Z
Z
Zulusho2018-03-13 12:28:02
Information Security
Zulusho, 2018-03-13 12:28:02

Storing mobile phone numbers and credit cards in the clear?

Hello, there is such a task:
Users enter their number, it is confirmed by SMS.
The user makes a transfer of funds from the card of one green bank to the manager, after which the manager confirms the payment.
Since the green bank can only return the name of the payer and the last four digits of the card number (and the amount of the transfer), the manager can look up payment on the statement using this data. We receive data about the card and the name of the payer from the user.
If the payment is not confirmed, the manager calls the client at the number that we have confirmed.
Accordingly, the manager must receive in a readable form data about the payer, about the card (last 4 digits), and about the number.
One user can pay to an unlimited number of managers and one manager can receive an unlimited number of payments from an unlimited number of users.
The question is how to store this data in the database as safely as possible?
Is it safe to keep them open? OWASP forbids doing this

Answer the question

In order to leave comments, you need to log in

4 answer(s)
A
Alexander Aksentiev, 2018-03-13
@Zulusho

OWASP forbids doing this

Well, encrypt with any cipher - this automatically makes them unopened. This is exactly what your link says and lists options for how to hide data. It doesn't have to be irreversible hashing.
even with encryption, when accessing the server / sources, the data can be decrypted, and this does not add security in any way.
It will protect if the data is merged without access to the code or the entire server, through a standard injection, for example, on a website.

C
cicatrix, 2018-03-13
@cicatrix

If "as secure as possible" then, of course, encrypt.
To search, you can stupidly repeat in the next field in unencrypted form 4 digits that you receive from the bank.
And yes, if "maximally safe", then each record should be encrypted with its own key, which, of course, should not lie next to the record.
In general, this is all verbiage: 100% security does not exist. Determine the threat scenario - what exactly do you want to protect against, determine the most likely attack vectors for your data, try to close at least them. Security is a COMPLEX of measures (starting with how confident you are in the reliability of your managers / admins that they will not leak the base to an attacker). Bribery is sometimes cheaper than bribery.

S
Sergey, 2018-03-13
@feanor7

What you collect can be classified as personal data. Regulates 152-FZ, processing has its own requirements, in particular the use of certified protective equipment. Which basically closes your question.
They may not be caught for this, there are a lot of firms, they will not bypass everyone. But an open user base with phones ...))) Well, let's do it, you will have it 9 out of 10 closed, from the outside world, but open for internal access. e Excel file you will generate)

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question