
For mobile applications on Android and iOS
I need to store credit card information so that I can later retrieve it to autofill forms.
Is it possible to keep this data secure?

Lola
    Do not do this unless you are an expert. It is possible to save Credit Card data securely on iOS using the Keychain but not recommended. If you wish to implement purchasing on iOS use Apple Pay and let Apple manage the payment process (which is complex) and the security (which is very hard) for you. – Robotic Cat Jul 22 '15 at 14:23

4 Answers

2

Just don't do it, it's far more complex than you would think and very risky. Take a look at this https://stackoverflow.com/a/3002237/4739608.

Errol Green
2

As you can see in other answers and comments this is far too RISKY; you need to use a third-party service that does all the work for you, such as:

  • PayPal Mobile SDK

  • Apple Pay in the case of iOS

  • Why don't you take a look at the MasterCard or Visa mobile development APIs and mobile SDKs and see if that's what you need

Karlo A. López
2

PayPal has a product called PayPal Vault where you can store credit card data at PayPal under a payment ID. This way you can transact against the card without storing the credit card data.

https://developer.paypal.com/docs/api/#vault

Storing the last 4 digits of the card and a card type isn't an issue for PCI Compliance (which is a pretty big deal). This way you can store credit card data for your buyers as:

MASTERCARD XXXXXXXXXXXX5558

Then when you are looking to transact, you can charge the "payer_id" and not have to keep your hands on the card data. As you won't have your hands on a database of credit cards you won't risk that information being compromised and being held accountable for damages.

There are other companies that do similar processes. I am just familiar with PayPal so I feel confident with this suggestion.
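The tokenised record this answer describes (a vault payer id plus brand and last four digits, displayed as MASTERCARD XXXXXXXXXXXX5558), as an added Python example that is not part of the answer or of PayPal's SDK. The card number is a constructed Luhn-valid sample, not a real card, and the payer id is a hypothetical placeholder for whatever the vault returns; the example also adds a leak check a practitioner would run over anything about to be persisted or logged, which goes beyond what the answer spells out.

```python
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample: Luhn-valid but NOT a real card, picked so the masked form matches the
# answer's example; the payer id stands in for a hypothetical token returned by the vault.
SAMPLE_PAN = "5555 5555 5554 5558"
SAMPLE_PAYER_ID = "CARD-EXAMPLE-1234"

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_brand(digits: str) -> str:         # Visa and Mastercard ranges only
    if digits.startswith("4"):
        return "VISA"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "MASTERCARD"
    return "UNKNOWN"

@dataclass(frozen=True)
class StoredCard:
    payer_id: str   # the vault token you charge against; not card data
    brand: str
    masked: str     # all but the last four digits replaced by X
    def label(self) -> str:
        return f"{self.brand} {self.masked}"
    def to_json(self) -> str:
        return json.dumps(asdict(self))

def tokenize_for_storage(pan: str, payer_id: str) -> StoredCard:
    """Reduce a full PAN to the only fields that are kept on the device."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a well-formed card number")
    return StoredCard(payer_id, card_brand(digits), "X" * (len(digits) - 4) + digits[-4:])

PAN_PATTERN = re.compile(r"(?:\d[ -]?){13,19}")

def contains_pan(blob: str) -> bool:
    """Leak check for anything about to be persisted or logged: any Luhn-valid run of digits."""
    for m in PAN_PATTERN.finditer(blob):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False
```

Running `contains_pan` over the serialised record returns False, while the same check over a string that still carries the raw number returns True.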

2

Possible - yes.

Probable - no.

Securing credit card data is notoriously difficult and usually takes a complex system of layered encryption, authentication and authorisation mechanisms.

Even companies with security teams don't commonly attempt to do this; rather, they store the card numbers in a PCI-DSS compliant environment and store card tokens on the device.

Which brings us to the main point: The standard guidelines for any environment (so in your case the phone) that stores CC data are the PCI-DSS 3.0 guidelines (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf) of about 120 pages. If you absolutely must store card data (absolutely not recommended), I suggest starting with this document.

0x90