STORING credit cards

Anon

Hey everyone, I'm curious what everyone thinks of this issue. I'm helping build a site that will store users' credit card data for future usage---right now we encrypt the #'s and e-mail them to an off-site computer that stores them in an Access database. Is it recommended to use this approach, or do people generally think that storing the credit card #'s in a MySQL database (encrypted with GPG) is a strong enough solution? My worry is that any hacker with enough know-how and computer skills can grab the database and spend however long he wants trying to break the encryption. Suggestions?

Thanks,

Mike

[deleted]

More to the point: are you legally allowed to store this data in the first place?

Anon

Assuming we are allowed to store the data, what is the answer to the question?

Anon

Just my personal thoughts, but e-mailing the results to another address (even encrypted) is worse than simply leaving them stored (encrypted) on the host system assuming you are using SSL to get the information.

It is much easier to sniff out e-mails than it is to break into your database (if set-up properly) and get them. Thus, you at least have 1 line of defense prior to the encryption.

The method our firm has used is to use SSL for gathering the credit card information, then sending a simple notification e-mail to the admin letting them know a new "order" was placed and a link to the online system. Again using SSL, the admin logs into a secure site to view the information.

John

nagasea

No ! you're not allowed to store someone creditcard number in your server.
if you want to do that, you should contact verisign before doin that.
this is very important issues

jcornett

Naga,

What if you are not using any online CC processing via VeriSign or AuthorizeNet? I have many clients that have an existing merchant account that do not offer an online solution, so we store the CC information in the database for later retrieval and manual processing.

This is perfectly legal as long as you post information on your site about your privacy policy and such... You are authorized by the fact that the client is inputting the information online, thus it is implied that you keep that information on site as well. (at least that is what our lawyer has stated)

nagasea

I think u can do it.
At least kept the CC number in very secure place.