On Tue, Nov  6, 2007 at 16:29:46 +0000 (+0000), Alex wrote:
> It all looks pretty standard to me. The only thing you didn't mention is the
> security on the wire between your PHP code and the SOAP server. How secure
> is it? Is the SOAP server on a third party or hosted within the same
> organisation?
Roger did say https to answer the first part.  Just a few more
comments:
a) is the SOAP message (in particular the credit card details) ever
held at all - e.g. "temporarily" until you get a SOAP response?
b) might be worth using one of the credit card number verification
bits before you even make the SOAP call
c) security on the LAMP box:
 - separate box for DB
 - restrictive DB permissions (or even better an API to the DB - i.e.
   no SQL access)
 - HIDS on the box (osiris is very good) to see if it's hacked
 - usual firewall, ssh disabled from insecure IP etc
 - DB details for php outside webapp directory, secured permissions
d) presumably you have "certificate _must_ match" on that https
connection - you don't want to send the details to the wrong 3rd party
Adrian
-- 
Email: adrian@???  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution   -*-  
www.debian.org
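Items a), b) and d) above in PHP, as an added example that is not code from the thread: a Luhn check before the SOAP call, a SoapClient that insists on a valid, name-matching certificate, and a call path that never stores the card number. The WSDL URL, the CA bundle path, the gateway's `charge` operation and its `transactionId` response field are assumptions.

```php
<?php
// Added example, not from the thread. The WSDL, CA bundle path and the
// gateway's "charge" operation / "transactionId" field are hypothetical.

/** Item b): Luhn check, so mistyped PANs are rejected before any SOAP call. */
function luhnValid(string $pan): bool
{
    $digits = preg_replace('/\D/', '', $pan);
    $len = strlen($digits);
    if ($len < 12 || $len > 19) {
        return false;
    }
    $sum = 0;
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $digits[$len - 1 - $i];
        if ($i % 2 === 1) {          // double every second digit from the right
            $d *= 2;
            if ($d > 9) { $d -= 9; }
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

/** Item d): a SoapClient that refuses to talk to anything but the expected host. */
function paymentClient(string $wsdl, string $caBundle): SoapClient
{
    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'      => true,   // chain must validate against $caBundle
            'verify_peer_name' => true,   // certificate must match the host name
            'cafile'           => $caBundle,
        ],
    ]);
    return new SoapClient($wsdl, [
        'stream_context' => $ctx,
        'exceptions'     => true,         // TLS/transport failures throw SoapFault
    ]);
}

/** Item a): the PAN exists only in this scope; nothing is logged or stored. */
function charge(SoapClient $client, string $pan, string $expiry, int $amountPence): string
{
    if (!luhnValid($pan)) {
        throw new InvalidArgumentException('card number fails Luhn check');
    }
    $response = $client->charge(['pan' => $pan, 'expiry' => $expiry, 'amount' => $amountPence]);
    return (string) $response->transactionId;   // keep only the reference, never the PAN
}
```

A SoapFault from the TLS layer (untrusted CA or wrong host name) should be treated as a hard failure, not retried with verification relaxed.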