At the moment I’m setting up an online shop (using OpenCart) for a client. All the payments and transactions are carried out via payment gateways (PayPal, etc.), so the website never stores payment information (bank details, card numbers, etc.).
However, my client is still concerned about the safety of customers’ personal details (address, DOB, full name, etc.). I’ve explained to him that using SSL, any data transferred between the client and the server IS encrypted, and that it’s normal not to encrypt personal information on the server (I pointed out that even a company as big as Sony doesn’t).
Obviously encrypting the contents of a MySQL database is perfectly possible, but of course you still need to place the key on the server. And if someone gets into the server, they’ll get the key as well and simply decrypt the database content.
So is there anything more I can do with regard to STORING personal info more securely? Are there any “industry techniques” I’m missing? Am I correct in thinking that the industry standard is storing personal info in plain text?
Thanks.
Even if you are not strictly required to, try to achieve PCI compliance for your scenario. This will give your client peace of mind and will require you to follow some industry best practices. One of the things you will also have to do is get your server scanned; this will establish some basic confidence in your server’s security.
PCI compliance is not a guarantee of security. It’s basically putting a lock on your door and making sure the windows are closed.
The most important thing PCI compliance does not and cannot check is whether your webapp itself is vulnerable. If there’s an SQL injection attack vector in your app somewhere (for example) then your data can be stolen even if you encrypt your entire database and lock it in an underground vault. So get automated test coverage of your application that attempts to attack it. Run those tests regularly.
Some random googled guides to PCI compliance:
Note very carefully: If at any stage your webservers even touch card data, you are required to be PCI compliant. Just because you do not store CC data does not mean PCI compliance does not apply. The compliance level will be less stringent, but there will still be a compliance level.
It’s not clear to me whether PCI compliance applies to your scenario. Basically, if customers enter card numbers into PayPal’s website directly and you never know the card number, you do not need to be PCI compliant. If however they enter card numbers into your website and your server passes that data to PayPal via an API, you do need to be PCI compliant even if you are not storing the data they enter!
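The SQL-injection point made above (encrypting the database does not help when the application itself can be made to hand out decrypted rows, so test the application against attack inputs regularly) is illustrated by this added example; it is not code from the question or the answers, and it uses an in-memory SQLite table with constructed fake customer records in place of OpenCart’s MySQL schema. The lookup function names and the `injection_regression` helper are assumptions made for the demo.

```python
import sqlite3

# Constructed sample PII records (fake names, addresses, emails) for the demo.
CUSTOMERS = [
    (1, "Alice Example", "1 High Street", "alice@example.com"),
    (2, "Bob Example", "2 Low Road", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER, name TEXT, address TEXT, email TEXT)")
    db.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return db


def find_by_email_unsafe(db, email):
    """Vulnerable form: user input is spliced into the SQL text.
    Even if the address column were encrypted at rest, the application
    decrypts whatever the query returns, so encryption buys nothing here."""
    sql = "SELECT id, name, address FROM customer WHERE email = '%s'" % email
    return db.execute(sql).fetchall()


def find_by_email_safe(db, email):
    """Hardened form: a bound parameter, so the driver treats the input as a
    literal value and never as part of the SQL statement."""
    sql = "SELECT id, name, address FROM customer WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def injection_regression(lookup):
    """Automated check of the kind the answer recommends: feed an
    injection-shaped input to a lookup and return how many rows come back.
    No stored email equals this string literally, so a correct lookup
    must return zero rows; a non-zero count is a regression."""
    db = make_db()
    hostile = "nobody@example.com' OR '1'='1"
    return len(lookup(db, hostile))


if __name__ == "__main__":
    print("unsafe lookup leaked rows:", injection_regression(find_by_email_unsafe))
    print("safe lookup leaked rows:", injection_regression(find_by_email_safe))
```

Wire a check like `injection_regression` into the shop’s test suite so it runs on every deployment, not only when the site is first built.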