ASK HN: Best practices for storing Credit Card information
We run a hosted e-commerce app, and currently store credit card numbers, expirations and cvv2s as plaintext in the DB.
Questions for the community: 1. Is this a crime or criminal negligence? It should be ... 2. What are the best practices for storing credit card data in a secure, PII safe fashion? One way hashes? Last four only? Use some kind of vault service?
Please advise as I am ready to make this change yesterday. We do need to store the numbers somewhere for repeat customers ...
20 comments
[ 3.7 ms ] story [ 90.7 ms ] thread2) 2- or 3-TDES (http://en.wikipedia.org/wiki/Triple_DES) encryption; fully secure & restrict access to whatever database you use and whatever system holds the database; SSL connection (obviously).
having said all of that, is there a reason why you're not using something like paypal, amazon FPS or some other payment service? they kind of take the work out of this stuff by providing a secure way of accepting payments, including recurring stuff with stored CC#s.
i'm definitely not an expert, though, and the question was better addressed by someone else.
https://www.pcisecuritystandards.org/security_standards/pci_...
Once you reach a certain volume of transactions you are required to comply. Doing so now is probably not feasible if you're small, but you can still take the spirit of the standard and do your best.
Get the self-assessment questionnaire and work through it.
Encrypting columns, rows or tables in your database is trivial, pgcrypto will do this for you if have postgres. Or you can hack something together w/ http://php.net/openssl pretty easily. Whatever you do, don't try to write your own encryption routines, people will laugh at you and Moldovan teenagers will buy BMWs with your customers money.
Set up views so that non-finance personnel see the last four digits only, and those with a need to know can see the full PAN and have their accesses logged to an audit table that cannot be altered without superuser privileges.
Right now you can slide by, but in a few years your payment gateways and merchant banks are going to be insisting that even small processors have outside audits.
And according to the standard you should never store the cvv2 code, you should request it each time.
HTH
How are you supposed to take recurring payments?
But yes, you are not supposed to store the CVV2. Via http://en.wikipedia.org/wiki/Card_Security_Code#CVV2_limitat...:
Since the CVV2 may not be stored by the merchant for any length of time[2] (after the original transaction in which the CVV2 was quoted and then authorized and completed), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.
They don't store credit cards anymore.
if you are not sure how to handle this stuff, please, for the sake of your customers, use a company that does know how to do it. companies like braintree (http://www.braintreepaymentsolutions.com/) have a secure vault service that lets you store credit card information on their servers which you then access on a per-charge basis using a token.
http://www.authorize.net/solutions/merchantsolutions/merchan...
I understand you want to save the cards for future purchases, but you should definitely give customers the option to input their card every time if they so desire. If you dont need the card in the future, theres no reason to save it. Most processing gateways will return a transaction id which you can use to take processing actions in the future. You can run voids, refunds or settle payment. For our site we settle payment once we ship the goods and its all done with transaction IDs. The only thing we hang on to is the last 4 digits of the card number as a reference.
If you are going to store the card numbers use a good, well known encryption algorithm. Hashing isnt encryption, plus a one way hash will not work since you wont be able to recover the number to process.
Its important you become PCI compliant, especially if you are selling a hosted solutions to other businesses.
In all seriousness, get set up with a major processor and get on with your business. (PayFlowPro would work well for the recurring payments you seem to need as a feature.)