Storing CC Info
Posted: Mon Feb 13, 2006 8:09 am
by Ree
Do any of you know a dependable info source with requirements/recommendations for storing credit card info on one's server? I guess it's not enough to only encrypt CC numbers and put them in a MySQL DB on the same machine the web server is running on.
I have been doing some debugging of an already existing system (not mine) lately, and to my surprise I found all their users' CC numbers stored unencrypted in their MySQL DB. Yes, just like that, plain xxxxxxxxxxxxxxxx numbers.
So that's how the question came up.

Posted: Mon Feb 13, 2006 9:36 am
by patrikG
Ree wrote: Do any of you know a dependable info source with requirements/recommendations for storing credit card info on one's server? I guess it's not enough to only encrypt CC numbers and put them in a MySQL DB on the same machine the web server is running on.
Do you simply want to store the CC information or do you want to set up a payment processor such as World Pay?
Ree wrote: I have been doing some debugging of an already existing system (not mine) lately, and to my surprise I found all their users' CC numbers stored unencrypted in their MySQL DB. Yes, just like that, plain xxxxxxxxxxxxxxxx numbers.
Off the top of my head:
Check the relevant legislation in your country - some do not allow you to store certain parts of a credit card online (e.g. the UK, where you cannot store the CV2 number).
Bear in mind that even if you are 100% sure of what you're doing, and more importantly of what you're not doing, you are taking on a great risk.
Look into encryption such as SHA (see Feyd's code snippet) and remember that any solution you arrive at eventually which you believe to be secure is not. You will need to store the private key somewhere, make sure that you're not on a shared host and that they have a redundant network.
In short: be paranoid. If you're not when you're doing this, you probably will be at some point in the future when things go pear-shaped. Worst case scenario: legal claims from credit card companies over thousands or hundreds of thousands of bucks (or pounds).
Posted: Mon Feb 13, 2006 9:51 am
by John Cartwright
It has been my experience to only store the first and last four digits of a credit card. The only reason we ever stored CC numbers was for statements and such. If you wanted your customer to do another purchase or transaction where a credit card was required, ask for it again.
P.S. Don't ever transmit CC numbers without being on a secure connection. Even then, be careful.
patrikG wrote: In short: be paranoid.
*nods*
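The "keep only the first and last four digits" rule above, as an added example that is not part of this thread: a small Python helper that produces the storable masked form of a card number and redacts any full card numbers that have leaked into free text such as a debug log or a DB dump. The Luhn check is an assumption added here to cut false positives on other long digit runs (timestamps, order IDs); the 13-19 digit length range and the 'x' mask character are assumptions too.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the only form worth storing: first four and last four digits,
    everything in between replaced with 'x'. Raises on implausible input."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:4] + "x" * (len(digits) - 8) + digits[-4:]


def _is_pan(match: "re.Match[str]") -> bool:
    return luhn_ok(re.sub(r"[ -]", "", match.group(0)))


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form,
    leaving other digit runs (timestamps, IDs) untouched."""
    return _PAN_RE.sub(lambda m: mask_pan(m.group(0)) if _is_pan(m) else m.group(0), text)


def contains_unmasked_pan(text: str) -> bool:
    """True if a full, Luhn-valid card number is still present in the text."""
    return any(_is_pan(m) for m in _PAN_RE.finditer(text))


if __name__ == "__main__":
    # Constructed sample: the 4111... value is the well-known Visa test number.
    sample = "user=42 card=4111 1111 1111 1111 ts=20060213080900"
    print(redact_pans(sample))   # user=42 card=4111xxxxxxxx1111 ts=20060213080900
```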
Posted: Mon Feb 13, 2006 10:27 am
by feyd
My suggestion: don't store the numbers. That information is too "hot" a commodity. I'd suggest using a third party processor who is certified (or whatever) by the various credit card companies. The more they have (and you REALLY need to do due diligence on them) the better. You'll need to talk to the credit card companies independently to verify they are an approved warehouse. The most I would keep is shipping and billing information, which I would run through a verification with the credit card company 100% of the time. If it doesn't match, deny the purchase.