Posted on February 19, 2014 by
One of the biggest challenges for SaaS startups is how to accept payments online. We have already covered the major payment gateways that startups in the US, Europe, Australia and Asia can use. However, some companies opt to store their customers’ credit card data in-house. Why would you want to use an in-house database as your credit card vault? And is using a database to store credit card information safe?
Some startups, like 37 Signals, switched from third-party payment processors to custom in-house systems. However, other companies have tried in-house systems with disastrous consequences. Headlines regularly detail companies crippled by a data breach. Whether it is a large-scale attack or simply a case of an employee abusing access to sensitive cardholder information, the results can be devastating.
Cardholder data stored in a company’s database is exposed to a number of internal and external risks. Companies that fail to safeguard cardholder data not only lose their customers’ confidence, but can also be slapped with heavy fines for being non-PCI compliant and face other legal problems.
Risk of Storing Credit Card Data in Databases
According to the 2012 Verizon Data Breach Report (PDF), databases have the highest rate of breaches among all business assets. The report shows that approximately 96% of records breached are from databases. On the same note, the Open Security Foundation revealed that 242.6 million records were potentially compromised in 2012.
Hackers and malicious insiders target databases for one simple reason: that is where customer records and other confidential business data are stored. When malicious third parties access cardholder data, they can quickly extract value, disrupt business operations or cause massive damage.
Many startups do not invest in database security as much as they should. According to IDC, of the 27 billion companies spent on security products in 2011, less than 5% went to addressing database security. Databases are vulnerable because of the technology they are built on. Below are some reasons why you should not use your database as a credit card vault.
i) Unused or Excessive Privileges
When employees are given more privileges than their job functions require, they can abuse the privileges. For example, a customer success team member whose job function requires the ability to change customer contact information may take advantage of excess privileges and increase a customer’s account balance.
On the same note, companies often forget to revoke the database privileges of employees who leave. If employees depart on bad terms, they can use their former privileges to inflict damage or steal high-value data.
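As an added example (not the post's own code), the following PostgreSQL statements show the least-privilege alternative to the scenario above: a support role that can update contact details but cannot touch the balance, a clean revocation when someone leaves, and a query to audit who holds what. The table, column and role names are assumed for illustration.

```sql
-- Added example, not from the original post. PostgreSQL syntax;
-- table, column and role names are constructed for illustration.
CREATE TABLE customers (
  id              serial PRIMARY KEY,
  email           text,
  phone           text,
  mailing_address text,
  account_balance numeric(12,2) NOT NULL DEFAULT 0
);

-- Weak setting (what the post warns against): a table-wide UPDATE lets a
-- support user change account_balance as easily as a phone number.
-- GRANT UPDATE ON customers TO support_role;

-- Corrected setting: the role may read records but may only UPDATE the
-- contact columns; account_balance is not grantable to it this way.
CREATE ROLE support_role NOLOGIN;
GRANT SELECT ON customers TO support_role;
GRANT UPDATE (email, phone, mailing_address) ON customers TO support_role;

-- Staff log in as individual roles that inherit support_role, so there are
-- no per-user table grants to forget about later.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';  -- placeholder value
GRANT support_role TO alice;

-- Offboarding: remove the role membership and the login itself, so no
-- standing privilege survives the departure described above.
REVOKE support_role FROM alice;
DROP ROLE alice;

-- Periodic audit: which grantees hold table-wide privileges on customers?
-- A table-wide UPDATE here is a candidate for replacement by column grants.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'customers';

-- And which column-scoped UPDATE privileges exist?
SELECT grantee, column_name, privilege_type
FROM information_schema.role_column_grants
WHERE table_name = 'customers' AND privilege_type = 'UPDATE';
```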
ii) Privilege Abuse
Authorized users may also turn legitimate database privileges to unauthorized ends. For example, an employee may be granted access to the database with certain limitations, such as disabled printing and saving of electronic copies.