6

I just got a project that is already developed by a team. It is already in production and guess what!! They are storing customers' credit card details in the database 🥸🥸

Comments
  • 2
  • 7
    That's not wrong to do if the records are restricted from "unauthorised access", but best practice is....

    DELETE THAT SHIT NOW!!!!!!!
    # DROP TABLE card_details;

    Seriously, who dafuq stores CC details in 2021!!

    PS: yes, you can store CC details AND be PCI compliant; no one in their right mind would do it though beyond a payment gateway.
  • 1
    @C0D4 I fear it is still common practice ... well more common than we might think... :(
  • 1
    @N00bPancakes sadly, you're probably right.

    Best thing to do is delete the data and move on though. If they refuse, get them audited; they'll only fail that thing once before changing their mind.
  • 0
    @C0D4 as a question, what would be the right way to save a client's credit card details so there's no need to type them every time, as Amazon does for example?
  • 7
    @eptsousa use tokenisation if available, you store a small hash for reuse, but the payment gateway stores the details.

    Small write up:
    https://squareup.com/au/en/...

    You could use encryption for the CC data, but then the CC details are still in your possession. The token is only valid for the specific merchant and the card, so there is a very small footprint of reuse if it did leak.
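    The tokenised flow C0D4 describes (and the "how does Amazon do it" question above it), as an added example that is not from this thread or from any real gateway: a stand-in gateway vault keeps the card number and returns a random, merchant-bound token; the merchant database only ever holds the token and the last four digits. `StandInGateway`, `SavedCard` and the helper functions are all hypothetical names.

```python
import secrets
from dataclasses import dataclass, asdict


class StandInGateway:
    """Hypothetical gateway vault: keeps the PAN, hands back an opaque token.
    The real thing runs on the gateway's PCI-scoped infrastructure; this class
    exists only so the merchant-side flow below runs offline."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan, expiry)

    def tokenize(self, merchant_id, pan, expiry):
        # Random token, not a hash of the PAN: it reveals nothing about the card
        # and cannot be reversed or brute-forced back to a 16-digit number.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan, expiry)
        return token

    def charge(self, merchant_id, token, amount_cents):
        record = self._vault.get(token)
        # The token is bound to the merchant that created it, so a leaked
        # token is useless to anyone else.
        if record is None or record[0] != merchant_id or amount_cents <= 0:
            return False
        return True


@dataclass(frozen=True)
class SavedCard:
    """The only card-related row the merchant database ever holds."""
    customer_id: str
    token: str
    last4: str


def save_card(gateway, merchant_id, customer_id, pan, expiry):
    """Hand the PAN straight to the gateway; persist token + last4 only."""
    pan = pan.replace(" ", "")
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a card number")
    token = gateway.tokenize(merchant_id, pan, expiry)
    return SavedCard(customer_id=customer_id, token=token, last4=pan[-4:])


def row_leaks_pan(row, pan):
    """Audit helper: True if any stored field still contains the full PAN."""
    pan = pan.replace(" ", "")
    return any(pan in str(value) for value in asdict(row).values())


def charge_saved_card(gateway, merchant_id, row, amount_cents):
    """Repeat purchase without re-entering the card, using only the stored token."""
    return gateway.charge(merchant_id, row.token, amount_cents)
```

    The constructed card number `4111 1111 1111 1111` is a common test value, not a real card; the merchant row never sees it after `save_card` returns.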
  • 0
    Better than on a network share that can be accessed by anyone...
    I have seen that.
  • 0
    @C0D4 ty for the article and explanation.
  • 2
    And if you really need to keep it locally for some reason, make sure the card data is in a separate hardened system only accessible from the inside and have all other services make calls to that internal service.

    And store all data encrypted with a password solution that in itself is not stored on the same machine, but rather have that service call yet another hardened service to decrypt the data on demand.

    That way an attacker needs to compromise all of your network to get the full data.
  • 0
    Usually only 4 digits of the card are stored to identify the provider. But in order to store more details you need to be PCI compliant and follow their guidelines.
  • 0
    Customer wants to know your location 🤭
  • 0
    thx for post)