views:

279

answers:

3

Hello, I'm running ASP.NET MVC and need a safe way to store credit-card data temporarily (I have an order confirmation page, which posts to an action that actually processes the order). I tried TempData, but it doesn't survive the post. Can I safely use session since it's stored on the server?

Thanks.

+3  A: 

Sessions are insecure (thanks to the commenters for correcting me on this). Not only are they susceptible to a brute-force attack, there are several other vulnerabilities. http://www.dreamincode.net/forums/showtopic61503.htm

If you absolutely must use sessions to store your data, make sure to use a suitable session timeout so that people don't accidentally leave their credit card details on a public computer.

I would strongly recommend, however, that you review the Payment Card Industry Data Security Standard (PCI DSS). https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

David Pfeffer
+1 (in a big way) for PCI DSS. -1 (in a big way) for "sessions are secure". Sessions are *insecure*. And no, you don't need brute force to steal them. Google ASP.NET session hijacking.
Craig Stuntz
@Craig Thanks for that, I corrected the answer. I had no idea!
David Pfeffer
+1 Thanks, @bytenik. I will be sure to follow those policies.
jchapa
+4  A: 

You really shouldn't even be requesting the numbers until the last step in the process. Additionally, you should be using SSL for the entire span of the process too. If you decide to store them in Session, encrypt them just for an added degree of safety.

Jonathan Sampson
Good advice. I knew that you had to follow certain policies if you persisted the data, but was glad I asked before throwing them in Session State (even using SSL).
jchapa
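The two answers above boil down to three controls: request the number only at the last step, use SSL for the whole flow, and if the number must sit in Session at all, encrypt it and expire it quickly. The following is an added example (not code from the question or from any of the answers) that puts those together in ASP.NET MVC. It assumes MVC 2 or later (for `[RequireHttps]` and `[HttpPost]`), a single web server (DPAPI via `ProtectedData` uses per-machine keys, so it will not decrypt on another node of a farm), and hypothetical controller actions and a hypothetical payment-gateway call that are named but not implemented.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Added example, not from the original thread. Keeps the card number in Session
// only between the confirmation page and the processing action, encrypted with
// DPAPI, readable once, and discarded as soon as processing is attempted.
public static class CardScratchpad
{
    private const string SessionKey = "PendingCard";                                   // hypothetical key name
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("order-confirm-v1"); // constructed; not a secret

    // Encrypt the PAN and expiry and record when they were stored so they can be
    // expired independently of the global sessionState timeout.
    public static void Store(HttpSessionStateBase session, string pan, string expiry)
    {
        byte[] plain = Encoding.UTF8.GetBytes(pan + "|" + expiry);
        // LocalMachine scope: decryptable by this server's worker process, not by another machine.
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);                                           // don't leave plaintext lying around
        session[SessionKey] = new PendingCard { Cipher = cipher, StoredAtUtc = DateTime.UtcNow };
    }

    // Read-and-remove: the data is available once, and only within the window.
    public static bool TryTake(HttpSessionStateBase session, TimeSpan maxAge, out string pan, out string expiry)
    {
        pan = null; expiry = null;
        var pending = session[SessionKey] as PendingCard;
        session.Remove(SessionKey);                                                    // always clear, even on failure
        if (pending == null || DateTime.UtcNow - pending.StoredAtUtc > maxAge)
            return false;
        byte[] plain = ProtectedData.Unprotect(pending.Cipher, Entropy, DataProtectionScope.LocalMachine);
        string[] parts = Encoding.UTF8.GetString(plain).Split('|');
        Array.Clear(plain, 0, plain.Length);
        if (parts.Length != 2) return false;
        pan = parts[0]; expiry = parts[1];
        return true;
    }

    [Serializable]
    private class PendingCard { public byte[] Cipher; public DateTime StoredAtUtc; }
}

[RequireHttps]   // every action on this controller refuses plain HTTP
public class CheckoutController : Controller
{
    [HttpPost]
    public ActionResult Confirm(string cardNumber, string cardExpiry)
    {
        CardScratchpad.Store(Session, cardNumber, cardExpiry);
        // The confirmation view gets only the last four digits, never the full PAN.
        ViewData["Last4"] = cardNumber.Length >= 4 ? cardNumber.Substring(cardNumber.Length - 4) : "";
        return View();
    }

    [HttpPost]
    public ActionResult Process()
    {
        string pan, expiry;
        if (!CardScratchpad.TryTake(Session, TimeSpan.FromMinutes(5), out pan, out expiry))
            return RedirectToAction("Expired");   // hypothetical action: ask the user to re-enter the card
        // paymentGateway.Charge(pan, expiry, ...);  hypothetical gateway call goes here
        return RedirectToAction("Receipt");       // hypothetical action
    }
}
```

Pair this with a short `<sessionState timeout="..."/>` and `<httpCookies requireSSL="true" httpOnlyCookies="true"/>` in web.config so the session cookie is never sent over HTTP or exposed to script, which narrows the hijacking window the first answer's comments describe. Encrypting in Session does not change the PCI DSS position that the data is still being stored, even briefly; a tokenizing gateway that returns a reference instead of the PAN removes the need for this scratchpad entirely.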
A: 

Session state will persist the information, but it is not secure. Be aware that any kind of persistence may be violating the terms of service with the bank or credit agency. Most of them have very strict regulations on what you're allowed to do with this information.

Aaronaught
Apparently my answer implied that "sessions are secure". I don't think I said that, and even pointed out that persisting CCs at all is something you shouldn't do, but in any case, I edited to make that point more clear.
Aaronaught