9

I'm building a custom e-commerce site, and the user will input their credit card details on the site instead of being directed to the payment gateway's site.

I'm confused as to what the critical steps are that I need to take to secure the credit card transaction.

Payment gateways are obviously trying to sell SSL certificaes but my understanding is that the main purpose of those is to provide authentication, and not encryption of credit card details. / What steps do I need to take to ensure the customer's credit card details (and other information passed via XML to the payment gateway) are secure?

Thanks

AviD
  • 72,138
  • 22
  • 136
  • 218

3 Answers3

10

@Jeremy, first thing you need to do is read the PCI-DSS.
That should provide a very good beginner checklist for you. Also, you don't really have a choice in the matter, if you want to accept credit cards you must comply with PCI.

In fact, you'd be better off NOT accepting credit cards, and having other service do that for you - Paypal, payment gateways, whatever. After reviewing PCI you'll probably agree with me...

Here's a few highlights, FAR from complete:

  • Protect all communications, using SSL/TLS with the certificates, including both encryption and authentication (of the server)
  • Authenticate all users (a lot of work around password policy and such)
  • Control access to the application, servers, and database
  • Never store credit card details, only encrypted PANs
  • Never store track data, CVV etc AT ALL
  • Secure your site so its not easily breakable
  • Monitoring, policies, etc etc and lots more...
AviD
  • 72,138
  • 22
  • 136
  • 218
  • +1 on the 'get someone else to do it for you' piece. This side of the industry is very well developed now and the most of the main providers understand security architecture, secure development and testing and audit - you can't absolve all responsibility for security, but if you can gain assurance that a provider will do this to the level you need then you just need to worry about your end. – Rory Alsop Dec 19 '10 at 12:13
  • @Rory, I wish that were true :). But, it does bring up once again [ *AviD's Law of Compliance* ](http://security.stackexchange.com/q/622/33#631): "PCI compliance reduces the risk of the penalties of non-compliance" – AviD Dec 19 '10 at 12:55
  • With your permission - I'd like to quote AviD's law of compliance on the PCI-DSS side :-) To be honest, I wasn't really including PCI-DSS as 'assurance' on this - my view of assurance is considerably more in depth! – Rory Alsop Dec 19 '10 at 18:58
  • @Rory - I'd love that! :D – AviD Dec 19 '10 at 19:33
  • +1 for passing the buck. The cost of compliance is very often *MUCH* higher than the cost of outsourcing. – Scott Pack Dec 20 '10 at 15:19
6

To add on to the answers already given, if you're going to process Credit Card details it's well worth reviewing the OWASP Top 10 and ensuring that you're taking account of all the risks there (demonstrating that may well help with your PCI compliance as well).

For some more in depth information on that side of things you could also look at the OWASP Development Guide.

FWIW I'd agree with @AviD that if you can avoid processing Credit card information, it'll make your life a lot simpler from a compliance and likely a security perspective.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
1

If you are building e-commerce site, then you should realize what responsibility you have to handle. At this point I would suggest you to run security audit and pentest (both are not equal). Sure, you should not rely only on security provider solutions and hints - that what I am recommending is post-check.

@AviD mentioned PCI-DSS, what is the key of user data robust integrity and security solution. However, many developers fails to satisfy all standard requirements. That's why if you are not sure about how to start, what to do or simply want to feel safe - I am recommending to address to company that would conduct security checks.

Update: just to clarify - that what I am recommending are steps that should be done after application is built, when you think you are ready to start running it for broad audience. Later it could be revealed that you are not ready at all and requires several revision steps.

  • @Ams, while I'm all for the different types of test, you can't *test* an app secure. Besides, its not built yet - he's asking what he should do now. – AviD Dec 19 '10 at 23:14
  • @AviD - I understand that app is not built yet, I am about further steps. And I could not understand what does it means "you can't test an app secure". –  Dec 20 '10 at 10:35
  • @Ams of course I agree with the further steps, however thats not what @jeremy was asking for... Perhaps if you emphasized this as advice for the future... I meant that you cannot make an app secure simply by testing. – AviD Dec 20 '10 at 10:38
  • @AviD, ah, now I understood you. Then here was some kind of confusion. Sure application can not be built secure only by testing it. It's quite obvious. Then it would remind something like enumeration of best ways of "how-to". –  Dec 20 '10 at 10:49