Full Version: Any security tips for hosting customer info (such as CC)?
The Planet Forums > Security > General Security > UNIX Security
moajosh
Hello,
I'm wondering what would be the best way to almost completely lock down a server to the world (except port 80 of course) so that no customer data could ever be gotten to?

What are some good strategies for this? Would some type of hardware firewall be good like a pix box? I am just wanting to make sure that client data is secured such as CC info, bank account, etc. all stored in a MySQL database.

Any thoughts?

Josh
Matt2k
There are many aspects to consider:

Firstly is the physical security of the machine. Since this is hosted in the datacenter, it shouldn't be a problem. Or at least there isn't anything you can do about it.

Secondly, an audit of your application is important. There are tools that can assist you with this process, like Paros Proxy. There are other commercial tools that may or may not be more helpful.

An audit of your server is a good idea too. Tools like Nessus (available to you via Orbit!) are good ones for external audits, although you may want a security professional to audit your system internally for any misconfigurations like file system permission hardening or extraneous service removal.

Finally, encrypt the data in your database.
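Matt2k's last point, protecting the card data that actually lands in MySQL, as an added example that is not code from this thread. Python's standard library has no AES, so instead of encrypting the PAN this shows the related approach of never storing it: the row keeps only a keyed HMAC lookup token and the last four digits; the key and the 4111... test card number are constructed values.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits replaced with '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def prepare_card_record(pan: str, token_key: bytes) -> dict:
    """Build the only card-related columns that go into the customer table.

    The PAN itself is never returned. Lookups (repeat customer, chargeback
    matching) use an HMAC token that cannot be reversed without token_key,
    which must live outside the database host.
    """
    pan = pan.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    token = hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "card_token": token,
        "card_last4": pan[-4:],
        "card_masked": mask_pan(pan),
    }


if __name__ == "__main__":
    # Constructed demo key; in production read it from a secrets store.
    key = secrets.token_bytes(32)
    print(prepare_card_record("4111 1111 1111 1111", key))
```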
wcharnock
Greetings,

I can tell you that the credit card industry is now requiring merchants to go through a CISP/PCI audit process that assures that you have put in place the proper safeguards for protecting customer data. We just underwent this audit ourselves and passed - but our requirements are probably a little stricter than a small web site's would be. There is some data available on Visa's web site here.

Good luck!
jwbrint
Would you happen to have any CISP/PCI Compliance documentation on the website?

A customer for whom we are designing an ecommerce site hosted on your servers requires this documentation.

Jeff Brint
A.J. Bart, Inc.