3

I'm running ASP.NET MVC and need a safe way to store credit-card data temporarily (I have an order confirmation page, which posts to an action that actually processes the order). I tried TempData, but it doesn't survive the post. Can I safely use session since it's stored on the server?

Thanks.

jchapa
  • also see http://stackoverflow.com/questions/1947653/asp-net-mvc-secure-temporary-storage-of-credit-card-data – Mauricio Scheffer Jan 08 '10 at 01:30
  • I saw that one, but it didn't directly address my questions. – jchapa Jan 08 '10 at 02:05
  • 3
    Bear in mind that if your systems ever see credit card data, then you may well need to be compliant with the PCI DSS https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml – Cheekysoft Jan 08 '10 at 11:06

3 Answers

4

You really shouldn't even be requesting the numbers until the last step in the process. Additionally, you should be using SSL for the entire span of the process too. If you decide to store them in Session, encrypt them just for an added degree of safety.

Sampson
  • Good advice. I knew that you had to follow certain policies if you persisted the data, but was glad I asked before throwing them in Session State (even using SSL). – jchapa Jan 08 '10 at 18:40
3

Sessions are insecure (thanks to the commenters for correcting me on this). Not only are they susceptible to a brute-force attack, there are several other vulnerabilities. http://www.dreamincode.net/forums/showtopic61503.htm

If you absolutely must use sessions to store your data, make sure to use a suitable session timeout so that people don't accidentally leave their credit card details on a public computer.

I would strongly recommend, however, that you review the Payment Card Industry Data Security Standard (PCI DSS). https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

David Pfeffer
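The two answers above boil down to the same design: collect the card only on the last form, post it once over HTTPS straight to the action that charges it, and keep Session for non-sensitive state with a short timeout. The controller below is an added example written for this thread; it is not code from any of the answerers. It assumes ASP.NET MVC 2 attributes (`[RequireHttps]`, `[HttpPost]`, `[ValidateAntiForgeryToken]`), and `PaymentGateway` and `OrderRepository` are hypothetical stand-ins for the real processor API and order store.

```csharp
// Added example, not code from the thread. Assumes ASP.NET MVC 2 attributes;
// PaymentGateway and OrderRepository are hypothetical placeholders.
using System;
using System.Web.Mvc;

public class Order
{
    public int Id { get; set; }
    public decimal Total { get; set; }
}

// Bound from the card fields on the final form. It is never written to
// Session or TempData, so nothing survives the single processing request.
public class CardDetails
{
    public string Number { get; set; }
    public string ExpiryMonth { get; set; }
    public string ExpiryYear { get; set; }
    public string Cvv { get; set; }
}

// Hypothetical wrapper around the processor's API; the card goes straight to it.
public static class PaymentGateway
{
    public static bool Charge(Order order, CardDetails card)
    {
        throw new NotImplementedException("call the real payment processor here");
    }
}

// Hypothetical order store.
public static class OrderRepository
{
    public static Order Load(int id)
    {
        return new Order { Id = id, Total = 0m }; // placeholder: load from the database
    }
}

[RequireHttps] // every action in the checkout is served over TLS
public class CheckoutController : Controller
{
    private const string PendingKey = "PendingOrderId";

    // Step 1: order summary. Session holds only the order id (not sensitive).
    // The card fields are rendered on this page but not collected yet.
    public ActionResult Confirm(int orderId)
    {
        Session[PendingKey] = orderId;
        return View(OrderRepository.Load(orderId));
    }

    // Step 2: the confirmation view posts the card fields directly here.
    // They are used once for the charge and discarded with the request.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Process(CardDetails card)
    {
        int? pendingId = Session[PendingKey] as int?;
        if (pendingId == null)
            return RedirectToAction("Expired"); // session timed out: start over

        Order order = OrderRepository.Load(pendingId.Value);
        bool approved = PaymentGateway.Charge(order, card);

        // Drop the card values from the bound model before the action returns.
        card.Number = null;
        card.Cvv = null;

        Session.Remove(PendingKey);
        if (approved)
            return RedirectToAction("Receipt", new { id = order.Id });

        ModelState.AddModelError("", "The card was declined; please try again.");
        return View("Confirm", order);
    }
}
```

Because the card never enters Session, the remaining session concern is only the pending order id; the timeout David mentions is set in web.config with `<sessionState timeout="10" />` (minutes), and the `Expired` branch above handles the case where it fires mid-checkout.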
1

Session state will persist the information, but it is not secure. Be aware that any kind of persistence may be violating the terms of service with the bank or credit agency. Most of them have very strict regulations on what you're allowed to do with this information.

Aaronaught
  • Apparently my answer implied that "sessions are secure". I don't think I said that, and even pointed out that persisting CC's at all is something you shouldn't do, but in any case, I edited to make that point more clear. – Aaronaught Jan 08 '10 at 15:23