Best practices to store CreditCard information into DataBase

views:

342

answers:

+3 Q:

Best practices to store CreditCard information into DataBase

In my country the online payments are not an old thing, the first time i saw a web application taking payments directly to a local bank account was last year.

So, Im a newbie coding web payment system.

My question is, what are the best practices to store creditcard information into the database...

I have many ideas: encrypting the creditcard, database security restriction, etc.

What have you done?

+1 A:

Encrypt encrypt encrypt. Don't decrypt if you don't absolutely have to - don't decrypt to show the last 4 digits. Don't decrypt to tell the user what their card was.

In fact, if you can, don't even keep the encrypted card numbers in the same physical server as the rest of the user information.

dplass 2010-06-08 23:54:24

Thanks, im also thinking to ask for the CVV2 (back three digits code) every time the logged user is going to pay for any product...

Garis Suero 2010-06-08 23:57:56

@Garis another benefit of using the code is that some payment gateways will reduce the transaction few is you use it. At least the bank that we used had lower transaction costs when we switched to asking for the security code.

Waleed Al-Balooshi 2010-06-09 00:00:13

@Garis Suero The CVV2 codes are not allowed to be stored. When you get the CVV2 (and zipcode and other information) your rates will be lower. Often times there are several different rates you might be charged depending on whether it's a rewards card or not, etc.

Cade Roux 2010-06-09 00:25:47

I see, Im definitely not storing the cvv2 code, i will ask for it every time the user is asked to pay for some product...In other hands, i don't think my country have that kind of laws yet, i will investigate further and will let you know in few weeks...

Garis Suero 2010-06-09 03:44:52

+6 A:

At miniumum follow the PA DSS (Payment Appliction Data Security Standard). More info can be found here:

https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Also it would be wise to look at PCI DSS, which could be found here:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Waleed Al-Balooshi 2010-06-08 23:57:58

*facepalm*, I'm so dumb for not immediately thinking of this.You should definitely look at the PA DSS and PCI standards.

dplass 2010-06-08 23:59:55

Thats very informative... Thanks

Garis Suero 2010-06-09 00:00:08

+8 A:

DON'T DO IT

There is simply far too much risk involved, and you will typically need to be externally audited to ensure that you're complying with all the relevant local laws and security practises.

There are many third-party companies that do it for you that have already gone through all trouble of making sure their system is secure, that they comply with local laws and so on. An example in the US that I have used in the past is authorize.net. Some banks also have systems that you can hook into to store credit card data and process payments.

I realise the country you're in may not have as strict laws as the U.S., but in my opinion that's no excuse for rolling your own. When you're dealing with other people's money, the risk is just too much to warrant.

Dean Harding 2010-06-08 23:59:10

Tthat's an even better answer than mine.

dplass 2010-06-09 00:17:42

I even thought saving creditcard numbers was illegal (Netherlands). So we obfuscated the numbers with ************ in the xml-transaction-logs.

Bob Fanger 2010-06-09 00:25:17

The problem with this approach is that many of that sites have restricted my country as the credit card's country... im going deep with this situation and i will let you know if i can do it with your suggestion...

Garis Suero 2010-06-09 03:48:03

@Garis: Yes, I understand it can be hard depending on your country. I would try asking around with some of the bigger banks, since some of them also provide an API for this kind of thing.

Dean Harding 2010-06-09 04:35:13

Why do we need to store the credit card number?

Raju 2010-06-09 08:15:45

@Raju: the original number typically has to be retained to do subsequent voids, cancellations, refunds. eventually the allowed period for that would expire, and deletion would then be a good idea.

joe snyder 2010-06-09 20:11:21

+1 A:

For this, I recommend a comprehensive, layered approach.

First, storing credit card info should be an option.

Secondly, the data should be stored securely, using a strong form of encryption. I recommend AES with 256bit key size. Make sure when choosing your key, you use the entire keyspace (it's a rookie mistake to just use a randomly generated alphanumericsymbol string as a key).

Third, the AES key needs to be properly secured. Do not embed the value inside your code. If you are using windows, consider using DPAPI.

Fourth, you will want to setup database permissions so that applications and computers will have access on a need to know basis.

Fifth, secure the connection string to your database.

Sixth, ensure that any application that will have access to the credit card data, will properly secure it.

Alan 2010-06-09 00:00:32

AES doesnt have a 512 bit key size. (Rijndael maybe, but not the AES implementation).

PaulG 2010-06-09 06:45:08

You're right. the standard only specifies key sizes up to 256. However there is no practical limit to key sizes.

Alan 2010-06-09 08:22:27

You should avoid storing any credit card information due to the risks to you and to customers of doing so.

Dan from FastSpring E-Commerce

Dan from FastSpring E-Commerce 2010-06-09 20:02:24

ansaurus

tags:

views:

answers:

Best practices to store CreditCard information into DataBase

related questions