Storing Credit Card Number - PCI?

What are the PCI rules to follow for storing credit card numbers in a database?

1) Is this allowed? 2) If so, what rules do we have to follow?

I'm looking at this site: https://www.pcisecuritystandards.org/security_standards/index.php. Which document should I be reading here?

001 asked Nov 29 '10 04:11



1 Answer

1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.

2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.

John Conde answered Sep 23 '22 04:09
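To make the answer's point concrete, here is an added Python example (not code from the question, the answer, or the PCI SSC) showing the shape of a card record that is safe to write to a database and a check you can run over rows already at rest. It applies three PCI DSS rules: sensitive authentication data (CVV/CVC, full track data, PIN) is never stored after authorization (requirement 3.2), a displayed PAN is masked to at most the first six and last four digits (requirement 3.3), and the PAN must be unreadable wherever it is stored (requirement 3.4). The `form` dict, the `FINGERPRINT_KEY` and the sample rows are constructed for the example. The keyed HMAC fingerprint stands in for the "rendered unreadable" requirement only for duplicate-card lookups; if you genuinely need the PAN back, you still need strong encryption with proper key management, which is exactly the part the answer warns is hard to get right.

```python
"""Added example: build a PCI-minded card record and audit stored rows.
Standard library only; the key and sample data below are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key for the example only; a real deployment keeps it in an HSM/KMS.
FINGERPRINT_KEY = b"example-key-do-not-use-in-production"

# Sensitive authentication data: must not be stored after authorization (PCI DSS 3.2).
SENSITIVE_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "track1", "track2"}

# A 13-19 digit run not glued to other word characters (so hex hashes don't match).
PAN_RUN = re.compile(r"(?<!\w)\d{13,19}(?!\w)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a digit string; catches typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: expose at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str) -> str:
    """Keyed HMAC of the PAN: lets you spot a repeat card without keeping the PAN."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str
    last4: str
    fingerprint: str
    expiry: str
    cardholder: str


def build_stored_card(form: dict) -> StoredCard:
    """Take the checkout form and keep only what PCI DSS allows at rest.
    The CVV may be present in `form` for the authorization call, but this
    function never reads it, so it cannot end up in the record."""
    pan = re.sub(r"\D", "", form["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return StoredCard(
        masked_pan=mask_pan(pan),
        last4=pan[-4:],
        fingerprint=pan_fingerprint(pan),
        expiry=form["expiry"],
        cardholder=form["name"],
    )


def audit_row(row: dict) -> list:
    """Scan one stored row for data that must not be at rest:
    a sensitive-authentication-data column, or a Luhn-valid unmasked PAN."""
    findings = []
    for key, value in row.items():
        if key.lower() in SENSITIVE_FIELDS:
            findings.append(f"{key}: sensitive authentication data stored")
        normalized = re.sub(r"[ -]", "", str(value))  # join "4111 1111 ..." groups
        for run in PAN_RUN.findall(normalized):
            if luhn_valid(run):
                findings.append(f"{key}: unmasked PAN present")
    return findings


if __name__ == "__main__":
    # Constructed checkout form; 4111... is the well-known Visa test number.
    form = {"pan": "4111 1111 1111 1111", "expiry": "12/30",
            "name": "A Customer", "cvv": "123"}
    card = build_stored_card(form)
    print(card)                          # masked_pan='411111******1111', no CVV field
    print(audit_row(vars(card)))         # []
    # Constructed "legacy" row of the kind the answer warns against.
    bad_row = {"pan": "4111111111111111", "cvv": "123", "name": "A Customer"}
    print(audit_row(bad_row))            # flags both the PAN and the CVV
```

The record type has no field for the CVV at all, so the safe path is enforced by the schema rather than by remembering to delete a column, and `audit_row` is the kind of check to run over existing tables before claiming compliance.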