Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses

Re^2: collecting sensitive data

by casimo (Sexton)
on Jul 17, 2009 at 00:23 UTC ( #780894=note: print w/replies, xml ) Need Help??

in reply to Re: collecting sensitive data
in thread collecting sensitive data

Thanks for the replies.

I have convinced the client to not store any of the sensitive data online...however, they do need to collect this information from the site somehow.

Any thoughts on how to simplify things? Perhaps encrypting the sensitive data and emailing it to the client? (maybe breaking the data into two emails?)

I know PCI issues will still exist (for the client), but I want to make sure that my link in the chain is secure.

Replies are listed 'Best First'.
Re^3: collecting sensitive data
by Your Mother (Archbishop) on Jul 17, 2009 at 02:41 UTC

    Email can be made secure but I believe it is probably more difficult than doing it in a limited access DB with a site under SSL/HTTPS. Plus it initiates a situation where an end user can accidentally broadcast sensitive data with a careless forward/CC or an Outlook virus or whatever. I'd say steer completely away from email and encourage your customer(s) to think the same. Consider any bank or serious online store you've ever visited. There is not one that would send any of this stuff that way.

    I don't mean to be discouraging either. I think it's possible to do this right. Just be very careful and please seek a project review as grep and I suggested before you flip anything live. You could theoretically do something like a hacker prize too. Offer $250-500(?) to anyone who can get a dummy account -- and explain how s/he did it -- out of a test deployment of your code.

Re^3: collecting sensitive data
by Your Mother (Archbishop) on Jul 17, 2009 at 07:21 UTC

    I endorse the amendment ig gives below: an earlier review is a better idea. As for frameworks: none I know but I'll bet there are some options. I've worked within an established codebase taking cards and SSNs (and it was chillingly insecure). I never had to do one from scratch and even after a decade of CGI/web-apps I'd still be nervous, extremely cautious, and thorough.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://780894]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (1)
As of 2022-01-19 05:49 GMT
Find Nodes?
    Voting Booth?
    In 2022, my preferred method to securely store passwords is:

    Results (55 votes). Check out past polls.