Key management is usually the sticking point for this type of security.
You might consider using SQL symmetric keys and certificates. That way, SQL will do much of the key management for you.
Example:
```sql
-- Requires a database master key (CREATE MASTER KEY) and a database user [ccuser];
-- the certificate's private key is protected by that master key.
CREATE CERTIFICATE [CCCert]
AUTHORIZATION [ccuser]
WITH SUBJECT = N'CC Certificate',
START_DATE = N'1/1/2008 12:00:00 AM', EXPIRY_DATE = N'12/31/2010 12:00:00 AM'
ACTIVE FOR BEGIN_DIALOG = ON;

-- Symmetric key that does the bulk encryption; its key material is itself
-- encrypted by the certificate, so SQL Server handles the key storage.
CREATE SYMMETRIC KEY [CCKey]
AUTHORIZATION [dbo]
WITH ALGORITHM = AES_128
ENCRYPTION BY CERTIFICATE [CCCert];

-- Sample input values (placeholders; in the app these come from parameters).
-- CCSchema.CCData.CCNumber must be varbinary, since EncryptByKey returns ciphertext bytes.
DECLARE @id int = 1;
DECLARE @ccnumber nvarchar(19) = N'4111111111111111';

BEGIN TRANSACTION;
OPEN SYMMETRIC KEY CCKey DECRYPTION BY CERTIFICATE CCCert;
INSERT INTO [CCSchema].[CCData]
    (UserId, CCNumber)
VALUES
    (@id, EncryptByKey(Key_GUID('CCKey'), @ccnumber));
CLOSE ALL SYMMETRIC KEYS;
COMMIT TRANSACTION;
```
If your DB isn't on the same machine as your web app, you should be sure to use IPSec to protect the link.
In the example above, only the DB user "ccuser" will be able to encrypt or decrypt the data.
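The read path is the half the answer leaves out, so here is an added round-trip example (not part of the original answer) that also binds each ciphertext to its UserId with an authenticator, so a ciphertext copied between rows decrypts to NULL. It assumes the CCCert, CCKey and CCSchema.CCData objects from the answer exist and that the database master key is available to open the certificate.

```sql
-- Constructed sample values for the demonstration
DECLARE @id int = 42;
DECLARE @ccnumber nvarchar(19) = N'4111111111111111';

OPEN SYMMETRIC KEY CCKey DECRYPTION BY CERTIFICATE CCCert;

-- Third argument 1 = add an authenticator; the UserId is mixed into the
-- ciphertext, so the same card number encrypts differently per user.
INSERT INTO [CCSchema].[CCData] (UserId, CCNumber)
VALUES (@id, EncryptByKey(Key_GUID('CCKey'), @ccnumber, 1, CONVERT(nvarchar(128), @id)));

-- Normal read: authenticator matches, plaintext is returned.
-- DecryptByKey returns varbinary, so convert back to the original type.
SELECT UserId,
       CONVERT(nvarchar(19), DecryptByKey(CCNumber, 1, CONVERT(nvarchar(128), UserId))) AS CCNumber
FROM [CCSchema].[CCData]
WHERE UserId = @id;

-- Integrity check: the same ciphertext read under a different UserId yields
-- NULL because the authenticator no longer matches. DecryptByKey also returns
-- NULL (not an error) when the caller lacks permission on the key, so treat
-- NULL as a failure to investigate, never as an empty card number.
SELECT CONVERT(nvarchar(19), DecryptByKey(CCNumber, 1, CONVERT(nvarchar(128), @id + 1))) AS Swapped
FROM [CCSchema].[CCData]
WHERE UserId = @id;

CLOSE SYMMETRIC KEY CCKey;

-- Alternative read that opens and closes the key implicitly. The password
-- argument is NULL because the certificate's private key is protected by the
-- database master key rather than by a password.
SELECT UserId,
       CONVERT(nvarchar(19),
               DecryptByKeyAutoCert(Cert_ID('CCCert'), NULL, CCNumber, 1, CONVERT(nvarchar(128), UserId))) AS CCNumber
FROM [CCSchema].[CCData]
WHERE UserId = @id;
```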