views:

266

answers:

4

I want to allow my customer users to enter their credit card information so that I can charge them every month.

I wonder how one should save this information?

Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?

I have no experience of this and would be glad if someone could advice me how to accomplish this.

Thanks.

A: 

I would suggest that where you store it isn't the issue, the key is to encrypt the ever loving heck out of it.

You did not specify why you need their CC information (which should always be an option presented to the user).

So:

  1. You said customer 'enters' CC so I assume it is transported over the net. It better be a secure (SSL, SSH) path.
  2. It should not be stored in memory in clear form, it should be encrypted
  3. It should not be persisted in clear form, it should be encrypted

If I were a user and you told me "Hey, it's safe... I store it in a database", I'd promptly demand that you remove ever aspect of my data from your system.

Frank C.
eg. how do Spotify and Basecamp store it? in the database encrypted? with ssl and ssh u mean https? that is the same thing?
never_had_a_name
*"I would suggest that where you store it isn't the issue, the key is to encrypt the ever loving heck out of it."* -- well, in a certain way it is..Store it far, far away from the key :-)
Luther Blissett
If you are using HTTP protocol, yes... go with HTTPS but this encrypts in transit.. you still need to be concerned at the appside. As far as Spotify or Basecamp... read their documentation but I would personally encrypt it in memory before persisting.
Frank C.
@Luther - I would not store unencrypted CC data on Mars if I had the option. You know those Martians are big thieves!
Frank C.
-1 - no matter how much encryption you perform, it's still illegal if not compliment with PCI
gnome
+10  A: 

The safest way is to NOT store the credit card information on your system, but let a 3rd party payment provider do it for you.

ZippyV
how? which ones? could u give me some more information
never_had_a_name
Paypal is a good example.
ZippyV
That way all the legal issues will be with the 3rd party.
Gert G
+1 - unless your client is PCI Compliant, www.pcicomplianceguide.org/pcifaqs.php, then don't do it. You could be getting you and your client into a world of hurt. Use a payment processor like PayPal (but their fees are outrageous), GoogleCart, Authorize.net
gnome
@ZippyV: how will it work then paypal store the CC information? if i have a user with username "[email protected]". how could i retrieve the CC information stored in Paypal for using it with other payment services? i dont get the coupling. could u please explain?
never_had_a_name
Paypal doesn't give you access to his CC information because you don't need it. When 'peter' says on your website that he wants to subscribe to service A you redirect him to the Paypal website and submit other information like his username, the name of the service and the price he must pay. The only information you get (and need) from Paypal is if the transaction succeeded or not.
ZippyV
@ZippyV: But then the problem is that he has to retype the information everytime he is buying something from me? Or does he need to have a Paypal account then? Cause i know Spotify doesnt have it like this. I wonder how they do.
never_had_a_name
You said in your question that you want to bill every month. I assume that's a subscription and Paypal supports recurring fees.Having a Paypal account makes it easier but it's not necessary for the customer.
ZippyV
@ZippyV. if the customer doesnt have a Paypal account, then he has to enter the CC information each time for one-time-buys?
never_had_a_name
Yes, he will have to enter his cc information each time.
ZippyV
+5  A: 

It's not required that you use a 3rd party payment provider like PayPal, etc. - but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.

My current employer is going through PCI compliance - it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws - Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.

OMG Ponies
+2  A: 

As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.

Having said that here are three things to consider:

1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.

2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).

3) States laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.

As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).

John Conde