Should credit card numbers be stored as strings or ints?

Question

Yeah... just thinking about it...

Should I store credit card numbers that have been input on my site as strings or ints?

I mean, they're made up of numbers which makes me think it's an int... but I don't do maths on them, so maybe a string is more appropriate?

EDIT: So I have to store the number that's been input at some point, before I encrypt it. I probably should have been more specific - it's not like I'm saving them in the DB in clear text or anything - glad to see how conscientious everyone is :)

Answer 1

Neither. You should save them, at very least, as byte arrays encrypted with AES or equivalent using industry-accepted key storage.

Windows provides a lot of this via the Data Protection API: http://msdn.microsoft.com/en-us/library/ms995355.aspx

For your own sake and the sake of your customers, please learn the proper standards for encrypting financial credentials or hire someone who knows them.

Given your edit:

C# has a SecureString class that you should use. I don't believe that there is a Java equivalent, but I could be wrong.

EDIT: For posterity's sake...

Guidelines for storage, transmission, and processing of credit card details are defined by PCI DSS (Data Security Standards). Anyone considering how to architect their solution for managing credit card data should read about that here, and consult an industry expert: https://www.pcisecuritystandards.org/

Answer 2

Credit card numbers would be a string, I'm not positive but i feel like some cards can start with a 0 and you wouldn't want to lose any of those leading zeros. Also, you should encrypt that. If not, a malicious user may be able to snag card numbers through cookies, packet sniffers, and other things.