Reputation: 716
I have a client who is wanting to store uploaded images of customers' credit cards on the server.
Is there a best practices guide for preventing outside access to the images or protecting from an attack?
Currently using a few .htaccess rules to prevent users from accessing the folder, but it doesn't feel very secure.
Upvotes: 1
Views: 591
Reputation: 180
These are just minimum guidelines, not hard and fast rules that you can take into court.
At minimum, the raw data would have to be encrypted. You're better off creating a database and having the data transcribed or OCR'd into normal fields.
I am sure the PCI-DSS has guidance for what level and type of encryption is needed to protect the database.
A database is better because the actual data lives outside the reach of the web server. Then the PHP would have to give a secure username and password to access the data, because it has to authenticate against the database.
The username and password would have to be manually entered by the end user or site administrator to access the data.
There is a lot of hardening you're going to have to do to make it acceptable.
Here is a starting point. https://security.stackexchange.com/questions/59520/how-to-store-credit-card-information-for-repeated-transactions-and-still-be-pci
Ask more questions in the security community at Stack Exchange.
Upvotes: 3
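As an added example (not code from the question or the answer), this is the "encrypt the raw data before it reaches the database" step the answer describes, using PHP's bundled libsodium extension (PHP 7.2+). The key file path, the table columns and the test card number are assumptions constructed for the demo.

```php
<?php
// Added example, not from the original post: seal card data with an
// authenticated cipher before it is stored, so the database row (and any
// dump of it) is useless without the key held on the PHP host.

// Production: the key lives outside the web root and is readable only by the
// PHP worker user, e.g. /etc/myapp/card.key (hypothetical path). The DB row
// holds only nonce + ciphertext + a masked copy, never the plaintext PAN.
function loadKey(string $path): string {
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('card encryption key missing or wrong size');
    }
    return $key;
}

// Returns the columns to store: authenticated ciphertext, its nonce, and a
// masked PAN that is safe to show in the admin UI (never the full number).
function sealCard(string $pan, string $key): array {
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // unique per record
    $ct     = sodium_crypto_secretbox($pan, $nonce, $key);      // XSalsa20-Poly1305
    $masked = str_repeat('*', max(0, strlen($pan) - 4)) . substr($pan, -4);
    sodium_memzero($pan);                                       // drop the local copy
    return ['nonce' => $nonce, 'ciphertext' => $ct, 'masked' => $masked];
}

// Decryption is the only place the key is needed; call it from the admin
// code path after the user has authenticated, never from the upload handler.
function openCard(string $nonce, string $ciphertext, string $key): string {
    $pan = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($pan === false) {
        throw new RuntimeException('ciphertext tampered with or wrong key');
    }
    return $pan;
}

// Demo with a constructed test number and an in-memory key (production
// would call loadKey() instead of generating one here).
$key = sodium_crypto_secretbox_keygen();
$row = sealCard('4111111111111111', $key);
// The INSERT the answer describes, with bound parameters (hypothetical table):
//   INSERT INTO cards (customer_id, pan_nonce, pan_ciphertext, pan_masked)
//   VALUES (:cid, :nonce, :ct, :masked)
echo $row['masked'], PHP_EOL;
echo openCard($row['nonce'], $row['ciphertext'], $key), PHP_EOL;
```

Storing the full PAN at all still falls under PCI-DSS scope; tokenizing through the payment processor, as the linked security.stackexchange question discusses, avoids holding it in the first place.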