I get the impression that credit card information is stored in the same database as login information etc.
Why?
My first thought is that it should be stored on, and never leave, a completely separate system where you have a very limited number of interactions available (reducing the attack vector and making it much easier to spot suspicious activity).
I.e. Charge customer x with y for game z. Refund customer for purchase i (only valid within the refund-period). Add(overwrite)/delete customer data. Where all interactions must be signed.
And nothing more.
Anything less than that and I'm skeptical as to whether you could be considered careful of your customers' data. Storing credit card information in the same database as all other user data for a service like Steam should be a crime, and if it's closely coupled with the forum it's even worse (not that I know if that's the case).
Disclaimer: I don't know any details about this incident more than that Valve seems to be open about it taking place (great!).
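A sketch of the isolated billing interface the post above describes, as an added example (not Valve's or the poster's code): exactly four signed commands, a refund check against the refund period, and an audit record of every accepted or rejected request. The signing key, the 14-day window and the command names are assumptions.

```python
import hmac, hashlib, json
from datetime import date, timedelta

# Constructed demo key: a real system would keep it in an HSM or secrets
# manager, never alongside the front-end database (assumption).
SIGNING_KEY = b"constructed-demo-key"
REFUND_WINDOW = timedelta(days=14)  # assumed refund period


def sign(key, command):
    """Sign the canonical JSON form of a command with HMAC-SHA256."""
    canon = json.dumps(command, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class BillingService:
    """Isolated billing system exposing only four signed commands."""

    def __init__(self, key, today):
        self._key, self._today = key, today
        self._cards = {}      # customer -> card token; never leaves this service
        self._purchases = {}  # purchase id -> (customer, amount, date)
        self.audit = []       # every decision is logged for monitoring

    def handle(self, command, sig):
        op = command.get("op")
        if not hmac.compare_digest(sign(self._key, command), sig):
            self.audit.append(("rejected", op, "bad signature"))
            return False
        if op == "charge":
            if command["customer"] not in self._cards:
                self.audit.append(("rejected", op, "unknown customer"))
                return False
            self._purchases[command["purchase"]] = (
                command["customer"], command["amount"], self._today)
        elif op == "refund":
            rec = self._purchases.get(command["purchase"])
            if rec is None or self._today - rec[2] > REFUND_WINDOW:
                self.audit.append(("rejected", op, "outside refund period"))
                return False
        elif op == "upsert_card":
            self._cards[command["customer"]] = command["card_token"]
        elif op == "delete_customer":
            self._cards.pop(command["customer"], None)
        else:  # anything not in the interface is refused, not guessed at
            self.audit.append(("rejected", op, "unknown operation"))
            return False
        self.audit.append(("accepted", op, ""))
        return True
```

Because the interface is this small, a request with a bad signature or an operation name outside the four (a bulk read of card data, say) never reaches the data and shows up as a rejected entry in the audit log.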
Our architecture has a front-end database and a billing database. The credit card number is stored in the billing database, and the details such as the billing address, expiration, etc are stored in the front-end database, since they need to be readable/updatable by the website. I imagine they're similar.