I need to save the credit card numbers and secret codes of users in the database in plain text ( consensus behind obviously ) for automatic operation made from the server.
Is there some problems ?
What do I need to be aware of?
+9
A:
Most credit card processing agreements that I have seen do not allow you to store the code from the back of the card.
There are other security implications of storing plain text credit card numbers, but storing the code is usually specifically disallowed by your agreement. You will need to read yours to make sure you can do that.
As for storing the credit card number, that is also usually a very bad idea. If your database is compromised, you will be held liable and it could cost you a lot of money.
Unless you have a very good reason to store the credit card number and have a very good team working on security, I would not recommend storing any credit card data.
Alan Geleynse
2010-10-15 17:54:40
+7
A:
Short answer, no, bad idea. You'd have to have SO many considerations that it's just not a good idea. Never mind that most agreements wouldn't allow you to anyway.
Authorize.net (just one example) will store credit card information so you can do rebills. It's a simple system that works very well and absolves you of any storage-related concerns.
bpeterson76
2010-10-15 17:57:20
+1. Terrible, terrible idea to store credit card information TJX had to pay out $10M because their database was hacked.
Adam Crossland
2010-10-15 18:07:49
+3
A:
The CVV code is used to verify that the card holder had the card at the time of the original transaction. Once you've verified that, you don't need it again, so don't store it.
All merchant account agreements that I know of specifically state that you must NOT store the CVV. This is for security reasons.
Using the CVV code on every automated transaction would be like saying that your automated system has the card in its possession at the time of the transaction, which I'm guessing is not the case.
You don't need it once you've verified it the first time. Definitely do not store it.
You are not allowed to store the credit card numbers in plain text.
Marcus Adams
2010-10-15 17:58:28
+1
A:
To @Jeff you should listen. If you are going to process credit cards, you should (I think must, but IANAL) comply with the Payment Card Industry Data Security Standard.
Randolpho
2010-10-15 17:58:46
+10
A:
PCI-DSS (Payment Card Industry Data Security Standard) absolutely prohibits card details to be persisted to disk in plain text. Further, the 3 digit Card Security Code (4 digits on Amex) cannot be stored post-authorization, and ideally you should only keep it in memory until authorization is complete.
PCI states you can store at most the first six and last four digits in plain text. The requirements for printed receipts are different, there you can only print the last four digits at most.
PCI doesn't get much easier if you want to try and encrypt the details before persisting them. You need to consider key management, key rotation, split keys. Further you would need to undergo yearly onsite audits over your internal network security, and quarterly audits of your public network. Net cost will easily run into $thousands.
In summary. Don't even think about it!
PaulG
2010-10-15 18:30:46