Let's see: based on the information in your comments, we have no log, no access to the server and no access to your code, so we can only assume where the problem is happening.
- They use SSL.
If all communications use SSL, the problem ends here... When I say all communications, I mean that your website should do all communication between the browser (client) and your server via https:. Another point is whether your ajax sends the data to the .asp using SSL communication. If the answer is yes, it would be very difficult for someone to intercept the communication between the browser (client) and the server (nginx, Apache, IIS, etc.); it would also be very difficult to forge the SSL to try to get the data in the clear...
If the sending of data between your ajax and the .asp is not encrypted, any sniffer or ARP spoof running on the network where your server is can read this information. The same happens on the network that is receiving the data, in your case the network where the .asp is. In both cases you are a hostage with no control over either network: sit and cry, or make sure everything is encrypted.
- They do not save anything related to the card in the database.
If you make sure nothing is saved anywhere, forget database intrusion issues and SQL injections.
- The server said it has no virus.
This is very vague. The problem may be occurring here: it may be the server or a vulnerability in your code. There's no point in everything being encrypted via SSL if your server is compromised: some open FTP port, something that can be exploited by exploits and allow full access to the server. This would let the attacker change code in a hidden way and send the forms to his own server / PC / database... The same can happen with your PHP / ASP: if you have any holes in them, the attacker can insert hidden code on your server without you having any knowledge.
Imagine that a hacker finds a way to access your server; he can accomplish this by exploiting http / ssh / ftp / exploits / loopholes in code (PHP, ASP), etc. Imagine that I'm on the form and typing my credit card number. OK, the data is encrypted via SSL, so when I press submit no one in theory could read the transaction, but the form data on the server side is not encrypted; someone could insert, somewhere in the code, something that stores or sends this data...
- What actions can I take to try to resolve this? Speaking in terms of programming
Without knowing for sure where the problem is, there is no way to guess :-(