Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
C0D4669444yThat's not wrong to do if the records are restricted from "unauthorised access", but best practise is....
DELETE THAT SHIT NOW!!!!!!!
# DROP TABLE card_details;
Seriously, who dafuq stores CC details in 2021!!
Ps: yes you can store CC details AND be PCI compliant, no one in their right
mind would do it though beyond a payment gateway. -
@C0D4 I fear it is still common practice ... well more common than we might think... :(
-
C0D4669444y@N00bPancakes sadly, you're probably right.
Best thing to do is delete the data and move on though, If they refuse, get them audited, they'll only fail that thing once before changing their mind. -
eptsousa3734y@C0D4 as a question, what would be the right way to save a client credit card details so there’s no need titule them every time, as Amazon does for example?
-
C0D4669444y@eptsousa use tokenisation if available, you store a small hash for reuse, but the payment gateway stores the details.
Small write up:
https://squareup.com/au/en/...
You could use encryption for the CC data, but then the CC details are still in your possession, the token is only valid for the specific merchant and the card so very small foot print of reuse, if it did leak. -
Voxera113974yAnd if you really need to keep it locally for some reason, make sure the card data is in a separate hardened system only accessible from the inside snd have all other services make calls to that internal service.
And store all data encrypted with a password solution that in it self is not stored in the same machine but rather have that service call yet another hardened service to decrypt the data on demand.
That way an attacker need to compromise all of your network to get the full data. -
Usually only 4 digits of the card are stored to identify the provider. But in order to store more details you need to be PCI compliant and follow their guidelines.
Related Rants
-
TheBishSlap18As a firm supporter of information security, it really "irks" me to see people get up and walk away form their...
-
Condor11Long rant ahead.. 5k characters pretty much completely used. So feel free to have another cup of coffee and ha...
-
blackbeard6Google was hiring till the last week. If you didn't apply, don't worry. They already has all your information....
I just got a project that is already developed by a team. It is already in the production and guess what!! They are storing customer’s credit card details in the database 🥸🥸
rant
information security
sensitive data