On 20 Oct 2015 13:26, "Roger Munford" <rogermunford@???>
wrote:
>
> I am bringing an old desktop payment system up to date to work with the
payment providers new system and also provide a wrapper for a website which
transfers the user to their hosted payment page.
>
> The website is built on the traditional LAMP server. However the website
requires a security key which " is secret and must never be revealed to
anyone and you must ensure that the key is protected on your server by
appropriate security measures such as DPAPI"
>
> I was looking for a Linux equivalent but there does not seem to be one,
but I assume there must be a technique employed on Linux service to
accomplish the same thing.
>
> The payment service providers are a windows shop and aren't very helpful.
>
> Can anybody point me in the right direction?
>
If you are having to become PCI DSS compliant, then things become far more
difficult to get right.
It is far more that just protecting encryption keys.
Linux does have an api for storing keys securly in the kernel. Google linux
kernel key management.
In general, PCI DSS looks for separation of data at differing sensitivity
levels. In some cases, dedicated hardware is used to encrypt credit card
numbers.
In other cases, you separate up the data and store it in different places.
Eg. Credit card numbers on one server, and the rest of the data on another,
and then you look to lock down the credit card server to the max and not
run any services on it apart from the credit card access api and no web
browsers.
Kind regards
James
--
Please post to: Hampshire@???
Web Interface:
https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL:
http://www.hantslug.org.uk
--------------------------------------------------------------