saving credit cards for a website

[progman1010]

i have a need to save credit card numbers on a website i'm developing. What would be a good way of storing these securely?

i am open to any and all thoughts on this subject...

 

[silverhairbp]

IIRC, Visa and MasterCard (under the umbrella group PCI) forbid the retention of personal data that includes card numbers. (too much opportunity for fraud)

The banks through which the card transactions are cleared stand to face fines that can exceed $100,000 for infractions.

Suggest you get a copy of the PCI Data Security Requirements from visa.com for more details.

 

[Hondy]

that isn't correct, there are plenty of sites that retain this information - just not ALL of it. There are however certain stipulations such as not storing CVV numbers and encrypting your data.

So, in short store the details in an encrypted form- but I have to mention that if you are storing credit card details and aren't sure about the security then I would get some proper advice from a security professional as there are lots of nasties to worry about such as SQL injection and other issues. If the data is sufficiently encrypted then the data is useless to anyone that manages to lift it.

but as silver says, check the PCI docs

 

[progman1010]

good thoughts- i'm certainly not going to do this on my own i'm going to read up on SQL injection now...

 

[Hondy]

just make sure you sanitise all inputs to fields - only allow valid characters to be entered, for example credit card numbers require only numbers to be entered, there is no reason to allow punctuation to be entered in this field e.g. 1=1--' (if you read about SQL injection this will make sense)

You can also restrict SQL commands themselves such as drop, create etc if these words are found in a variable then discard them.

on a super scary note MS SQL often has a xp_cmdshell stored procedure and guess what that does if you manage to run it remotely...

Its not just form based SQL attacks you have to worry about when storing personal data its a whole website security exercise unfortunately!

So basically, speak to a security specialist or have them test your site for vulnerabilities when you think you are done. Then fix all the holes, then you can think about storing real data!



hope this helps!

 

[Hondy]

while I'm on the rant, try this free scan on your website from Qualys

http://www.qualys.com/forms/google/free_scan/index.php?lsid=6660

 

[Hondy]

erm, not sure if I can post that link actually, but I cant edit it. Anyway I got it off google for you.

Cheers

 

[progman1010]

great advice, hondy. i'm going to be finding a security expert then...

 

[Hondy]

oh, you will wish you never asked lol

There are actually products available such as Payment card vault from Oracle which does what you are trying to do for you - maybe this is the way forward.

But it all costs $$, I don't think its possible to store credit card info anymore without considerable investment due to PCI compliancy. If you don't follow their standard, Visa and Mastercard can fine you and cut you off which is never good for business.

Kinda sucks huh! good luck!