Saving credit card information in MySQL database? [closed]

Asked 25/7, 2010 at 11:4 Answered 25/7, 2010 at 22:12

Solved mysql database credit-card pci-compliance pci-dss

I want to allow my customer users to enter their credit card information so that I can charge them every month.

I wonder how one should save this information?

Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?

I have no experience of this and would be glad if someone could advice me how to accomplish this.

Thanks.

Alysiaalyson answered 25/7, 2010 at 11:4 Comment(3)

Depending on the laws that apply to the place where you operate your business, it may even be illegal to store credit card numbers in this way. Be careful, talk to your bank and/or legal representation. – Galbreath 25/7, 2010 at 11:14

are it is legal ? in mostly cases we use Paypal and ccavenue to online transaction. if you stored Credit card information that you need much more security on them. – Verrocchio 25/7, 2010 at 14:40

Don't. (My opinion as a programmer and as a buyer.) – Killigrew 25/7, 2010 at 19:18

As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.

Having said that, here are three things to consider:

Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
State and country specific laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.

As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).

Grieco answered 25/7, 2010 at 22:12 Comment(4)

Where is the best place to find local laws? – Yongyoni 26/9, 2013 at 14:26

Very helpful information John. – Homoiousian 15/3, 2015 at 1:9

Square.com has a neat API. They will store card info in a PCI-compliant way for you. – Beitch 30/7, 2016 at 11:24

How does the payment processor/payment gateway store the credit card information? They follow the PCI guidelines as well as country specific laws? What if e.g. a company providing an online service is in England and the customer who buys the online service is from Germany and uses a credit card issued by a local German bank? Which laws should the English company follow? The laws from Germany, England or both? Thank you! – Palmapalmaceous 31/5, 2020 at 10:26

The safest way is to NOT store the credit card information on your system, but let a 3^rd party payment provider do it for you.

Fluoresce answered 25/7, 2010 at 11:22 Comment(10)

how? which ones? could u give me some more information – Alysiaalyson 25/7, 2010 at 11:27

That way all the legal issues will be with the 3rd party. – Flaunty 25/7, 2010 at 11:47

+1 - unless your client is PCI Compliant, www.pcicomplianceguide.org/pcifaqs.php, then don't do it. You could be getting you and your client into a world of hurt. Use a payment processor like PayPal (but their fees are outrageous), GoogleCart, Authorize.net – Lazes 25/7, 2010 at 14:16

@ZippyV: how will it work then paypal store the CC information? if i have a user with username "[email protected]". how could i retrieve the CC information stored in Paypal for using it with other payment services? i dont get the coupling. could u please explain? – Alysiaalyson 25/7, 2010 at 15:17

Paypal doesn't give you access to his CC information because you don't need it. When 'peter' says on your website that he wants to subscribe to service A you redirect him to the Paypal website and submit other information like his username, the name of the service and the price he must pay. The only information you get (and need) from Paypal is if the transaction succeeded or not. – Fluoresce 25/7, 2010 at 15:45

@ZippyV: But then the problem is that he has to retype the information everytime he is buying something from me? Or does he need to have a Paypal account then? Cause i know Spotify doesnt have it like this. I wonder how they do. – Alysiaalyson 25/7, 2010 at 16:17

You said in your question that you want to bill every month. I assume that's a subscription and Paypal supports recurring fees. Having a Paypal account makes it easier but it's not necessary for the customer. – Fluoresce 25/7, 2010 at 21:9

@ZippyV. if the customer doesnt have a Paypal account, then he has to enter the CC information each time for one-time-buys? – Alysiaalyson 26/7, 2010 at 4:8

Yes, he will have to enter his cc information each time. – Fluoresce 26/7, 2010 at 9:25

What about the third party payment provider? They store that information somewhere somehow, right? – Palmapalmaceous 31/5, 2020 at 10:22

It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.

My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.

Talmud answered 25/7, 2010 at 18:54 Comment(0)

Recommended topics

Hot tags