What are the PCI rules to follow for storing credit card numbers in a database?
1) Is this allowed? 2) If so, what rules do we have to follow?
I'm looking at this site https://www.pcisecuritystandards.org/security_standards/index.php. Which document should I be reading here?
What Credit Card Data Does PCI Allow You to Store? Organizations that verify that data designated as Cardholder Data (CHD) can be stored are allowed to do so. The 16-digit primary account number (PAN), cardholder name, service code, and expiration date are all included in this information.
Never Store Electronic Track Data or Card Security Number (PINs). While you may have a business reason to store credit card information, PCI DSS specifically prohibits storing a card's security code or any “tracking data” contained in a magnetic stripe on the back of a credit card.
The standards allow merchants to store your account number, your name and the card's expiration date according to the above guidelines. However, the body frowns on a merchant's storing a card verification value (CVV) or personal identification number (PIN).
PCI Rule 3.3: The maximum that can be displayed are the first six and last four digits. The full PAN can only be displayed for those users whose roles include a legitimate business need to view the full PAN. This requirement applies to displays of PAN on screens, paper receipts and other printouts.
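The masking rule quoted above, as an added example that is not part of any answer on this page: a Go function that shows at most the first six and last four digits, validates the PAN (digits only, 13 to 19 long, Luhn-valid) before doing anything with it, and gates full-PAN display on an allow-listed role. The role names and the allow-list are assumptions for illustration, and the PAN used is the well-known Visa test number, not a real card.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn check that all
// payment card PANs satisfy. Used here only to reject obviously bogus input.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN returns the PAN with only the first six and last four digits visible,
// the maximum the quoted rule allows on screens, receipts and printouts.
// PANs are 13 to 19 digits; anything else is rejected rather than partially masked.
func MaskPAN(pan string) (string, error) {
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("PAN must contain only digits")
		}
	}
	if len(pan) < 13 || len(pan) > 19 {
		return "", fmt.Errorf("PAN length must be 13 to 19 digits, got %d", len(pan))
	}
	if !luhnValid(pan) {
		return "", errors.New("PAN fails Luhn check")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// rolesWithFullPANNeed is a hypothetical allow-list of roles with a documented
// business need to see the full PAN. In a real deployment it would come from
// the organisation's access-control policy, not from code.
var rolesWithFullPANNeed = map[string]bool{
	"chargeback-analyst": true,
}

// DisplayPAN is what a UI or receipt generator should call instead of handling
// the raw PAN: the PAN is validated either way, shown in full only for an
// allow-listed role, and masked for everyone else.
func DisplayPAN(pan, role string) (string, error) {
	masked, err := MaskPAN(pan)
	if err != nil {
		return "", err
	}
	if rolesWithFullPANNeed[role] {
		return pan, nil
	}
	return masked, nil
}

func main() {
	// Constructed input: the Visa test number, not a real card.
	pan := "4111111111111111"
	masked, _ := DisplayPAN(pan, "customer-support")
	full, _ := DisplayPAN(pan, "chargeback-analyst")
	fmt.Println(masked, full)
}
```

Validating before masking matters: a sloppy mask that slices a malformed value can leak more digits than intended, so invalid input is refused outright.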
1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.
2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.
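As an added example (not from the answer above or from the PCI SSC documents) of what "encrypted according to PCI standards" looks like in code: the PAN is sealed with AES-256-GCM under a data-encryption key, using a fresh random nonce per record and the row's primary key as additional authenticated data, so the stored row holds only ciphertext, nonce and the last four digits. The key shown is a hard-coded placeholder so the example runs offline; in a real deployment the key comes from an HSM or KMS with rotation and split knowledge, which this code assumes lives elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the shape of the database row. The PAN is never stored in the
// clear; Last4 is kept so routine display and lookup need no decryption at all.
type StoredCard struct {
	RecordID   string // primary key; also bound into the ciphertext as AAD
	Last4      string
	Nonce      []byte // 12-byte GCM nonce, unique per encryption
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// EncryptPAN seals the PAN under the data-encryption key. The record ID is
// passed as additional authenticated data, so a ciphertext copied into another
// row fails to decrypt instead of silently yielding a different customer's card.
func EncryptPAN(key []byte, recordID, pan string) (StoredCard, error) {
	if len(key) != 32 {
		return StoredCard{}, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length must be 13 to 19 digits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(recordID))
	return StoredCard{
		RecordID:   recordID,
		Last4:      pan[len(pan)-4:],
		Nonce:      nonce,
		Ciphertext: ct,
	}, nil
}

// DecryptPAN is the only code path that should ever see the full PAN, reserved
// for callers with a documented business need (re-billing, for example).
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.RecordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered ciphertext, or ciphertext moved to another record")
	}
	return string(pt), nil
}

// demoKey is a placeholder so the example runs offline. A real deployment
// fetches the data-encryption key from an HSM or KMS and never hard-codes it.
func demoKey() []byte {
	k, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	return k
}

func main() {
	key := demoKey()
	// Constructed input: the Visa test number, not a real card.
	rec, err := EncryptPAN(key, "card-0001", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("row: id=%s last4=%s nonce=%x ciphertext=%x\n", rec.RecordID, rec.Last4, rec.Nonce, rec.Ciphertext)
	pan, _ := DecryptPAN(key, rec)
	fmt.Println("authorised read:", pan)
	rec.RecordID = "card-0002" // simulate the ciphertext being moved to another row
	_, err = DecryptPAN(key, rec)
	fmt.Println("moved ciphertext:", err)
}
```

Encryption is the part that code can show; the rest of the answer's point stands: the server, network and key-handling procedures around this function are what make the stored PAN compliant or not.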