dadamssg87 Posted November 19, 2011 I'm developing an e-commerce website. It's integrated with authorize.net. Once a customer submits their payment information I encrypt (MCRYPT_RIJNDAEL_256) that data (first name, last name, address, city, state, zip code, but NOT the card number or exp date) and store it in a session. My sessions are stored in a database table. I do this so I can repopulate the form if authorize.net encounters an error, and also I keep it just long enough to send a receipt email with the customer information on it. Once the submission is successful and the email gets sent, the data gets wiped. So it all happens pretty much instantly. With an SSL cert I feel like this shouldn't raise any security concerns. Your thoughts?
Adam Posted November 22, 2011 You need to conform to PCI standards if you're going to be processing transactions (even if using a third-party gateway) and storing card information. Just because you're using SSL doesn't mean there aren't vulnerabilities in your system. It doesn't even need to be a vulnerability as such, just leaked private information into the wrong hands (consider an error email with a backtrace exposing the customer's card details). If there are and the bank companies suffer any form of damages, they will prosecute you. In certain places it's as good as a law anyway. Card data, for example, *always* has to be encrypted. Also, you should never send full card information via email, just the last few characters of their card number instead so they can recognise it. By storing the information on your own servers, whether it be temporary or permanent, you open yourself up to a lot more requirements. I imagine you will fall under merchant level 4 (less than 20,000 Visa transactions a year), so you should complete a self-assessment ASAP and start working towards compliance. You've got some reading to do.
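The two practical points in the reply above, keeping card data out of the session store and out of receipt or error emails, as an added PHP example that is not code from either poster. The form field names, the session array and the sample backtrace line are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Assumes the checkout form arrives as a
// plain associative array; the field names below are made up for the demo.

/** Keep only the non-sensitive fields for session re-population and receipts. */
function receipt_safe_fields(array $form): array
{
    $allowed = ['first_name', 'last_name', 'address', 'city', 'state', 'zip'];
    return array_intersect_key($form, array_flip($allowed));
}

/** Mask a card number so that only the last four digits survive. */
function mask_pan(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    return strlen($digits) < 4 ? '****' : str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
}

/** Luhn check, used to tell a card number apart from an order id or phone number. */
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $alt = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($alt) { $d *= 2; if ($d > 9) { $d -= 9; } }
        $sum += $d;
        $alt = !$alt;
    }
    return $sum % 10 === 0;
}

/** Scrub PAN-like runs (13-19 digits, Luhn-valid) from text bound for an error email or log. */
function scrub_pans(string $text): string
{
    return preg_replace_callback('/\b(?:\d[ -]?){12,18}\d\b/', function ($m) {
        $digits = preg_replace('/\D/', '', $m[0]);
        return luhn_valid($digits) ? mask_pan($digits) : $m[0];
    }, $text);
}

// Constructed sample: a form submission and a backtrace line that leaked the card.
$form = ['first_name' => 'Ann', 'last_name' => 'Lee', 'address' => '1 Main St', 'city' => 'Austin',
         'state' => 'TX', 'zip' => '78701', 'card_number' => '4111 1111 1111 1111', 'exp' => '12/14'];
$session = receipt_safe_fields($form);   // card_number and exp never reach the session table
echo mask_pan($form['card_number']), "\n";
echo scrub_pans("Error in charge(): card=4111111111111111 order=20111119123"), "\n";
```

The scrubber is a last line of defence for error reporters and logs; the receipt itself should be built only from the masked value and the allow-listed fields.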
dadamssg87 Posted November 26, 2011 Author Yeah, I think I'm going to change that (storing cardholder data in my db even if it is only for an instance). I think I'll rework it to use POST data in the emails instead of session data. That should be way less risky. Also, LiquidWeb has a PCI compliant hosting solution. It's an extra $50/mo. They take care of scanning and maintaining and updating the server. I'd do it myself, I just don't know anything about running a server.