LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Website with credit card info securing (https://www.linuxquestions.org/questions/linux-security-4/website-with-credit-card-info-securing-4175470130/)

markotitel 07-18-2013 05:43 PM

Website with credit card info securing
 
Hi, I am publishing a web site which will hold credit card info and some private data in the future. This won't be something big, but I hope for some customers.

Can you suggest some links for best practices on securing that kind of server?

I have been searching Google and looking specifically at credit card / private data securing :), I know it is stupid.

I believe security is security, but just maybe there are some examples out there someone might know of.

frankbell 07-18-2013 08:47 PM

This article from the InmotionHosting knowledge base might help get you started on your research.

http://www.inmotionhosting.com/suppo...best-practices

Full disclosure: I did some work for them about 18 months ago, but am in no way connected with them. I was, however, impressed by their knowledge base.

unSpawn 07-19-2013 01:43 AM

With respect to system hardening and auditing, your distribution's documentation (or "Securing Debian", together with the info at the SANS Reading Room, OWASP and the CISecurity.org profiles) should provide the first steps. Establish a local and remote baseline scan (GNU/Tiger, OpenVAS) first, then read those docs, implement measures and scan again.

Quote:

Originally Posted by markotitel (Post 4992847)
Hi, I am publishing web site which will hold credit card info and some private data in future.

As frankbell already suggested through that link of his, the PCI-DSS requirements should then be your first stop (and there really is only one source for that: https://www.pcisecuritystandards.org...ity_standards/), but there are gradations, so please be specific: are you facilitating or processing credit card payments or not? What HW, network and SW setup (wrt the latter: what software are you exposing) do you have in mind for what you are about to do?

Noway2 07-19-2013 07:45 AM

Quote:

I am publishing web site which will hold credit card info and some private data in future
The best practice with CC information is not to store it and not to write it to your drives. If you have it stored, it means someone else may compromise it. You should also very carefully check the terms of service of whatever banking / processing firm you are using, because you may be prohibited from storing information sufficient for processing transactions.

markotitel 07-20-2013 11:26 AM

Ah, thank you guys very much :). The website will be up August 1, and payment processing September 1.

There will be a checkout, so I will work with the developers and the owner of the website so they do their part and I will do mine :).

Thanks for the info.

TenTenths 07-22-2013 08:10 AM

Quote:

Originally Posted by unSpawn (Post 4993008)
As frankbell already suggested through that link of his, the PCI-DSS requirements should then be your first stop (and there really is only one source for that: https://www.pcisecuritystandards.org...ity_standards/), but there are gradations, so please be specific: are you facilitating or processing credit card payments or not? What HW, network and SW setup (wrt the latter: what software are you exposing) do you have in mind for what you are about to do?

Just to note that if you do intend to go for PCI "Level 1" certification you should be prepared for a lot of time and investment as well as extensive and regular audits of your infrastructure / vulnerability scans of both your internal company infrastructure and your hosting infrastructure. I really would suggest that you DO NOT store any cardholder data unless there is a pressing need to do so. I'm guessing you'll be using a third-party processor such as your bank or PayPal etc. so really you're looking at handing off to their "shopping cart" or processing APIs rather than storing CHD yourself.

(We recently went through the whole process and have achieved PCI Level 1, it took a while!)
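The advice from Noway2 and TenTenths above (do not store cardholder data; hand the card off to the processor's API and keep only a reference) can be enforced in code rather than left as policy. The following is an added example, not code posted in this thread and not any real processor's SDK: it assumes a hypothetical flow in which the browser sends the card details directly to the processor and gets back an opaque token, so the merchant server should only ever receive that token plus display fields (brand, last four, expiry). The handler rejects any field that Luhn-validates as a card number, and a log scrubber masks any that slip into free text. The field names, the `tok_...` token format and the sample payloads are all constructed for illustration.

```python
"""Merchant-side checkout handler that refuses to persist cardholder data.

Added example, not from the thread.  Assumption: card details never touch
this server; the browser tokenises them with the processor (hypothetical
API) and posts back an opaque processor_token plus non-sensitive display
fields.  Anything that looks like a PAN is rejected, and log lines are
scrubbed so a PAN cannot end up on disk by accident.
"""
import re
from dataclasses import dataclass

# 13..19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")

# Only these keys may reach storage; a PAN, CVV or track data renamed to
# something else is caught by the allow-list, not by guessing names.
ALLOWED_FIELDS = {"order_id", "processor_token", "brand", "last4",
                  "exp_month", "exp_year"}


class CardholderDataError(ValueError):
    """Raised when a request carries data the merchant must not keep."""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts false positives on order numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scrub(text: str) -> str:
    """Mask every Luhn-valid PAN in a log line, keeping only the last four."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a card number; leave it alone
    return _CANDIDATE.sub(_mask, text)


@dataclass(frozen=True)
class StoredPayment:
    """The only payment-related record the merchant database holds."""
    order_id: str
    processor_token: str    # opaque handle issued by the processor
    brand: str
    last4: str
    exp_month: int
    exp_year: int


def accept_checkout(payload: dict) -> StoredPayment:
    """Validate an inbound checkout payload and build the storable record.

    Rejects unknown fields, any value containing a Luhn-valid PAN, and a
    last4 that is not exactly four digits.
    """
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        raise CardholderDataError(f"unexpected fields: {sorted(extra)}")
    for key, value in payload.items():
        if find_pans(str(value)):
            raise CardholderDataError(f"field {key!r} contains a card number")
    last4 = str(payload.get("last4", ""))
    if not re.fullmatch(r"\d{4}", last4):
        raise CardholderDataError("last4 must be exactly four digits")
    return StoredPayment(
        order_id=str(payload["order_id"]),
        processor_token=str(payload["processor_token"]),
        brand=str(payload["brand"]),
        last4=last4,
        exp_month=int(payload["exp_month"]),
        exp_year=int(payload["exp_year"]),
    )


# Constructed sample inputs (not real transactions).
GOOD_PAYLOAD = {"order_id": "A-1001", "processor_token": "tok_7f3a9c2b1e5d",
                "brand": "visa", "last4": "4242", "exp_month": 12,
                "exp_year": 2030}
BAD_PAYLOAD = dict(GOOD_PAYLOAD, card_number="4242 4242 4242 4242", cvv="123")
SMUGGLED_PAYLOAD = dict(GOOD_PAYLOAD, processor_token="4111-1111-1111-1111")

if __name__ == "__main__":
    print(accept_checkout(GOOD_PAYLOAD))
    for bad in (BAD_PAYLOAD, SMUGGLED_PAYLOAD):
        try:
            accept_checkout(bad)
        except CardholderDataError as e:
            print("rejected:", e)
    print(scrub("checkout err pan=4111-1111-1111-1111 order=1234567890123"))
```

The allow-list plus the Luhn check is the important pairing: the allow-list stops cardholder data arriving under a different field name, and the Luhn check stops it arriving inside a permitted field (a "token" that is really the PAN). The scrubber is a last line of defence for logs and crash dumps; it is not a substitute for keeping the PAN off the server in the first place.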

