
How to save credit card data in a database?

I am working on an application in which it is required to store whole credit card numbers. Is this possible to do using any API?

I have read about Authorize.net's Customer Payment Profile option, but it gives only last 4 digits when you try to retrieve that payment profile.

I have also checked Braintree's v.zero API which gives first 6 and last 4 digits and also Stripe's customer creation option but it also gives only last 4 digits.

If there is no API available, the only way to store credit card numbers is to store them in-house using PCI DSS?

Saurabh Rane asked Jun 01 '16 21:06




1 Answer

Disclosure: I work for Stripe

Yes, the ONLY way to store customer card information in-house is to do so in a PCI-compliant system. Any place you store them, and any way you handle them, MUST be PCI compliant.

One of the biggest gains from using a payment processor, like Stripe for example, is that they take care of the (very, incredibly, terrifyingly) hard work of PCI compliance for you. As part of that commitment, they're not going to release those credit card details that they work tirelessly to keep secure.

If you're willing to go through the rigors of becoming - and remaining - PCI compliant, you could collect and store the card numbers in a PCI-compliant way and use Stripe's API to create the card [0] and then make the charge. Do note that you MUST be PCI Compliant to make use of Stripe's API in this way, or you will be violating the Terms of Service.

If you can more fully explain what the application will be doing with the stored credit card numbers, maybe someone can suggest an alternative approach that doesn't require actually storing the card info locally.

[0] https://stripe.com/docs/api#create_card-source-number

floatingLomas answered Oct 28 '22 03:10