Data Encryption - SQL Server

sist_si

sist_si

sist_si

Associate
Joined
28 Nov 2004
Posts
1,237
Location
Birmingham
Hi guys,
I'd appreciate any advice here!

A client wants to take payments over the web. They can process payments in their office and so want to have their site users c.card data stored in the database until payments are processed. I'd just like to know the best way of doing this in terms of security.
Usually we use the big online payment players like Protx, World Pay, Pay Pal etc but this isn't an option in this case.

We'll have a 128-bit SSL Certificate running on the site when the payment details are passed to the db but I'm not sure of the best encryption method to use. I was looking at setting up an AES Symmetric Key with separate password on the SQL Server but would it be best to encrypt the data before we pass it over to the db or will the SSL do the job on that?

Cheers for any help you can give.

Some spec info - The DB Server is separate to the website server and firewalled to the max. Only the webserver itself can access the db on the internal network and standard port and the connection is a db_reader/db_writer account.
 
i've been playing around with encryption on SQL server and I have something up and running...well, nearly.

Here goes....I'm using a master key on the database with a certificate and symmetrical key.
I have a stored proc called with my website db_reader/writer login which I 'execute as' a db_owner Login I created which in turn is set to 'Deny' connect permission to the database engine in its properties. I'm hoping this stops anyone from the web trying to login with db_owner permissions....I really do hope it does :)
While executing, my stored proc (as the db_owner) I grant control of the certificate and view of the key to my website user, encrypt and insert the data then revoke the certificate and key privilages.

How does that sound?!
I'm just really worried about having to use that db_owner user but I tried and it doesn't seem to let me connect with it as I planned.

Any advice!
 
Cool. Cheers cjmUK. I'm in talks with our server host who say they're going to investigate the best ways of doing everything at issue here.

They say the communication between our web and db server is private so no one should be able to access it but we'll see what they find.
 
You must log in or register to reply here.
Back
Top Bottom