Storing Credit Card Information in Database
I've been reading alot about security issues and I have a concern about storing Credit Card information in a database and that it shouldn't be done.
However, I am having a problem on what to do with an application I am creating for a client.
The application will get user information, along with Credit Card info. The information will be stored in a database until an administrator reviews the input and accepts it. If it is accepted, the credit card will be charged.
So how do I go about saving the credit card information if I don't store it in at least a temporary database until the other information is approved and reviewed? Once it is approved, it can be deleted from the database.
How should I do this correctly? (Using PHP)
I would strongly encourage you to find a solution that does not require that you store credit card data, as the consequences of mishandling it can be severe. One alternative might be to make it a 2-stage process for the user:
1. They submit all their info except credit card info. The administrator reviews it and sets some database value for that submission if approved, which then also sends an email notification to the user with a link to the payment form.
2. The user receives the email, clicks the confirmation link, and is taken to the final payment form. At this point he probably has to log in using the user/password values established in the initial form(s). User enters payment info, your script processes it through your selected payment gateway, and upon payment approval the account is completely approved.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
How to Ask Questions the Smart Way
(not affiliated with this site, but well worth reading)
One of the requirements for storing credit card data on a database is that the database must be on a server behind a firewall where there is no internet access whatsoever to that server that would allow anything to be retrieved. You would nee dto have that set up in place and thoroughly tested before you even consider any of the other aspects of credit card processing.
The only way around that one is to have the page with the SSL certificate that collects the credit card data post it directly to the third party service which provides the credit card processing for you.
Is this from a legal stand point, or just your recommendation?
Originally Posted by felgall
Why would you need a firewall on a computer with no internet access?
Originally Posted by temp.user123
I believe that he meant computers from outside (aside from trusted computers) would not have access.
Originally Posted by MrCoder
There are all sorts of legal requirements for notification of users if there is any type of security breach involved. If you are running in a shared Linux environment, there is a much higher risk of a breach. Even if you have a dedicated server there are risks as well. It's best to trust the authorization to companies with high security than setting that same security up yourself.
Together, these surveys demonstrate the extreme cost consequence ($182 per record and an average of $4.8 million per incident based on an average of 26,300 records lost) of companies breaching the confidential data and underlying trust of their customers. With the single largest cost being customer turnover, the cost to brand and corporate reputation can be the most long-lasting effect.
In spite of these consequences, new breaches are reported every week. Though security best practices dictate the use of preventative technical solutions, most companies have not yet put such protections in place.
Do you have $182 to spend for every customer in your database in case of a breach?
Assuming everyone here's referring to the USA, the reference is the PCI (Payment Card Industry) DSS (Data Security Standard). If you go to https://www.pcisecuritystandards.org/ you can download the self-assessment questionnaire that applies to your particular environment (I think this particular case corresponds to environment type 5). If you look at questionnaire D, question 1.3, it discusses the network topology and separation, firewalls, DMZ which is required.
Originally Posted by MrCoder
By the way, it is NOT necessary to answer each of these questions with "YES". A "NO" answer must be explained, and can have appropriate compensating controls applied, and the scanning vendor may work with this compensating control, and the PCI approval may be given anyway if it's determined that your compensating controls are adequate.
Nogdog's suggestion is a sensible consideration. However you might loose sales and clients don't like that.
Another option is to process the credit card immediately using a 3rd party service like Worldpay and if approval fails, provide a refund. Problem is customers don't like that, but then who cares you just rejected them anyway, lol.
The very fact that you're here asking this question lead me to think that you really really ought to consider very hard if you're out of your depth. If it all goes horribly wrong, someone will be held accountable and I'll bet you can guess where the buck stops. If you've accepted this contract as a sole trader it's you personally legally and financially and the punishment can carry a jail sentence. I would hope you've set yourself up as a limited liability company and employed yourself and have insurance. This kind of thing is really heavy duty. It would be better to lose a client then be held accountable for any failure.
Are you hosting the service for your client? If so that's a whole other set of problems. You have to stay on top of security for both your scripts and hardware, and it's not something you leave to a shared hosting company. I don't think there are any companies that store CC detail that don't have their own servers in house. If anyone knows different let us know coz I don't want to use their services!
Last edited by SyCo; 11-07-2008 at 06:08 PM.
Anti Linux rants are usually the result of a lack of Linux experience, while anti Windows rants are usually a result of a lot of Windows experience.
I'd look at using a payment gateway - google it, there are a few and unless you've got loads of transactions a gateway is probably the best option.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)