Should I store credit card information on my e-store ?

Question

Hi,

I will be using online payment soon for e-commerce website. It will a solution called 'mercanet' that is provided by Atos Solutions and used with BNP Paribas bank. It'll use binary file to do the request, and as far as I read the documentation, I just have to provide some information to a file and then get back an array of the result.

I'm wondering if there are any reasons to store credit card informations ? Because if it's not needed in any way, I won't take the risk to store them, even crypted (because if it's not possible to decrypt it is useless, and if we can decrypt, then the reason is obvious).

Thank you

Edit: the compagny is based in France but sells worldwide.

Answer 1

The general rules is: never store credit card information. There is too much liability if something goes wrong, and the amount of steps you are going to have to take will be huge compared to the benefit.

In the U.S. I believe there are legal implications too about it, but I don't know what the are.

Answer 2

Hi,

Storing credit card information poses a huge liability to you personally and / or your company. It's best not to take on this liability unless there is a really good reason or you have the resources to ensure data saftey. Check out the PCI compliance standards for further information. Some states like Minessota have statutes outlining the damages you will be liable for and I am sure the is not the only state that has law on the books like this. Beware!

Enjoy!

Answer 3

It's probably better just asking the user to re-enter information if necessary than trying to keep it secure and make sure you abide by all the laws, there's a too greater risk especially if the details fall into the wrong hands.

Answer 4

I would suggest not storing credit card information. It will require you to comply with PCI standards, which opens you up to audits. Not to mention that if the information ever gets leaked you will likely get sued. Just have the user enter the information each time.

Answer 5

As others have said, it's probably better to avoid to store the credit card information to limit your liability if you can.

Since you're based in France, you should probably follow the CNIL advice (irrespectively of whether your sell locally or worldwide). I think the main requirements are to register with the CNIL and to inform the users you're going to store their details. Here are a couple of links that might be relevant:

• http://www.journaldunet.com/0307/030715cnilcb.shtml
• http://www.cnil.fr/nc/en-savoir-plus/questionsreponses/ (search for "carte bancaire")

Answer 6

We always recommend strongly against storing CC data.

Answer 7

I looked into interfacing with ATOS/BNP Paribas a few years back, and I can tell you right now - it was a nightmare regarding PCI compliance. Thankfully the project got canned well before we started any indepth analysis, but from what I remember it was as you described, passing plain text card numbers via authorization files, which included the CSC code. Nice. I'm pretty sure the return file also contained sensitive information.

I think end of day settlement was similar, plain text card numbers (no token ids), so you would need to store the card numbers at least until settlement.

I'm not sure how far PCI compliance is to becoming mandatory in France, but for us in the UK it was at a point where PCI was just gathering pace, and this project would have been a major headache. Any time card numbers are persisted to disk they have to be encrypted, and its not as simple as using your favourite encryption routine. You need to consider key management, shared key holders, key rotation and so on.

It's possible things have changed since 2007, it's possible Mercanet is entirely different to the system we were interfacing with (I think it was ATOS Blois)

I would definitely get familiar with the PCI requirements. Spend plenty of time on analysis and strongly consider bringing in a QSA (PCI certified security assessor) for advice at the earliest opportunity.

Answer 8

About the only business reason for storing credit card numbers is recurring payments. However, you have several responsibilities if you support recurring payments: You must follow the terms of your merchant agreement. Most merchant agreements require you to have original signed standing authorizations from credit card holders. This bit of signed paper will help you if the customer challenges your charges. It is best practice to encrypt credit card numbers. This as a mandatory requirement in the PCI guidelines Limit the term of the recurring payment to no more than one year, particularly if you have “Card holder not present” (CNP) transactions Expunge the credit card details as soon as the agreement is finished The problem with encryption is that you must be able to decrypt the data later on in the business process. When choosing a method to store cards in an encrypted form, remember there is no reason why the front-end web server needs to be able to decrypt them. Database-layer column or table level encryption is considered best practice.