Possible Duplicate:
Storing credit card details

There are many sites that store credit card information. I too, in one of my applications, need to store credit card information in a database. But I don't have any idea how to store it. I found somewhere that we can split the credit card numbers into parts and then encrypt them before storing them in the database. Although it seems like a good idea, I am curious how renowned sites like PayPal and amazon.com are doing it. Does anyone know how they are storing the credit card information?

+5  A: 

If you have to ask this kind of question, you almost certainly shouldn't be storing credit card information. It's tricky to get right, and if you make even one small mistake you could cause a lot of problems for a lot of people.

I'd suggest outsourcing it to one of the larger payment processors, so that you don't have to deal with it.

If you want to start learning about the challenges you face, take a look at the Data Security Standards from the payment card industry.

Steven Schlansker
+1 for the DSS link :)
elo80ka
Thanks for the link. But I have already gone through it. And I have the absolute concrete requirement that the credit card information should be stored in our system. Otherwise I wouldn't have asked this question :) I have already created a model to store it with encryption by a key, with the key being rotated for every credit card number. But still I want to have an idea how these sites are storing the information.
SP249
A: 

There are many things that need to be done to ensure the card data is secure. What the companies you mentioned (PayPal, Amazon and other payment gateways) have gone through is expensive and time consuming. They have to go through annual audits based upon Payment Card Industry (PCI) standards. If you choose to go this route, keep in mind that it is expensive to get compliant and expensive to stay compliant.

Another option would be to outsource the storage of the credit card data to a company that is in compliance with the card storage rules. There are companies out there that store the data and provide you back a token you can use to reference the payment data when you need to update it or charge it.

One that I prefer is: www.paymentsgateway.com

PaymentGuy
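The tokenised flow described in the answer above, as an added example that is not part of the original post and is not code from paymentsgateway.com or any real provider: the `SimulatedVault` class is an invented stand-in for the PCI-compliant storage company, and its `tokenize`/`charge` methods are assumptions made for illustration. The point it shows is the merchant-side data model: the full PAN crosses into the vault once, the merchant database keeps only an opaque random token plus display data (last four digits, expiry), the CVV is never persisted, and later charges are made by token.

```python
"""Added example (not from the original Q&A): the merchant side of a
tokenised card-storage flow. SimulatedVault is a stand-in for a
PCI-compliant provider; its API is invented for illustration."""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Reject malformed numbers before they ever leave the merchant."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class SimulatedVault:
    """Stand-in for the provider. Only this object ever holds a full PAN."""

    def __init__(self):
        self._pans = {}  # token -> PAN; lives only inside the provider

    def tokenize(self, pan: str) -> str:
        # The token is random, not a hash or encryption of the PAN: card
        # numbers have little entropy, so anything derived from the PAN
        # could be brute-forced back. A random identifier cannot be.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pans[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pans.get(token)
        if pan is None:
            return {"ok": False, "reason": "unknown token"}
        # The provider resolves the token to the PAN internally; the
        # merchant only ever sees the outcome and display data.
        return {"ok": True, "last4": pan[-4:], "amount_cents": amount_cents}


@dataclass(frozen=True)
class StoredCard:
    """What the merchant database is allowed to keep: no PAN, no CVV."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


def save_card(vault: SimulatedVault, pan: str, exp_month: int, exp_year: int) -> StoredCard:
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    token = vault.tokenize(pan)
    # CVV is deliberately not a parameter here: it is used once for the
    # authorisation request and never written anywhere, tokenised or not.
    return StoredCard(token=token, last4=pan[-4:],
                      exp_month=exp_month, exp_year=exp_year)


def token_leaks_pan(token: str, pan: str) -> bool:
    """Sanity check for the merchant: no 6-digit run of the PAN in the token."""
    return any(pan[i:i + 6] in token for i in range(len(pan) - 5))


def demo():
    vault = SimulatedVault()
    pan = "4111111111111111"  # constructed test number; passes Luhn
    card = save_card(vault, pan, 12, 2030)
    receipt = vault.charge(card.token, 1999)
    return card, receipt


if __name__ == "__main__":
    stored, result = demo()
    print("merchant row:", stored)
    print("charge result:", result)
```

Run stand-alone, the script prints the merchant row (token, last four, expiry) and the charge result; the PAN never appears in anything the merchant persists. The Luhn check is there so that garbage is rejected locally rather than shipped to the provider, not as a security control.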