What are some best practices for handling sensitive information?

Question

I'm currently creating an application for a customer that will allow them to automatically bill their customers credit cards.

I'm curious as to what are some best practices to safely store and access the credit card information, and for that matter, any other sensitive information, like social security numbers, account numbers and so on.

I'm assuming encryption of some type will be employed, but before I dig in too deep I wanted to see how others are handling these types of requirements.

Not that it matters, but we are designing the software using Microsoft SQL Server for the database, and using C# and ASP.NET.

Answer 1

Read the PCI requirements. Everything will be there.

Actually, you must follow them.

Answer 2

Don't - I mean, do you really need to?

Answer 3

1 - don't even collect SSNs unless you really need them. And unless you're a bank or the government, chances are you don't.

2 - don't collect other sensitive info unless you really need to

3 - use whatever controls are appropriate (separate machine for the database, firewalled, access controlled, etc) for the stuff youdo really need to keep.

Answer 4

Different PCI standards compliance is required for different applications. If your application simply collects CC numbers and then submits them to a 3rd party PCI compliant payment gateway, your compliance requirements aren't too bad - provided you don't store the card number or CVV.

In terms of logging, you should "gut" the credit card number, e.g. retain the first 6 digits and last 3 digits but obscure the intermediate digits. Do not log CVV at all.

The PCI standard documents go into great detail, but it all depends on the requirements of your application as to what level of compliance you require.

Answer 5

Use aggressive standards to secure the host system both in terms of OS and physical security, such as the NSA guidelines.

Put the database on a separate system from the web server or other functions to prevent physical access and permission escalation exploits.

Program defensively to avoid SQL injection attacks and similar exploits.

When developing, program with security in mind first. Coming back afterwards and applying security will be difficult and error prone.

Try to separate the various parts of the application... i.e. don't use the same viewer or controller for "public" access and "private" access.

Be aware of and comply with all local laws regarding handling of this data... There are a lot of them out there.

Keep a supply of envelopes around to notify your customers in the event of a breach. If you lose information for 26 million customers, you might not be able to acquire enough envelopes to meet the legal timeframe for notifying them of a breach.

Answer 6

Be intimate with the OWASP threats and know precisely how to counter them in your application and framework. It's hard to believe how many people embrace goofy half-solutions to SQL Injection and cross-site Scripting attacks.