mds1256 Posted August 31, 2010

Not sure if this is in the right forum (if not, can a mod move it please)... I'm creating a site that is based on a subscription basis. Therefore I need to allow the user to input their card details for me to store, to allow payments every month (and also for them to update when needed). How do you recommend storing card details in the database? I'm guessing it's not secure just to store them as plain text. Opinions needed.
jayarsee Posted August 31, 2010

As it turns out, the credit card industry is very concerned about the answer to the question you're asking, and has accordingly set out the answer in a series of guidelines known as the "Payment Card Industry Data Security Standard". You can read more about that here: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Whether you choose to adopt some or all of the PCI DSS, your instinct not to store this information in plain text is absolutely correct. All that stuff you hear about credit card and identity theft on the news? That comes largely from hackers figuring out a way to get the plaintext customer and payment information out of your database and sharing it with their criminal comrades on IRC.

As a minimal precaution, encrypt the numbers and expiration dates with sha1() or stronger, and know that you're not supposed to ever store CVV2 codes (the numbers on the back of the card), as the whole purpose of this number is to confirm ownership of the physical card in transactions.
mds1256 Posted August 31, 2010 (Author)

Thanks for the info. But... when using sha1(), how do I then decrypt them to use the details? Otherwise it may be useless to hold those details, as I cannot then decrypt them.
jayarsee Posted August 31, 2010

Come to think of it, I may have rattled off my response to the encryption method issue too quickly; I wasn't paying close enough attention to the original circumstances you described (involving subscriptions). The ideal implementation of two-way encryption/decryption is fraught with options of debatable merit:

http://en.wikipedia.org/wiki/Public-key_cryptography
http://en.wikipedia.org/wiki/Symmetric_key_algorithm

And I feel advising you on that would be beyond the scope of my (PHP-focused) expertise. I can, however, point you to the PCI DSS standard, which beyond storage in general has useful recommendations for the network infrastructure surrounding the storage of this information: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
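Added worked example (editor's code, not posted by anyone in this thread): the two routes the replies above touch on, side by side. sha1() is a one-way digest, which is why the author could not get the card number back for the monthly charge; the symmetric-key route from the last reply is shown as AES-256-GCM with the key held outside the database. The row layout follows the PCI DSS point made earlier: the last four digits are kept in the clear for display, the full PAN and expiry are stored only as ciphertext, and there is no CVV2 column at all. Assumptions, all hypothetical: a 32-byte key that in practice would come from an HSM, KMS or a file the database account cannot read (here generated inline), a constructed customer ID, and the well-known Visa test number 4111111111111111 as sample input. Only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the shape of one row in a cards table. There is deliberately
// no CVV2 field: PCI DSS does not allow storing it after authorisation.
type StoredCard struct {
	CustomerID string
	Last4      string // safe to show back to the user
	Nonce      []byte // 12-byte GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM over "PAN|MM/YY", auth tag appended
}

// sha1Hex is what "encrypting with sha1()" actually gives you: a one-way digest.
// Nothing can turn this back into a PAN for a recurring charge, and because a
// card number is only 13-19 digits the digest is also cheap to brute-force.
func sha1Hex(pan string) string {
	sum := sha1.Sum([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// EncryptCard seals PAN and expiry under a 32-byte key that must live outside
// the database. The customer ID is bound in as GCM additional data, so a
// ciphertext copied into another customer's row will not decrypt.
func EncryptCard(key []byte, customerID, pan, expiry string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	block, err := aes.NewCipher(key) // errors unless key is 16, 24 or 32 bytes
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(customerID))
	return StoredCard{
		CustomerID: customerID,
		Last4:      pan[len(pan)-4:],
		Nonce:      nonce,
		Ciphertext: ct,
	}, nil
}

// DecryptCard recovers PAN and expiry for the billing job. Any change to the
// ciphertext, nonce or customer ID makes the GCM tag check fail.
func DecryptCard(key []byte, c StoredCard) (string, string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.CustomerID))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed card record")
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed sample: random 32-byte key (stand-in for a KMS/HSM key) and a Visa test PAN.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	card, err := EncryptCard(key, "cust-42", "4111111111111111", "12/27")
	if err != nil {
		panic(err)
	}
	fmt.Printf("row: customer=%s last4=%s ct=%x\n", card.CustomerID, card.Last4, card.Ciphertext)
	pan, exp, err := DecryptCard(key, card)
	fmt.Println("billing job sees:", pan, exp, err)
	fmt.Println("sha1() of the same PAN, not recoverable:", sha1Hex("4111111111111111"))
	card.CustomerID = "cust-99" // move the ciphertext to another customer's row
	_, _, err = DecryptCard(key, card)
	fmt.Println("after row swap:", err)
}
```

Editor's note on scope: this is only the storage piece. PCI DSS also covers key management, network segmentation and access logging around that table, and many subscription sites avoid holding PANs altogether by keeping a recurring-billing token from their payment processor instead; the example does not cover either of those.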
mds1256 Posted September 12, 2010 (Author)

Thanks for the replies.