Credit cards online. Security?

johnie

Hi. Using credit cards online is very common.

However, everybody says that it's better NOT to keep the cc numbers in a database, unless you have a very strong and secure system. I guess that shared servers are out of question.

But if we don't store the cc details in a database, how can we process them?
Sending the details by email through a script to the merchant and then delete them, is it a wise solution?

How do you deal with credit cards?

Thanks,
John

yelvington

This is why you use a secure online credit-card clearing house such as Cybercash that has the necessary security systems in place to qualify for online credit card processing. In fact, if you read the merchant agreement, you'll discover that the merchant typically is NOT allowed to directly accept credit cards online.

Mordecai

Make sure you connect by HTTPS when sending cc info. Also, make sure to encrypt the information on your database (you can't hash it because you couldn't get it back, though). Use a very large salt (like 10+ characters).

jayc

With processors like Authorize.net, you simply POST the details to them through HTTPS and get a response back from them and process it accordingly. So there really isn't any need to keep the CC details.

johnie

But not everybody uses online credit-card clearing houses. There are people that have the machines to validate the cc they get without paying commisions to others. There must be another way beside clearing houses.

Of course they are using SSL but what happens from there on. Can this data be sent by email to the merchant? Is this secure?
And how do you encrypt it in the database if you decide to store it?

John

jayc

You've got to pay a percentage to a company either way for them to process them. It's only about 2.2% for doing it online plus a small transaction fee. I'd rather do that than take a risk of having my customer's CC's stolen.

johnie

Ok guys.
But what else can someone do except online clearing?

jayc

You could encrypt it using something like GnuPG when it is received and then either e-mail it to yourself and decrypt it with your private key.

superwormy

If you accept the card over SSL, and encrypt it, it should be reasonably safe to store that information in a database.

Note also that you SHOULD NOT send unencrypted credit card numbers over e-mail, because e-mail is no where near secure.

ednark

ok the basic idea is that you must get the info directly from the user in a form, and once used, do not store on your server unless you are sure its as secure as you can make it

you simple have to ask the user to fill in a form every time you want their creditcard number

johnie

Ok ednark.
The user fills in the form. Now what happens if:
1. I don't use an online cc processor and
2. i don't want to keep the cc in the db?

If i decide to store it in the db, which is the best way to do so?

John

ednark

make sure your host is secure... which is hard to verify you aren't maintaining it... and hard to do if you are, since you need to spend all your time on bug lists and in-the-know to get the most up-to-date patches on all the programs on the system.

make sure that no common files are shared with any other webserver.

make sure any and all calls to sql from php based upon form values are checked for hacks - means removing certain characters like ;

make sure the password to your database is well hidden so no accidental dump of file access could expose it over the web.

make sure the human factor is taken care of. the people who could possibly have access to your database are regulated closely... again hard to do if you have some company hosting your site.

all of this is pretty vague advise i admit. so maybe others have some ideas on specifics that might be relevent...

why would you want to keep peoples credit card numbers if you are not processing them right away?

superwormy

Originally posted by johnie
Ok ednark.
The user fills in the form. Now what happens if:
1. I don't use an online cc processor and
2. i don't want to keep the cc in the db?

If i decide to store it in the db, which is the best way to do so?

John

store it encrypted in the database

make sure your scripts are reasonably secure

never show the card number on an HTML page that isn't using an SSL connection

BeastRider

Originally posted by johnie
Ok ednark.
The user fills in the form. Now what happens if:
1. I don't use an online cc processor and
John

I work for a company that takes credit cards at its retail location as well as its internet site. I guarantee you that if you attempt to run your internet credit card transactions through your regular retail merchant account, you will be violating the terms of your merchant agreement, and they will become pissed at you, such that if you do it enough, they will pull your retail channel credit card authorization service. I am unaware of ANY credit card processor that does not have separate agreements for, and separate process to, process internet charges versus instore charges. The reasons are simple. In the store, you have the card, the customer, and all the additional ID you might ask for. This is not true of an online transaction.

There is only one way to store a credit card number safely in a database, and that is with strong encryption.

mystrymaster

The past company I worked for we actually stored the credit card numbers in 4 different places and each number was again encrypted by a 15 digit key.

Now while some may say a little extravagant(sp?) I would much rather err on the side of caution then get sued any day

superwormy

As a note too, as an extra security precaution as far as fraud, you should consider getting the 3 digit validation code off the back of the CC too.