Menu
I want to allow my customer users to enter their credit card information so that I can charge them every month.
I wonder how one should save this information?
Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?
I have no experience of this and would be glad if someone could advice me how to accomplish this.
Thanks.
625
In most cases, credit card information shouldn't be stored in the database at any time. Storing this information is not only a liability for security reasons, but it results in more compliance actions that need to be taken to be PCI-compliant.
The credit card number must be filed in a secure location, in a safe or under lock and key. Credit card numbers must not be stored electronically, i.e. in a spreadsheet, database, or anywhere on a computer and/or network. Once the customer relationship is finished, the credit card number should be cross-shredded.
Credit Card Data: What is Allowed to be Stored This data includes the 16-digit primary account number (PAN), as well as cardholder name, service code, and expiration date. Traditionally, this data is located on the front of the card (EMV chip data is not Cardholder Data and cannot be stored after authorization).
As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.
Having said that, here are three things to consider:
1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
3) State and country specific laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.
As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).
151
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
