[SOLVED] Storing Credit Card Information [YES] or [NO]

[ndjustin20]

Hey Guys,

 

Have a question that has been plagueing me as of late.  Do I store credit card info or not?  If the answer is yes then what is the best and most secure way to store credit card information.  I have a secure server and a secure database so I was wondering what other precautions I should take specifically designed to keep people's credit card information secure.

 

Thank you for all replies and advice.

 

Justin ???

[revraz]

I would say a big NO unless you want to face a serious lawsuit if your DB ever gets hacked.

[The Little Guy]

If you want to store them, then you will more than likely want to make your OWN encode/decode scripts, so if it does get hacked the hacker will need to figure out your patterns for encoding/decoding.

 

Next You will want to encode your source code that contains the information on how you encode/decode credit card info.

 

You will want to store that encoder/decoder outside of the root folder, so it is not accessible via browser.

[ndjustin20]

You know that is funny     A lot of people have said that same thing....lets say I have a company that manages my server and physically views the logs keeping a tight eye on security.  Would your position still be don't do it?  I only ask as there are so many companies that do store this information and seemingly don't have problems.  I am torn between security and customer convenience.  Also, as most every single person on this site or in this forum are in some way, shape, or form an online customer.....what do you think about entering in your credit card information each purchase from a site or having the site keep the data stored for you???

[ndjustin20]

Thank you "The Little Guy",

 

I have been searching with google and this site and pretty much just going through any information I come across in regard to php or mysql encryption.  Are there any functions that anyone has used in the past that have worked really well for encrypting the credit card number.

[The Little Guy]

I think those sites store your credit card info in a cookie, that way it is on your computer.  But I am not sure.

[revraz]

I would prefer to enter it each time.

 

And from a Company standpoint, now you also have to manage when they expire, and if you don't and try to run it, you get rejections and if I recall correctly, you still get charged a transaction fee for running it even if it is expired.

 

Are you providing reoccuring services (monthly etc) or some type of store front?

[The Little Guy]

Thank you "The Little Guy",

 

I have been searching with google and this site and pretty much just going through any information I come across in regard to php or mysql encryption.  Are there any functions that anyone has used in the past that have worked really well for encrypting the credit card number.

 

Don't use PHP's built in encryption, use your own.

[revraz]

Hope you won't have to face something like this

 

http://www.bestsecuritytips.com/news+article.storyid+146.htm

[ndjustin20]

I am providing a storefront so that is why I was thinking inside their customer account I could store credit cards but have heard not to do this as it's a huge hassle and not worth the security risk.  I personally don't mind entering in my credit card information each time I purchase though I wasn't sure about other people so I figured I would ask.

[ndjustin20]

Hey revraz,

 

Yeah I remember that happening too.  I actually shopped there that christmas and had to cancel my accounts...so yep I am well versed in that particular incident      So the best idea is to not store the information it sounds like?

[The Little Guy]

yeah, not the best idea, have some other company do that, then you aren't responsible.