LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 07-18-2013, 06:43 PM   #1
markotitel
Member
 
Registered: Feb 2009
Location: Titel - Serbia
Posts: 166

Rep: Reputation: 18
Website with credit card info securing


Hi, I am publishing a web site which will hold credit card info and some private data in the future. This won't be something big, but I hope for some customers.

Can you suggest some links for best practices for securing that kind of server?

I have been searching Google and looking at securing credit card private data specifically; I know it is stupid.

I believe security is security, but maybe there are some examples out there someone might know of.
 
Old 07-18-2013, 09:47 PM   #2
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 8,235

Rep: Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553
This article from the InmotionHosting knowledge base might help get you started on your research.

http://www.inmotionhosting.com/suppo...best-practices

Full disclosure: I did some work for them about 18 months ago, but am in no way connected with them. I was, however, impressed by their knowledge base.
 
Old 07-19-2013, 02:43 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
With respect to system hardening and auditing, your distribution's documentation (or "Securing Debian", together with the info at the SANS Reading Room, OWASP and the CISecurity.org profiles) should provide the first steps. Establish a local and remote baseline scan (GNU/Tiger, OpenVAS) first, then read those docs, implement measures and scan again.

Quote: Originally Posted by markotitel
> Hi, I am publishing a web site which will hold credit card info and some private data in the future.

As frankbell already suggested through that link of his, PCI-DSS requirements should then be your first stop (and there really is only one source for that: https://www.pcisecuritystandards.org...ity_standards/), but there are gradations, so please be specific: are you facilitating or processing credit card payments or not? What HW, network and SW setup (wrt the latter: what software are you exposing) do you have in mind for what you are about to do?
 
Old 07-19-2013, 08:45 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Quote: Originally Posted by markotitel
> I am publishing a web site which will hold credit card info and some private data in the future.
The best practice with CC information is not to store it and to not write it to your drives. If you have it stored, it means someone else may compromise it. You should also very carefully check the terms of service with whatever banking / processing firm you are using because you may be prohibited from storing information sufficient for processing transactions.
 
Old 07-20-2013, 12:26 PM   #5
markotitel
Member
 
Registered: Feb 2009
Location: Titel - Serbia
Posts: 166

Original Poster
Rep: Reputation: 18
Ah, thank you guys very much. The website will be up August 1, and payment processing September 1.

There will be a checkout, so I will work with the developers and the owner of the website so they do their part and I will do mine.

Thanks for the info.
 
Old 07-22-2013, 09:10 AM   #6
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6
Posts: 1,601

Rep: Reputation: 483Reputation: 483Reputation: 483Reputation: 483Reputation: 483
Quote: Originally Posted by unSpawn
> As frankbell already suggested through that link of his, PCI-DSS requirements should then be your first stop (and there really is only one source for that: https://www.pcisecuritystandards.org...ity_standards/), but there are gradations, so please be specific: are you facilitating or processing credit card payments or not? What HW, network and SW setup (wrt the latter: what software are you exposing) do you have in mind for what you are about to do?
Just to note that if you do intend to go for PCI "Level 1" certification you should be prepared for a lot of time and investment as well as extensive and regular audits of your infrastructure / vulnerability scans of both your internal company infrastructure and your hosting infrastructure. I really would suggest that you DO NOT store any cardholder data unless there is a pressing need to do so. I'm guessing you'll be using a third-party processor such as your bank or PayPal etc. so really you're looking at handing off to their "shopping cart" or processing APIs rather than storing CHD yourself.

(We recently went through the whole process and have achieved PCI Level 1, it took a while!)
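The "do not store cardholder data" advice in the last two replies is something the server operator can verify rather than assume. The following is an added example, not code from any poster: it scans constructed sample log lines for digit runs that pass the Luhn check (the mod-10 check every PAN satisfies) and reports hits truncated to the first six and last four digits, the form PCI-DSS permits to retain. The log lines and function names are assumptions made for the example.

```python
import re

# Constructed sample log lines (not from the thread): one line leaks a full
# Luhn-valid test PAN, one carries an unrelated 16-digit reference number,
# one is already truncated to first six / last four digits.
SAMPLE_LINES = [
    "2013-07-22 09:10:01 checkout order=1001 card=4111111111111111 status=ok",
    "2013-07-22 09:10:02 checkout order=1002 ref=1234567890123456 status=ok",
    "2013-07-22 09:10:03 checkout order=1003 card=411111******1111 status=ok",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not glued to further digits on either side.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the truncation PCI-DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list:
    """Return the Luhn-valid card-number candidates found in one line."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_lines(lines) -> list:
    """Return (1-based line number, masked PAN) for every leaked card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings
```

Run the same scan over real web server, application and database logs before a processor or auditor does; a non-empty result means cardholder data is being written to disk somewhere in the checkout path.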