angelcool Posted December 19, 2008 Share Posted December 19, 2008 Hello community, Should I store CC numbers on my database? I am about 80% done developing a shopping cart, as of right know I am in the process to integrate the payment gateway, but I am not sure if to store CC numbers in the database. I lack experience, This is my first time integrating a payment gateway. I will appreciate a piece of advise from experience people in the field. Thank You Angel Cool PS: The link for my cart is as follows: http://gift-a-cup.10-network.net/shopping_cart/index.php Please note it is still under development. Quote Link to comment Share on other sites More sharing options...
zero118 Posted December 19, 2008 Share Posted December 19, 2008 Personally, I wouldn't store them at all. But if you decide that you need to, at the very least you should md5 hash them. Quote Link to comment Share on other sites More sharing options...
akitchin Posted December 19, 2008 Share Posted December 19, 2008 never. EVER. Quote Link to comment Share on other sites More sharing options...
ldrown Posted December 20, 2008 Share Posted December 20, 2008 Never store cc numbers on your server. What good does it do to hash a cc, you cannot retrieve them. Look at paypal. They can handle all the security issues and you have a lot less risk. Quote Link to comment Share on other sites More sharing options...
corbin Posted December 20, 2008 Share Posted December 20, 2008 I've heard there are legal implications with storing credit card numbers, although I don't remember exactly what the laws are. (It would vary from country to country of course.) I think here in the US, one must store CC numbers with a certain strength of two way encryption or something. I just remember there's some rule. Quote Link to comment Share on other sites More sharing options...
Eric_Ryk Posted December 20, 2008 Share Posted December 20, 2008 No, just use something like paypal or authorize.net Quote Link to comment Share on other sites More sharing options...
448191 Posted December 24, 2008 Share Posted December 24, 2008 Always. And setup external root access to your database server and post the password here as well. But seriously, I would just let the client enter the number and control everytime they want to pay something (that's provided you use CC gateway and not PayPal). That safeguards you from any potential session hijacking and fixation issues as well. Well not completely, but you make it a lot less interesting for I-slime to try it. Quote Link to comment Share on other sites More sharing options...
angelcool Posted February 14, 2009 Author Share Posted February 14, 2009 Let me drop the bomb! Guys, check this out: http://www.linuxquestions.org/questions/general-10/should-i-store-cc-numbers-in-my-database-691583/ Quote Link to comment Share on other sites More sharing options...
JohnnyMedic Posted February 15, 2009 Share Posted February 15, 2009 As stated above that is very unsafe. If you are going to be dealing with cc's; I would simply store the last 4 digits for customer verification. Furthermore, if you feel that you must store the cc's(which is a very unsecure idea); use encryption, such as the blowfish php class or some other scheme and store that info rather than the actual card #. If you are going to do this, make sure to keep that key off of your server on non .php files, etc. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.