12

How do you save important (privacy-wise) user data like SSNs, credit card numbers and addresses in databases?

Scenario:
Only data which needs to be available is saved. E.g., the SSN is saved because the app uses the SSN to identify a particular record, or credit card details are saved to make 1-click transactions possible. Some such data can be encrypted and saved, but some data needs to be available in plain text (e.g. for full-text search). The app uses third-party hosting.

Questions:
How secure is such data in plain text (or otherwise) on third-party hosts like HostGator or App Engine?

Do you save such data on third-party hosts (and is this practice recommended)?

Do you store it in plain text or do you encrypt such data?

Should only those companies who have the resources to have their own servers proceed to build such apps?

abel
  • 697

2 Answers

5
  • You need to investigate your legal liability first - which differs from country to country. For example, financial data in the UK cannot be stored in a server in a non-UK (or non-EU, depending on what that data is) country.

  • Data is never 100% secure when unencrypted; heck, it's not even 100% safe when encrypted, but a good encryption algorithm and keeping keys nice and safe make it pretty darn secure.

  • Yes, I can recommend hosting on 3rd parties, especially if you can't afford to create and maintain that data warehouse infrastructure. Again, it depends on your data and business.

  • Always frickin encrypt any data that is private or business critical. Never trust a third party :).

  • Tons of businesses use 3rd party data hosting; you don't need to run your own farm. Of course people like Twitter, Google and Facebook value their data so much that they'd never dream of storing their data on a 3rd party host.

Hope that helps!
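An added example, not part of the question or of either answer: one way to combine the "always encrypt, keep the keys safe" advice with the question's need to identify a record by SSN is field-level AES-256-GCM encryption plus a keyed-hash "blind index" for exact-match lookup. It uses Node's built-in `crypto` module; every function, key and column name here is hypothetical, and the keys are generated in-process only so the sketch runs (the assumption is that real keys live in a secret store off the database host).

```javascript
const crypto = require('crypto');

// Assumption: in production both keys come from a KMS or secret store kept
// off the third-party database host; random keys here make the demo runnable.
const ENC_KEY = crypto.randomBytes(32);   // AES-256-GCM data key
const INDEX_KEY = crypto.randomBytes(32); // separate HMAC key for lookups

// Strip formatting so "000-12-3456" and "000123456" index identically.
const normalizeSsn = (ssn) => ssn.replace(/\D/g, '');

// Keyed hash stored beside the ciphertext: allows exact-match lookup without
// decrypting rows, and cannot be recomputed without INDEX_KEY.
function blindIndex(ssn) {
  return crypto.createHmac('sha256', INDEX_KEY)
    .update(normalizeSsn(ssn)).digest('hex');
}

// Returns base64(nonce || tag || ciphertext) with a fresh 96-bit nonce.
function encryptField(plaintext, column) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', ENC_KEY, nonce);
  c.setAAD(Buffer.from(column)); // binds the ciphertext to its column
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]).toString('base64');
}

// Throws if the stored value was modified or moved to another column.
function decryptField(stored, column) {
  const buf = Buffer.from(stored, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, buf.subarray(0, 12));
  d.setAAD(Buffer.from(column));
  d.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([d.update(buf.subarray(28)), d.final()]).toString('utf8');
}

// What the hosted database sees: ciphertext and the blind index only.
function toRow(ssn, cardNumber) {
  return {
    ssn_idx: blindIndex(ssn),
    ssn_enc: encryptField(normalizeSsn(ssn), 'ssn'),
    card_enc: encryptField(cardNumber, 'card'),
  };
}

// Constructed sample values (an unissuable SSN and a test card number).
const table = [toRow('000-12-3456', '4111111111111111')];
const findBySsn = (ssn) => table.find((r) => r.ssn_idx === blindIndex(ssn));
```

A blind index only answers exact-match queries, so it does not cover the fields the question says must stay searchable as full text.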

3

Since you're including credit card numbers, you might want to look at the PCI data security standards in use. While the Wikipedia article doesn't seem to mention third-party hosts, the requirements to track access make this seem unacceptable. This is the minimum necessary to accept credit cards yourself (at least in the US).

There are sufficiently many potential legal and compliance issues that I'd think hosting one's own servers wouldn't be much of an additional expense.