Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best practices to store CreditCard information into DataBase

Tags:

security

database

mysql

database-design

credit-card

In my country the online payments are not an old thing, the first time i saw a web application taking payments directly to a local bank account was last year.

So, Im a newbie coding web payment system.

My question is, what are the best practices to store creditcard information into the database...

I have many ideas: encrypting the creditcard, database security restriction, etc.

What have you done?

like image 874
Garis M Suero Avatar asked Jun 08 '10 23:06

Garis M Suero

People also ask

What is best practice when storing payment card information?

Keep paper documents with credit card numbers locked in a secure place (like a safe) when not in use. Electronic storage of credit card numbers is also common if, for example, you process recurring or repeat transactions. If you do this, you cannot store these files unencrypted.

Can we save credit card information in database?

In most cases, credit card information shouldn't be stored in the database at any time. Storing this information is not only a liability for security reasons, but it results in more compliance actions that need to be taken to be PCI-compliant.

What credit card information should not be stored?

Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions). Never store the personal identification number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed.

Can I store credit card information on my website?

Storing credit card information poses a huge liability to you personally and / or your company. It's best not to take on this liability unless there is a really good reason or you have the resources to ensure data saftey. Check out the PCI compliance standards for further information.

1 Answers

DON'T DO IT

There is simply far too much risk involved, and you will typically need to be externally audited to ensure that you're complying with all the relevant local laws and security practises.

There are many third-party companies that do it for you that have already gone through all trouble of making sure their system is secure, that they comply with local laws and so on. An example in the US that I have used in the past is authorize.net. Some banks also have systems that you can hook into to store credit card data and process payments.

I realise the country you're in may not have as strict laws as the U.S., but in my opinion that's no excuse for rolling your own. When you're dealing with other people's money, the risk is just too much to warrant.

like image 64
Dean Harding Avatar answered Oct 17 '22 08:10

Dean Harding
Sign in to Comment

Related questions

What user should own /usr/local/mysql on Mac?
sql query with multiple where statements
How different is PostgreSQL to MySQL? [closed]
PHP Connection failed: SQLSTATE[HY000] [2002] Connection refused
Invoking a PHP script from a MySQL trigger
MySQL vs. JSON - Why? [closed]
virtualenv, mysql-python, pip: anyone know how? [duplicate]
How should unix timestamps be stored in int columns?
MySQL wait_timeout Variable - GLOBAL vs SESSION
Sequel Pro Alternative for Windows [closed]
Selecting multiple columns/fields in MySQL subquery
SQL unique varchar case sensitivity question
Running a .sql script using MySQL with JDBC
Rails, MySQL and Snow Leopard
How can I rebuild indexes and update stats in MySQL innoDB?
How to start MySQL with --skip-grant-tables?
MySQL. Can't create table errno 150
MySQL LEFT JOIN 3 tables
MySQL Workbench: how do I set up "ON UPDATE" and CURRENT_TIMESTAMP?
Detecting locked tables (locked by LOCK TABLE)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!