Storing credit card/sensitive data

Discussion in 'Linux VPS/Dedicated - General' started by fumble, Jan 8, 2009.

  1. fumble

    fumble Member


    This is a post aimed at both the community and KH staff specifically.

    I know the general recommendation in the development community is "don't store credit card data at all" and I firmly agree with that. However, surely people can understand that legitimate reasons will arise to store this information once in a while. So my questions are:

    1) What are KnownHost's feelings regarding storing credit card information on a KH VPS? Specifically: a) Is this allowed in your TOS? b) Do you frown on this practice?

    2) If one must store credit card information for a Web application, what are some safe ways to do this? I'm talking general big picture stuff.

    Just putting the feelers out for now. Thanks everyone!

  2. ppc

    ppc Moderator

    There is definitely nothing in the TOS preventing you from doing this. Heck, VPSes are great and recommended for ecommerce purposes.

    What you do need to think about is the liability. It is your responsibility to ensure that the information is safe, secure, encrypted, etc.

    If you don't feel comfortable securing the data including the VPS yourself, it would be wise to hire a professional. If the data is stolen, you can be held liable for damages. That's what I would be thinking about and that's regardless if you're on a VPS or a dedicated. They both have the same security concerns. Shared hosting is different, because there is no true isolation from one account and the next.

    Also, I think you need to get certified for different things in accordance with Visa/Mastercard/American Express/Discover policies to be able to store the information and process the charges.
  3. DesotoD

    DesotoD New Member

    Personally, I don't like having cc numbers stored on a VPS unless they are broken up.

    I'm about to start a project for a local company and will go with a dedicated with strong firewall, a firewall at the local point, and maybe one in between those two points. Of course we're dealing with a corporate budget but with the alarm about fraud these days, I don't think you can be too careful. Personally, I worry about my card more at Wallyworld than online.

    A few things:

    A TOS that will protect you in the event of disaster. SEE A LAWYER.
  4. fumble

    fumble Member

    Hi DesotoD,

    Would you please expand on what you mean by "broken up?"

  5. Johnw

    Johnw New Member

    CC numbers on server

    Doesn't have anything to do with whether the web server is a VPS or dedicated server but a web server - not a good idea - should be another server on the internal domain behind a good - managed - monitored firewall.

    Your CC merchant account processor will likely require quarterly security scans - as mine did or they will do them for an additional $20 per month. (iPayment) This is to satisfy Visa/Mastercard requirements.

    I moved away from a merchant account to just using PayPal - but I have light usage and the fees were getting too high with a dedicated merchant account.
