Ree wrote: Does any of you know a dependable info source with requirements/recommendations for storing credit card info on one's server? I guess it's not enough to only encrypt cc numbers and put them in a mysql db on the same machine the webserver is running on.
Do you simply want to store the CC information or do you want to set up a payment processor such as World Pay?
Ree wrote: I have been doing some debugging of an already existing system (not mine) lately, and to my surprise I found all their users' cc numbers stored unencrypted in their mysql db. Yes, just like that, plain xxxxxxxxxxxxxxxx numbers.
Off the top of my head:
Check the relevant legislation in your country - some do not allow storing certain parts of a credit card online (e.g. the UK, where you cannot store the CV2 number).
Bear in mind that even if you are 100% sure of what you're doing, and more importantly of what you're not doing, you are taking on a great risk.
Look into encryption such as SHA (see Feyd's code snippet) and remember that any solution you arrive at eventually which you believe to be secure is not. You will need to store the private key somewhere, make sure that you're not on a shared host and that they have a redundant network.
In short: be paranoid. If you're not when you're doing this, you probably will be at some point in the future when things go pear-shaped. Worst case scenario: legal claims from credit card companies over thousands or hundreds of thousands of bucks (or pounds).
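As an added example (not code from either poster), here is what the web-tier database could hold instead of the raw card numbers Ree found: a masked PAN and last four digits for display, the expiry, and a keyed HMAC token for lookups, with the CV2/CVV validated and then discarded rather than persisted. The HMAC key is assumed to come from outside the database (an environment variable named CARD_LOOKUP_KEY_HEX here, which is a hypothetical name); a plain unkeyed hash of a PAN is not a safe substitute because the card-number space is small. The test PAN 4111111111111111 is a well-known constructed value.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical key source: injected from outside the database (env var, secrets manager, HSM).
# For this self-contained example a random key is generated when the variable is unset.
LOOKUP_KEY = bytes.fromhex(os.environ.get("CARD_LOOKUP_KEY_HEX", "")) or secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects typos before anything is stored or sent to a processor."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def lookup_token(pan: str, key: bytes) -> str:
    """Keyed hash for "is this card already on file" lookups.

    An unkeyed SHA-256 of a PAN can be reversed by enumerating the small space of
    Luhn-valid numbers behind a known BIN, so the hash is keyed with a secret that
    never lives in the same database as the tokens.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str
    last4: str
    expiry: str
    token: str


def prepare_for_storage(pan: str, expiry: str, cvv: Optional[str],
                        key: bytes = LOOKUP_KEY) -> StoredCard:
    """Return the only fields the web-facing database should keep.

    The CVV is validated so it can be passed to the authorisation call, then dropped:
    it is never part of the returned record.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    if cvv is not None and not (cvv.isdigit() and len(cvv) in (3, 4)):
        raise ValueError("CVV must be 3 or 4 digits")
    return StoredCard(
        masked_pan=mask_pan(pan),
        last4=pan[-4:],
        expiry=expiry,
        token=lookup_token(pan, key),
    )


if __name__ == "__main__":
    # Constructed sample input; 4111111111111111 is a standard test PAN.
    record = prepare_for_storage("4111111111111111", "12/29", "123")
    print(record)
```

The full PAN itself, if it must be retained at all, belongs in a separately keyed store (ideally a payment processor's vault) rather than next to the web server, which is the point of the reply above about where the private key ends up living.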