Information Security
php pci-dss mysql credit-card
Updated Sun, 17 Jul 2022 04:11:03 GMT

Client is not storing Credit Cards Securily (near plain text). How do I convince client to be more secure?


I am writing in regards to PCI-DSS compliance for taking credit cards. A client of mine is not willing / does not want to bump up security beyond what is currently done for their credit card data. All data is currently being stored on a server's MySQL database until it is run through the merchant system manually. Currently, only the credit card number is being encrypted, and only that is using using basic MySQL ENCODE() with an short string as the key. The rest of the information is plain text.

Personally, I am not comfortable with this low level security and they are pushing back for bumping up the security. What should I do / what can I do to explain, encourage, or force PCI DSS compliance or at least a higher level of security?

We are using PHP 5.2 and MySQL (sorry, forget the version number)

If nothing else, is there a way to encrypt it with PHP or MySQL that will be more secure but minimize the work for the client to be more secure.




Solution

You tell them what you know, and then you let them make the decision they want to make. Unless you've been hired to do their PCI audit, this probably isn't your fight. Put together a report explaining the relavant threats and potential issues so that both you and they have it in writing, and then you're done. Specifically, you may want to let them know what sort of attacks they're properly defending against, and what sort of attacks they are not properly defending against as well as what the ramifications may be.

In the end, though, your role is as a consultant, not any sort of enforcement capacity. If you push any further than just giving them advice, you put yourself at significant risk with really zero reward.





Comments (1)

  • +0 – That's what I was afraid of. I have given them a full report about the ease of a breach, types of breaches possible and why this should be a concern. Thank you for your time. — Jan 09, 2013 at 01:44