Storing credit card/sensitive data



This is a post aimed at both the community and KH staff specifically.

I know the general recommendation in the development community is "don't store credit card data at all" and I firmly agree with that. However, surely people can understand that legitimate reasons will arise to store this information once in a while. So my questions are:

1) What are KnownHost's feelings regarding storing credit card information on a KH VPS? Specifically: a) Is this allowed in your TOS? b) Do you frown on this practice?

2) If one must store credit card information for a Web application, what are some safe ways to do this? I'm talking general big picture stuff.

Just putting the feelers out for now. Thanks everyone!

There is definitely nothing in the TOS preventing you from doing this. Heck, VPSs are great and recommended for ecommerce purposes.

What you do need to think about is the liability. It is your responsibility to ensure that the information is safe, secure, encrypted etc.

If you don't feel comfortable securing the data, including the VPS, yourself, it would be wise to hire a professional. If the data is stolen, you can be held liable for damages. That's what I would be thinking about, and that's regardless of whether you're on a VPS or a dedicated. They both have the same security concerns. Shared hosting is different, because there is no true isolation from one account and the next.

Also, I think you need to get certified for different things in accordance with Visa/Mastercard/American Express/Discover policies to be able to store the information and process the charges.
Personally, I don't like having cc numbers stored on a VPS unless they are broken up.

I'm about to start a project for a local company and will go with a dedicated with strong firewall, a firewall at the local point, and maybe one in between those two points. Of course we're dealing with a corporate budget but with the alarm about fraud these days, I don't think you can be too careful. Personally, I worry about my card more at Wallyworld than online.

A few things:

1) A TOS that will protect you in the event of disaster. SEE A LAWYER.

2) CC numbers on server: this doesn't have anything to do with whether the web server is a VPS or dedicated server, but a web server is not a good idea. They should be on another server on the internal domain behind a good, managed, monitored firewall.

Your CC merchant account processor will likely require quarterly security scans, as mine did (iPayment), or they will do them for an additional $20 per month. This is to satisfy Visa/Mastercard requirements.

I moved away from a merchant account to just using PayPal, but I have light usage and the fees were getting too high with a dedicated merchant account.
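The replies above converge on three big-picture rules: encrypt the data at rest, keep the full card number off the web-facing server (the card brands' requirements mentioned above are what is now consolidated as PCI DSS, which says the same), and store only what the application actually needs to show the customer. The example below puts those rules into code. It is an added illustration, not code from any poster or from KnownHost. It assumes the 32-byte encryption key is supplied from outside the database (a file on the separate internal host the last reply describes, or a KMS/HSM), and it deliberately does not show how that key is provisioned; the record the web application's database ends up holding carries only the last four digits, a key identifier for rotation, and an AES-256-GCM ciphertext whose authentication tag also covers that key identifier.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the only thing the web-facing database holds. The full card
// number (PAN) exists in memory just long enough to encrypt or use it.
type StoredCard struct {
	Last4      string // safe to display to the customer: "**** 4242"
	KeyID      string // which key wrapped this record, so keys can be rotated
	Ciphertext []byte // 12-byte nonce || AES-256-GCM ciphertext || 16-byte tag
}

// LuhnValid rejects mistyped numbers before anything is encrypted or stored.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// EncryptPAN turns a card number into the record the database may keep.
// key must be 32 bytes (AES-256); keyID names it so a later rotation can
// re-encrypt old rows without guessing which key they used.
func EncryptPAN(keyID string, key []byte, pan string) (StoredCard, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !LuhnValid(pan) {
		return StoredCard{}, errors.New("invalid card number")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	// keyID is bound as additional authenticated data: a stored row cannot be
	// silently relabelled to another key without failing authentication.
	ct := gcm.Seal(nonce, nonce, []byte(pan), []byte(keyID))
	return StoredCard{Last4: pan[len(pan)-4:], KeyID: keyID, Ciphertext: ct}, nil
}

// DecryptPAN recovers the card number; it fails closed on any tampering.
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(rec.Ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(rec.KeyID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; in practice it comes from the internal key host.
	key := bytes.Repeat([]byte{0x11}, 32)
	rec, err := EncryptPAN("dek-2024-01", key, "4242 4242 4242 4242") // public test number
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s key=%s ciphertext=%d bytes\n", rec.Last4, rec.KeyID, len(rec.Ciphertext))
}
```

The point of the layout is separation: the row that lives on the web server is useless without a key it never holds, and the only cleartext it keeps (the last four digits) is what a "broken up" display needs. Rotation is a loop over rows grouped by KeyID, decrypting with the old key and re-encrypting with the new one.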