In my country the online payments are not an old thing, the first time i saw a web application taking payments directly to a local bank account was last year.
So, Im a newbie coding web payment system.
My question is, what are the best practices to store creditcard information into the database...
I have many ideas: encrypting the creditcard, database security restriction, etc.
What have you done?
Keep paper documents with credit card numbers locked in a secure place (like a safe) when not in use. Electronic storage of credit card numbers is also common if, for example, you process recurring or repeat transactions. If you do this, you cannot store these files unencrypted.
In most cases, credit card information shouldn't be stored in the database at any time. Storing this information is not only a liability for security reasons, but it results in more compliance actions that need to be taken to be PCI-compliant.
Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions). Never store the personal identification number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed.
Storing credit card information poses a huge liability to you personally and / or your company. It's best not to take on this liability unless there is a really good reason or you have the resources to ensure data saftey. Check out the PCI compliance standards for further information.
DON'T DO IT
There is simply far too much risk involved, and you will typically need to be externally audited to ensure that you're complying with all the relevant local laws and security practises.
There are many third-party companies that do it for you that have already gone through all trouble of making sure their system is secure, that they comply with local laws and so on. An example in the US that I have used in the past is authorize.net. Some banks also have systems that you can hook into to store credit card data and process payments.
I realise the country you're in may not have as strict laws as the U.S., but in my opinion that's no excuse for rolling your own. When you're dealing with other people's money, the risk is just too much to warrant.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With