
Should credit card numbers be stored as strings or ints?

Tags: java, c#

Yeah... just thinking about it...

Should I store credit card numbers that have been input on my site as strings or ints?

I mean, they're made up of numbers which makes me think it's an int... but I don't do maths on them, so maybe a string is more appropriate?

EDIT: So I have to store the number that's been input at some point, before I encrypt it. I probably should have been more specific - it's not like I'm saving them in the DB in clear text or anything - glad to see how conscientious everyone is :)

Ev. asked Aug 26 '11 02:08


2 Answers

Neither. You should save them, at the very least, as byte arrays encrypted with AES or equivalent using industry-accepted key storage.

Windows provides a lot of this via the Data Protection API: http://msdn.microsoft.com/en-us/library/ms995355.aspx

For your own sake and the sake of your customers, please learn the proper standards for encrypting financial credentials or hire someone who knows them.

Given your edit:

C# has a SecureString class that you should use. I don't believe that there is a Java equivalent, but I could be wrong.

EDIT: For posterity's sake...

Guidelines for storage, transmission, and processing of credit card details are defined by PCI DSS (Data Security Standards). Anyone considering how to architect their solution for managing credit card data should read about that here, and consult an industry expert: https://www.pcisecuritystandards.org/

Chris Shain answered Oct 06 '22 00:10


Credit card numbers would be a string. I'm not positive, but I feel like some cards can start with a 0 and you wouldn't want to lose any of those leading zeros. Also, you should encrypt that. If not, a malicious user may be able to snag card numbers through cookies, packet sniffers, and other things.

Tony318 answered Oct 05 '22 23:10