4

Storing credit card info in web servers under my company's control creates severe security risk. It is an incentive to break in. It forces us to guard access to our database with great care. It is a legal liability.

Obviously this would only really be useful to users who are on the same browser from one session to another, so there is a UX hit.

Would it be a security improvement to put this info in HTML5 local storage?

Lucas Gonze

2 Answers

3

POSSIBLY

By storing the credit card details on an individual's machine, you reduce the chance that a successful hack of a single server (or 'system') leads to the credit details of many (hundreds/thousands of) users being compromised. An ideal solution would entail a similar (or lower) risk as storing things on the server, but distribute the attack surface and hence massively reduce the impact.

Here is the summary of a suggested approach (which I've posed fully as a SO question HERE, with no 'poo-poos' as of yet):

  • Retrieve an encryption key from the server over HTTPS.

  • Use it (in JavaScript) to encrypt the credit card details in local storage at the same time as they are being entered by the user.

  • Throw the key away when the user navigates away from the page.

  • If the user returns later, they can retrieve the same key from the server, as well as a new key with which to cache the details going forward (to avoid the same key being used again and again).

  • The server doesn't have to keep a copy of the credit card details, and a hacker would need to gain a level of access such that they could anyway see the details being entered on the page by the user.

Community
decates
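The flow listed in the answer above, sketched with WebCrypto AES-GCM as an added example (not code from the answer or its linked question). `KeyServer`, `saveCard`, `loadCard` and `memoryStore` are hypothetical names; the key server is an in-memory stand-in for the HTTPS endpoint, and the store mimics the `localStorage` interface so the sketch also runs outside a browser.

```javascript
// Added example: fetch key -> encrypt into local storage -> rotate key on return.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Hypothetical stand-in for the HTTPS key endpoint; a real one authenticates the user.
class KeyServer {
  constructor() { this.keys = new Map(); }
  issueKey(userId) {
    const keyId = b64(wc.getRandomValues(new Uint8Array(9)));
    const raw = wc.getRandomValues(new Uint8Array(32));
    this.keys.set(`${userId}:${keyId}`, raw);
    return { keyId, raw };
  }
  fetchKey(userId, keyId) {
    const raw = this.keys.get(`${userId}:${keyId}`);
    if (!raw) throw new Error('unknown key');
    return raw;
  }
}

// Non-extractable CryptoKey, held only in page memory and never written to the store.
const importKey = (raw) =>
  wc.subtle.importKey('raw', raw, 'AES-GCM', false, ['encrypt', 'decrypt']);

// Encrypt under a freshly issued key; only keyId, IV and ciphertext are stored.
async function saveCard(store, server, userId, card) {
  const { keyId, raw } = server.issueKey(userId);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, await importKey(raw),
    new TextEncoder().encode(JSON.stringify(card)));
  store.setItem(`card:${userId}`, JSON.stringify({ keyId, iv: b64(iv), ct: b64(ct) }));
}

// Decrypt with the key named in the record, then re-encrypt under a new key.
async function loadCard(store, server, userId) {
  const rec = JSON.parse(store.getItem(`card:${userId}`) ?? 'null');
  if (!rec) return null;
  const key = await importKey(server.fetchKey(userId, rec.keyId));
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64(rec.iv) }, key, unb64(rec.ct));
  const card = JSON.parse(new TextDecoder().decode(pt));
  await saveCard(store, server, userId, card); // rotation: new key and new IV
  return card;
}

// Same getItem/setItem interface as window.localStorage.
const memoryStore = () => {
  const m = new Map();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, String(v)) };
};
```

In a browser, pass `window.localStorage` as `store`. Script running in the page's origin can call the same functions, so this sketch does not address the cross-site scripting concern raised in the comments on the other answer.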
1

No.

Because then anyone could come to the computer and get the unencrypted credit card information. Local storage is not encrypted on the computer. Storing it encrypted on a secured server is a better option (even with the legal issues).

But the best option is to not store it at all. That reduces the legal and financial issues for everyone. If people are upset with the user experience, explain to them that not storing their credit card number is for their protection.

Steven V
  • 1
    The best option is to not store it at all. – Ash Burlaczenko Jul 05 '13 at 20:27
  • 1
    In addition, any cross site scripting issue now turns from the attacker hijacking a session into the attacker both hijacking the session and stealing CC info. – Dark Falcon Jul 05 '13 at 20:27
  • @AshBurlaczenko is exactly right. Don't store anything if at all possible. – Steven V Jul 05 '13 at 20:27
  • I find this a useful answer in regard to threat models. – Lucas Gonze Aug 04 '13 at 19:34
  • 2
    To defend against that attack the web site must encrypt credit card information before putting it in local storage. Then the cost of obtaining a large number of credit card numbers requires an attacker to compromise a server in order to get the decryption key, and to compromise each client storing a number. This would be much much more expensive than compromising just the server or just a single client. – Lucas Gonze Aug 04 '13 at 19:40