Nowadays there are a lot of hacked websites with stolen Login information. When it happens, pretty often they state that no credit card data and / or payment information were stolen.

Now I wonder: WHY? What I assume is: that both the database storing the payment data and the one storing user credentials are separated from each other. So far so good. But what I do NOT understand: why shouldn't they be able to find access to the database storing payment information?

IMO the latter is still visible / accessible from the outside; that is because users of the website can also view / add / edit their own payment information, e.g. whether they want to use paypal / credit card / IBAN. So the database is obviously accessible from the "outside world".

A lot of payment providers will exchange payment information for a token that can be used to refer to that information on their systems without actually having it in the clear (and no, you can't go back and exchange the token for the information itself). So the breached systems only hold references to payment data stored on separate systems. – André Borie 58 mins ago
To slightly extend on the above comment, many sites just don't store the card data themselves - it's a lot of hassle in terms of security and regulatory compliance. This leaves a few major providers taking care of that extremely sensitive data, and as we can see by the number of times payment data is exposed compared to the number of breaches, it seems to work quite well. – iain 20 mins ago

In the case of the recently disclosed Yahoo data breach, where information on 1bn user accounts was stolen, it transpired that no credit card information was stolen because it was kept in a separate database in encrypted format.

Most organisations have rigid and robust methods to store credit card information, typically in a separate database and encrypted. This helps organisations to protect highly sensitive data against data breaches.

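The arrangement described in the comments and the answer (card data exchanged for an opaque token and kept encrypted on a separate system, with the public-facing site storing only the token) as an added, simplified example; this is not code from the thread, the class and function names are hypothetical, and the HMAC-based keystream stands in for a real authenticated cipher such as AES-GCM because the standard library has no AES:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-GCM (illustration only): keystream = HMAC(key, nonce||ctr).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class CardVault:
    """Separate, non-public system: the only place the key and card numbers live."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    store: dict = field(default_factory=dict)  # token -> (nonce, ciphertext)

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)  # random; not derived from the PAN
        nonce = secrets.token_bytes(16)
        self.store[token] = (nonce, keystream_xor(self.key, nonce, pan.encode()))
        return token

    def charge(self, token: str, amount_cents: int) -> str:
        nonce, ct = self.store[token]
        pan = keystream_xor(self.key, nonce, ct).decode()  # decrypted only here
        return f"charged {amount_cents} to card ending {pan[-4:]}"


@dataclass
class WebAppDB:
    """The internet-facing site's database: holds the token and last 4 digits, never the PAN."""
    users: dict = field(default_factory=dict)

    def save_payment_method(self, user: str, token: str, last4: str) -> None:
        self.users[user] = {"payment_token": token, "last4": last4}


def demo(pan: str = "4111111111111111"):
    """Constructed walk-through: user adds a card, site stores a token, vault charges it."""
    vault, db = CardVault(), WebAppDB()
    token = vault.tokenize(pan)
    db.save_payment_method("alice", token, pan[-4:])
    # What a dump of the web app DB, or of the vault's stored rows, would reveal:
    app_dump_has_pan = pan in repr(db.users)
    vault_rows_have_pan = any(pan.encode() in ct for _, ct in vault.store.values())
    return token, db.users["alice"], vault.charge(token, 1999), app_dump_has_pan, vault_rows_have_pan
```

Dumping the web app database yields tokens that are useless without the vault, and the vault's own rows are ciphertext without the key; the token can also be revoked without the card number ever changing.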
