    Quote from: netProphET at Aug 29, 2007, 09:14 PM

    Even storing data encrypted on a shared web host does not meet Visa or Mastercard’s security requirements if you follow them to the letter.
    True enough. If you’re going for PCI compliance, I don’t think shared hosting is a possibility.
    Quote from: netProphET at Aug 29, 2007, 09:14 PM

    Unless by "sensitive" you just mean identity type stuff like name, address etc. But storing a person’s financial information, even with some encryption types, on a shared web host should be illegal, if it’s not already.
    I meant pretty much everything. The fact is that even if CC data is stored and encrypted (which, believe it or not, it isn’t always), the key to decrypt things has got to be somewhere on your server anyway. If somebody has db access, odds are they’re savvy enough to find your key too, which makes your encryption moot.

    I fully agree that ecommerce on shared hosting is a very very bad idea. Even on a dedicated server you’ve still got to know your stuff enough to regularly apply security patches and such, but at least you know that you’re the only one that can mess things up. And sometimes that’s the best you can hope for ;) It’s just that with shared hosting... most of the time you’d probably be fine, but there’s just so much that’s out of your hands that it’s kind of scary from a security (and liability) point of view.