I need to save the credit card numbers and secret codes of users in the database in plain text (with consensus behind it, obviously) for automatic operations made from the server.
Are there any problems?
What do I need to be aware of?
To answer briefly, yes, merchants can store credit card information. The long answer is that merchants must be PCI compliant to store their credit card data. However, there's also some data you can keep and some you can't; make sure you securely handle your customers' credit card information.
Even if data is encrypted, you can NEVER store: the card validation value (CVV), also known as the three/four-digit service code or card security code.
The credit card number must be filed in a secure location, in a safe or under lock and key. Credit card numbers must not be stored electronically, i.e. in a spreadsheet, database, or anywhere on a computer and/or network. Once the customer relationship is finished, the credit card number should be cross-shredded.
PCI-DSS (Payment Card Industry Data Security Standard) absolutely prohibits card details from being persisted to disk in plain text. Further, the 3-digit Card Security Code (4 digits on Amex) cannot be stored post-authorization, and ideally you should only keep it in memory until authorization is complete.
PCI states you can store at most the first six and last four digits in plain text. The requirements for printed receipts are different: there you can only print the last four digits at most.
PCI doesn't get much easier if you want to try and encrypt the details before persisting them. You need to consider key management, key rotation, and split keys. Further, you would need to undergo yearly onsite audits of your internal network security, and quarterly audits of your public network. Net cost will easily run into thousands of dollars.
In summary: don't even think about it!
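The truncation rules this answer quotes (first six and last four digits for stored or displayed data, last four only on receipts, CVV never persisted) as a small worked example; this is added code, not part of the answer, and the test card numbers and field names are constructed for illustration. Masking a PAN this way reduces what a database leak exposes, but it does not replace tokenization or the rest of PCI-DSS.

```python
import re


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: catches typos before a malformed value reaches storage."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_for_storage(pan: str) -> str:
    """Keep first six (BIN) and last four, the most PCI-DSS allows in the clear."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_for_receipt(pan: str) -> str:
    """Printed receipts may show the last four digits only."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_for_storage(card: dict) -> dict:
    """Build the record that may be written to the database after authorization.

    The CVV is deliberately not copied over: it is used for the authorization
    call and then dropped. The field names are constructed for this example.
    """
    digits = normalize_pan(card["pan"])
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": mask_for_storage(digits),
        "last4": digits[-4:],
        "exp": card["exp"],
    }
```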
Most credit card processing agreements that I have seen do not allow you to store the code from the back of the card.
There are other security implications of storing plain text credit card numbers, but storing the code is usually specifically disallowed by your agreement. You will need to read yours to make sure you can do that.
As for storing the credit card number, that is also usually a very bad idea. If your database is compromised, you will be held liable and it could cost you a lot of money.
Unless you have a very good reason to store the credit card number and have a very good team working on security, I would not recommend storing any credit card data.