38

I want to allow my customer users to enter their credit card information so that I can charge them every month.

I wonder how one should save this information?

Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?

I have no experience of this and would be glad if someone could advice me how to accomplish this.

Thanks.

John Conde
  • 217,595
  • 99
  • 455
  • 496
never_had_a_name
  • 90,630
  • 105
  • 267
  • 383
  • 18
    Depending on the laws that apply to the place where you operate your business, it may even be *illegal* to store credit card numbers in this way. Be careful, talk to your bank and/or legal representation. – Greg Hewgill Jul 25 '10 at 11:14
  • are it is legal ? in mostly cases we use Paypal and ccavenue to online transaction. if you stored Credit card information that you need much more security on them. –  Jul 25 '10 at 14:40
  • 1
    Don't. (My opinion as a programmer and as a buyer.) – Amy B Jul 25 '10 at 19:18

3 Answers3

86

As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.

Having said that, here are three things to consider:

1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.

2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).

3) State and country specific laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.

As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).

John Conde
  • 217,595
  • 99
  • 455
  • 496
  • Where is the best place to find local laws? – Mike Cole Sep 26 '13 at 14:26
  • Very helpful information John. – Funk Forty Niner Mar 15 '15 at 01:09
  • 1
    Square.com has a neat API. They will store card info in a PCI-compliant way for you. – Ozymandias Jul 30 '16 at 11:24
  • How does the payment processor/payment gateway store the credit card information? They follow the PCI guidelines as well as country specific laws? What if e.g. a company providing an online service is in England and the customer who buys the online service is from Germany and uses a credit card issued by a local German bank? Which laws should the English company follow? The laws from Germany, England or both? Thank you! – tonix May 31 '20 at 10:26
18

The safest way is to NOT store the credit card information on your system, but let a 3rd party payment provider do it for you.

Donal Fellows
  • 133,037
  • 18
  • 149
  • 215
ZippyV
  • 12,540
  • 3
  • 37
  • 52
  • how? which ones? could u give me some more information – never_had_a_name Jul 25 '10 at 11:27
  • That way all the legal issues will be with the 3rd party. – Gert Grenander Jul 25 '10 at 11:47
  • 1
    +1 - unless your client is PCI Compliant, www.pcicomplianceguide.org/pcifaqs.php, then don't do it. You could be getting you and your client into a world of hurt. Use a payment processor like PayPal (but their fees are outrageous), GoogleCart, Authorize.net – gnome Jul 25 '10 at 14:16
  • @ZippyV: how will it work then paypal store the CC information? if i have a user with username "peter@gmail.com". how could i retrieve the CC information stored in Paypal for using it with other payment services? i dont get the coupling. could u please explain? – never_had_a_name Jul 25 '10 at 15:17
  • Paypal doesn't give you access to his CC information because you don't need it. When 'peter' says on your website that he wants to subscribe to service A you redirect him to the Paypal website and submit other information like his username, the name of the service and the price he must pay. The only information you get (and need) from Paypal is if the transaction succeeded or not. – ZippyV Jul 25 '10 at 15:45
  • @ZippyV: But then the problem is that he has to retype the information everytime he is buying something from me? Or does he need to have a Paypal account then? Cause i know Spotify doesnt have it like this. I wonder how they do. – never_had_a_name Jul 25 '10 at 16:17
  • You said in your question that you want to bill every month. I assume that's a subscription and Paypal supports recurring fees. Having a Paypal account makes it easier but it's not necessary for the customer. – ZippyV Jul 25 '10 at 21:09
  • @ZippyV. if the customer doesnt have a Paypal account, then he has to enter the CC information each time for one-time-buys? – never_had_a_name Jul 26 '10 at 04:08
  • Yes, he will have to enter his cc information each time. – ZippyV Jul 26 '10 at 09:25
  • What about the third party payment provider? They store that information somewhere somehow, right? – tonix May 31 '20 at 10:22
6

It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.

My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.

Darryl Hein
  • 142,451
  • 95
  • 218
  • 261
OMG Ponies
  • 325,700
  • 82
  • 523
  • 502