Best way to store CC#'s

Anon

Im in the last stages of developing a shopping cart system that Ive written in PHP with a mySQL database. Im stuck on the most secure way to store credit card #'s.

I have already gotten a secure certificate from Verisign, so I am pretty confident that the data is getting from the customer to my server securely (which is in-house, on the LAN), however, Im a little weary about how to store this credit card number so our staff can receieve it and process it. We already have a credit card processing machine here, so I didnt want to use any additional processing services.

This info is going to be retrieved thru the LAN from the mysql database, so Im not worried about the security of the transmission of the data from the server to a workstation, Im concerned if the Mysql database is compromised. Ive read other threads about PGP and PHP encrypt functions. What is my best choice at a decent price?

Thanks

Anon

another idea i had...We have an Exchange server running in house, can I email the credit card number to our staff, that way it isnt stored anywhere? The email would not go outside the LAN, so it wouldnt be vulnerable to open eyes..correct?

[deleted]

The only safe way to store CC#'s is to not store CC#'s. No database is safe, and mysql is a far cry from secure, let alone reliable.

Surely your CC processing unit can process the data on-the-fly when a purchase is made?

[deleted]

"can I email the credit card number to our staff,"

aaaah! 🙂

"The email would not go outside the LAN, so it wouldnt be vulnerable to open eyes..correct?"

Until someone makes a mistake (or Exchange messes up) and you end up sending private data all around the globe.

rontgoff

A lot of insurance companys will drop a company if storing cc info because that is a huge liability. I don't worry about the cc info I record all the contact info. If you are not using a credit card processor you should its easier and less of a security hazard.

rontgoff

one other thing alot of banks now offer internet cc processing along with their standard cc processor. Bank of America has a very good system and is worth looking into. You could really be setting yourself up for huge headaches if you do it yourself.
www.bamart.com

[deleted]

Indeed, those online creditcard services are pretty nifty. Your site builds the order, takes a few user details, and then posts the entire order to a secure page on the bank's site. Most of them even let you define the layout of their page, making it look like part of your own site.

great stuff.

rontgoff

One thing the bank of america cc process will do templete style checkout or use your own design this is what it does. (on Site)Cart -> Shopper Info -> CC info ->(off Site)CC process no page displayed sent back to either a accepted or declined page back on your site)->Accepted page or Declined page.

This is the way i would go because the user never sees a change in the address bar they stay on your site the whole time. I don't like leaving the site because the way the bank have set up their pages they are very templete driven and thats not good.

Anon

DON'T STORE THEM. DO NOT STORE THEM! You can just use them to do the transaction and then discard them.

If you do not understand all the security issues involved (which, no offense, you don't) then do not store them! Especially don't store them in Exchange.

If for some reason you need to store them, hire a security expert, read bugtraq, keep all servers fully patched up, use an offline credit card store, use public key encryption, use physical security, swipe cards, etc.

Chris

Anon

Thanks for all your input. I decided to go with Verisign's Payflo Link service. For the minimal monthly charge, now I have piece of mind.