recommend for an audit such as this? PWC and KPMG would be an option but I'm not sure what sort of figures we're talking about for an audit - any ideas anyone? Also, would an 'off the shelf' option such as MacAfee be of any real security benefit?
Among potential customers will be banks so I imagine we're talking about something which would please that level of client,
Any thoughts or suggestions welcome,
The data will of course be encrypted
How would you do this without having the key on the server? A breach of the server will not only give the encrypted data but also the key. Encryption of data on a web-server gives no extra layer of security, unless it is asymmetric encryption where you need a second key for the decryption phase and where that key is not stored on the web-server. But that is only useful if you don't need to use the data on the web-server and in that case there is no need to safe the data at all.
The best way to go forward is to read the PCI Compliance Guide and see which compliance level your application should meet. This depends on the type of application and the type of data which is accepted and stored in the application.
The next step is to implement all the requirements of that level.
The third step is to ask one of the Approved PCI Compliance Vendors who will test your configuration. There is a list available on Internet of these approved test bodies which can be easily found with a search engine.
PCI compliance guidelines are something I'm using but I just didn't want the thread to turn into a load of people telling me how to look after my security and miss the main point. I hope it is understood that no bad feeling was intended. Thanks for the heads-up about the possiblity of a PCI vendor test - I didn't think about that and I'll certainly check it out,