CC Storage

slevytam

Hello,

I was wondering if someone could educate me on the best way to store credit card numbers with mysql. Basically, for a person to sell on my site they need to have a cc registered with us.

First question. Does the number need to be encrypted in anyway? Or can it just be stored as a text or numeric field.

Second. Is it poor structure to store the cc number in the user table. Should I have a second table for this? 1 to 1 relationship?

Thanks,

--SL

superwormy

It doesn't NEED to be encrypted in teh database, but it would be nice if the CC# WAS, just in case someone else ever gains access to your database.

Lots of times people will give you more than one CC#, you'll have a CC# from them on their first order, then when they come back a year later they might not have that card anymore, or htey might just want to use a different one. So it might be a good idea to store CC# in a seperate table.

superwormy

Oh, and you coudl use either PHPs encryption functions ( www.php.net ) or MySQL has some built in ones as well.

slevytam

Sounds good. I'll look into those encrycption functions.

Thanks...

slevytam

Also, sortof related. Can you tell me whether session variables are considered secure? Could I store a cc number in a session variable to pass it to another page?

--SL

slevytam

And yet again on the first issue...

This is what my isp said.

Hello,

All MySQL traffic between the web server your site is located on and the MySQL server only crosses over our internal network, and the traffic is not transmitted across the Internet. Unfortunately, there is no encryption that takes place between the web server and the MySQL server as this feature is not support by MySQL.

To solve this problem, we recommend you do not transmit and/or store unencrypted credit card numbers in your database. You can encrypt the credit card information within your web application before the information is passed to your database.

Please let us know if you have any other questions or concerns, and feel free to contact us anytime. Thank you.

Can anyone tell me if php has an included feature which allows for two way encryption. I need to be able to encrypt and then decrypt the cc numbers.

Thanks,

--SL

Tracer

That basically repeats exactly what was stated above....

Use a seperate table...and the PHP encryption functions...that way only the crypt for of the number is transmitted to the db......

slevytam

Tracer,

I believe crypt is a one way function, not two way. It won't do me any good if I can encrypt the cc number and then not get it back. Thats why I asked if php has any built in two way encryption functions.

Sorry if I was unclear...

--SL

superwormy

http://www.php.net/manual/en/ref.mcrypt.php

PHP will need to be compiled with MCrypt support. Check its compile options with the phpinfo() function or ask your host.

Tracer

errr sorry about that.....when I referred to crypt I actually meant the cryptography functions in PHP...more specifically the Mcrypt function......

Sorry for the confusion.....

slevytam

Thank you. MCrypt should solve my problems

🙂