Storing CC Info ...

jtown

I am creating a few registration pages where the user will need to enter their CC information to be temporarily stored in a database. I know storing any CC information is bad, but what are some other options?

Would sending the CC info in an email to me and not storing it in the db be better? The CC transaction will be processed by hand via me. Otherwise my only other option is to store it in the db and erase it after I've completed the xaction.

SpanKie

You should never store CC info period. And sending a CC number through email is even more crazy without any type of encryption.

I would leave all the CC processing up to a provider such as VeriSign, etc...

jtown

What if I don't need the number to be processed, but I just need for myself to someone call in that transaction with their information. Does Verisign have something like that?

Kudose

I dont know how safe this altrenative is, and I would appreciate it if someone told me.

What about using an SSL page to write the data to a file outside of the public folder.

MikeSnead

Can't you just store an encrypted version of the number and just decrypt it when you need it?

mtmosier

If you store the cc's outside your public directory, what happens when someone hacks into the server?

If you want to deal with the security hassles you can encrypt them. But if you are going to process or store credit cards (even encrypted), then you need to spend some time reading about Visa cisp. Trust me, it's not fun.

justsomeone

I don't understand why you need to store the credit card number.

OPTION 1
I think you're trying to use it to identify the transaction? If that's the case, you probably don't need to store the full number. How about storing the first and last four digits? For two cards to share that info is rare enough for it to probably be useful enough for you to use. But it's not enough info for someone to be able to reconstruct the whole number.

OPTION 2
If you absolutely, positively have to store the whole credit card number (and, trust me, if you do, you're solving the wrong problem), then you're taking a lot of responsibility on your shoulders.

If you only want to use the CC number as some sort of identifier, then use a strong one-way encryption algorithm and only store / search for the encrypted version. of course even this isn't great as a hacker could gain access to your site, take a copy of the encrupted numbers and try cracking them at his leisure.

OPTION 3
If you want to be able to extract the CC numbers, then you're in a whole new level of responsibility. I've only ever dealt with that situation once. In that case, a strong public/private key system was used over multiple servers. The web server encrypted the credit card details using a public key and passed them over a secure connection, through a firewall, to a separate secure server which had no publicly accessible ports.

To extract the CC number, you needed access to the secure server and knowledge of the private key. Knowledge of the private key was only available after a challenge response.

In that case, to extract the CC number a hacker on the web would need to compromise the web server, compromise the firewall between the web server and the secure server, compromise the secure server and crack a challenge response system. All without being detected.

Of course each of the above options would require you to keep all server software bang up to date with patches so that you're not running with any known vulnerabilities.

Also, once you store cc numbers, you need to bulletproof any forms on your site to make sure that people can't inject SQL to compromise your database.

Do you feel lucky??

jtown

So the other way is to go with verisign and accept the full CC transaction and not have my staff process them manually?

justsomeone

...absolutely. Of course, verisign is just one company - there are others. Shop around for the payment service provider who suits you best.

When shopping around, weigh up the level of service they provide to you, how much it will cost you to integrate their system into yours, how much they charge per month / per transaction, how they handle chargebacks/refunds, what (if any) protection they offer you from fraudulent transactions, anything you've heard from other people who use their services... and so on.

Then, when you've integrated your chosen provider, you can relax in the knowledge that your customers' financial details are not on any of your systems.

jtown

What are some other companies that you guys have heard good things from?

Weedpacket

Your own bank might provide such a service.

justsomeone

i've had good experiences with worldpay www.worldpay.com - simple secure interface

liquorvicar

i used to use WorldPay - they were OK but a bit on the pricey side.

we now use ProTX as a PSP with our own acquirer. works out much cheaper. ProTX are not perfect but generally no worse then WorldPay were.

jtown

Ya I need a PSP that can accept level 2 CCs.

Keep the names coming! Thanks again.

devinemke

i highly recommend Verisign Payflow Link.