Storing Credit Card Number - PCI?

Asked 29/11, 2010 at 4:26 Answered 9/1, 2013 at 0:12

Solved database credit-card pci-compliance pci-dss

What are the PCI rules to follow for storing credit card numbers in a database?

1) is this allowed? 2) if so, what rules do we have to follow?

Im looking at this site https://www.pcisecuritystandards.org/security_standards/index.php which document should I be reading here?

Soldier answered 29/11, 2010 at 4:26 Comment(4)

Try searching stackoverflow.com for "pci compliance". You'll get more than a bargain. – Danaus 29/11, 2010 at 4:29

Do you really want to, even if it's allowed? The inconvenience of users having to re-enter them is small compared to the headaches securely storing them gives. And I think most users don't like websites storing their card number either. – Carpo 29/11, 2010 at 14:47

If you believe you security is as good as someone like Amazon, store it. It is very convenient and it does make me more likely to buy. Doesn't really answer your question but I thought I'd say your model can be good. – Bond 29/11, 2010 at 15:12

@Johnny - The thing is you don't need to. Authorize.net and Braintree, and I'm sure most of the other major gateways by this point offer secure vaults where you don't have to worry about PCI compliance, but you can still access the card for purposes of charging your account. – Callus 9/2, 2011 at 23:40

1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.

2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.

Clavius answered 29/11, 2010 at 14:37 Comment(2)

+1. Just wanted to comment though that encryption is the easy bit, and anyone wanting to tackle this shouldn't underestimate the difficulties with encryption Key Management. – Binns 30/11, 2010 at 14:29

If you are going to store credit card numbers, you also have to be concerned with all types of access to the server, including physical. I did operations for PCI compliant servers at a large company and we did the following: CC numbers were encrypted (sure), access to the database server was limited to the web servers' IP addresses and the IP addresses of the operations team's IP addresses (I couldn't connect from home or even a different building), and the server was in a locked cage (literally had a chain and lock on it). Even if I got into the DC, I couldn't access the machine. – Kenna 26/8, 2015 at 18:59

This is not a direct answer, but a suggestion. Please don't downvote; I'm just trying to be helpful. After much experience with PCI compliance, I strongly suggest you avoid having credit card information on your systems if at all possible.

The approach we have used (with great success) is Tokenization. There are services that will collect and store your credit card information for you. You make an API call to get a token, generally a hash of some kind, which represents the credit card's primary account number. When you want to bill the card, you pass the token and other transaction details, and they process they payment.

Here is an straightforward article about the process: http://www.creditcards.com/credit-card-news/tokenization-to-fight-credit-card-id-theft-1282.php

There are lots of options for this these days:

For more information on that approach you can use the Google Search: Credit Card Tokenization.

Dubious answered 18/1, 2012 at 16:50 Comment(4)

It's not a direct answer, but IMHO has great value as an alternative approach. +1 – Latricialatrina 18/1, 2012 at 17:54

I added Adyen to the list of Tokenization Payment providers December 2106. I have not used them personally, but I noticed in my JetBrains account today that this is who JetBrains uses. As one of the (IMHO) top developer tools providers, I would ASSUME they have properly vetted Adyen for security. – Dubious 29/12, 2016 at 17:48

We were using tokenization but its a nightmare when you want to migrate to a different credit card processor. – Justen 3/8, 2019 at 7:52

@Justen I can really see where that would be the case. I guess you have to weigh that against the potential nightmare of managing concrete credit card data yourself. Unless I was working for a financial institution with a very competent department dedicated to security, I still think I would prefer tokenization. Still, your situation and mileage will vary. Good luck. – Dubious 5/9, 2019 at 17:55

You can but it's expensive to do.

You need to have DNS provided by another service or a dedicated DNS server.

You need to have a dedicated server running your SQL Server database and nothing else.

You need to use PCI approved software.

Your Database server needs to be within the same Data center as your Web Server else you will have poor performance.

So it's best to either host your site on a PCI secure host or setup your servers as I described.

Bartram answered 9/1, 2013 at 0:12 Comment(1)

What has DNS got to do with this? – Justen 3/8, 2019 at 7:51

Recommended topics

Hot tags