
Can I save credit card secret code in the database?

I need to save the credit card numbers and secret codes of users in the database in plain text (with consent, obviously) for automatic operations made from the server.

Are there any problems?

What do I need to be aware of?

xRobot asked Oct 15 '10 17:10

2 Answers

PCI-DSS (Payment Card Industry Data Security Standard) absolutely prohibits card details from being persisted to disk in plain text. Further, the 3-digit Card Security Code (4 digits on Amex) cannot be stored post-authorization, and ideally you should only keep it in memory until authorization is complete.

PCI states you can store at most the first six and last four digits in plain text. The requirements for printed receipts are different, there you can only print the last four digits at most.

PCI doesn't get much easier if you want to try and encrypt the details before persisting them. You need to consider key management, key rotation, split keys. Further you would need to undergo yearly onsite audits over your internal network security, and quarterly audits of your public network. Net cost will easily run into $thousands.

In summary: don't even think about it!

PaulG answered Sep 21 '22 18:09
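The two storage rules quoted in the answer above (at most the first six and last four PAN digits in plain text; the card security code never written to storage) can be enforced at the persistence boundary instead of relying on every caller to remember them. The following is an added example, not code from the original post or from PaulG; the field names (`pan`, `cvv`, `cvc`, ...), the 13-19 digit PAN length range and the Luhn pre-check are assumptions chosen for illustration.

```python
"""Added example: a persistence gate that applies the PCI-DSS storage rules
quoted in the answer above. Field names and record layout are assumptions."""
import re


class CardDataPolicyError(ValueError):
    """Raised when a caller tries to persist data PCI-DSS forbids storing."""


# Assumed names under which a security code might arrive in a payload.
FORBIDDEN_AT_REST = {"cvv", "cvc", "cvv2", "cid", "security_code"}


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate shape (13-19 digits is an assumption)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches typos before anything reaches storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan_for_storage(pan: str) -> str:
    """Keep only first six + last four digits (the PCI-DSS storage maximum)."""
    digits = normalize_pan(pan)
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pan_for_receipt(pan: str) -> str:
    """Printed receipts may show at most the last four digits."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def forbidden_fields(fields: dict) -> set:
    """Return the security-code fields present in a payload (case-insensitive)."""
    return FORBIDDEN_AT_REST & {k.lower() for k in fields}


def to_storable_record(fields: dict) -> dict:
    """Convert a raw card payload into the only fields allowed at rest.

    A security-code field is a hard failure rather than a silent drop, so a
    payload misrouted to the persistence layer is noticed during testing.
    """
    present = forbidden_fields(fields)
    if present:
        raise CardDataPolicyError(f"refusing to persist {sorted(present)}")
    return {"pan_masked": mask_pan_for_storage(fields["pan"])}


if __name__ == "__main__":
    # Constructed sample input using a well-known test PAN, not real card data.
    print(to_storable_record({"pan": "4111 1111 1111 1111"}))
    print(mask_pan_for_receipt("4111111111111111"))
    try:
        to_storable_record({"pan": "4111111111111111", "cvv": "123"})
    except CardDataPolicyError as exc:
        print("blocked:", exc)
```

The gate deliberately has no "store full PAN" path: the answer's point is that a full PAN needs encryption, key management and audits, so anything that must survive beyond authorization should go through a payment processor's tokenization rather than through this code.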


Most credit card processing agreements that I have seen do not allow you to store the code from the back of the card.

There are other security implications of storing plain text credit card numbers, but storing the code is usually specifically disallowed by your agreement. You will need to read yours to make sure you can do that.

As for storing the credit card number, that is also usually a very bad idea. If your database is compromised, you will be held liable and it could cost you a lot of money.

Unless you have a very good reason to store the credit card number and have a very good team working on security, I would not recommend storing any credit card data.

Alan Geleynse answered Sep 20 '22 18:09