Storing CC Info


Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

Does any of you know a dependable info source with requirements/recommendations for storing credit card info on one's server? I guess it's not enough to only encrypt cc numbers and put them in a mysql db on the same machine the webserver is running on.

I have been doing some debugging of an already existing system (not mine) lately, and to my surprise I found all their users' cc numbers stored unencrypted in their mysql db. Yes, just like that, plain xxxxxxxxxxxxxxxx numbers.

So that's how the question came up. :)
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Ree wrote: Does anyone of you know a dependable info source with requirements/recommendations of storing credit card info on one's server? I guess it's not enough to only encrypt cc numbers and put them in a mysql db on the same machine the webserver is running on.
Do you simply want to store the CC information or do you want to set up a payment processor such as World Pay?
Ree wrote: I have been doing some debugging of an already existing system (not mine) lately, and to my surprise I found all their users' cc numbers stored unencrypted in their mysql db. Yes, just like that, plain xxxxxxxxxxxxxxxx numbers.
Off the top of my head:

Check the relevant legislation in your country - some do not allow storing certain parts of a credit card online (e.g. the UK, where you cannot store the CV2 number).

Bear in mind that even if you are 100% sure of what you're doing, and more importantly of what you're not doing, you are taking on a great risk.
Look into encryption such as SHA (see Feyd's code snippet) and remember that any solution you arrive at eventually which you believe to be secure is not. You will need to store the private key somewhere, make sure that you're not on a shared host and that they have a redundant network.

In short: be paranoid. If you're not when you're doing this, you probably will be at some point in the future when things go pear-shaped. Worst case scenario: legal claims from credit card companies over thousands or hundreds of thousands of bucks (or pounds).
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

It has been in my experience to only store the first and last four digits of a credit card. The only reason we ever stored CC numbers was for statements and such. If you wanted your customer to do another purchase or transaction where a credit card was required, ask for it again.

P.S. Don't ever transmit CC numbers without being on a secure connection. Even then, be careful.
patrikG wrote: In short: be paranoid.
*nods*
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

My suggestion: don't store the numbers. That information is too "hot" a commodity. I'd suggest using a third party processor who is certified (or whatever) by the various credit card companies. The more they have (and you REALLY need to do due diligence on them) the better. You'll need to talk to the credit card companies independently to verify they are an approved warehouse. The most I would keep is shipping and billing information, which I would run through a verification with the credit card company 100% of the time. If it doesn't match, deny the purchase.
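Putting John's and patrikG's advice into code, as an added example that is not from any post in this thread: an audit that finds full card numbers sitting in a table like the one Ree describes, and a "storable record" that keeps only the first and last four digits and drops the CV2 entirely. The row layout, the function names, the sample rows (built from the standard published test card numbers) and the Luhn filter are my own assumptions, not anything the posters wrote.

```python
import re

# Constructed sample rows, shaped like the unencrypted table Ree describes.
# The card numbers are the well-known published test numbers, not real cards.
SAMPLE_ROWS = [
    {"user": "alice", "cc_number": "4111 1111 1111 1111", "cv2": "123"},
    {"user": "bob", "cc_number": "5555555555554444", "cv2": "456"},
    {"user": "carol", "cc_number": "4111********1111", "cv2": ""},  # already truncated
]

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised full card numbers found in free text (assumed helper)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def truncate_pan(pan: str) -> str:
    """Keep the first and last four digits only; the middle is not recoverable."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def storable_record(row: dict) -> dict:
    """What may be written to the DB: truncated PAN, and no CV2 field at all."""
    return {"user": row["user"], "cc_masked": truncate_pan(row["cc_number"])}


def audit_rows(rows: list[dict]) -> list[str]:
    """Users whose rows still hold a full PAN, i.e. what Ree found in the wild."""
    return [r["user"] for r in rows if find_pans(r["cc_number"])]
```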