14

If my MySQL database is stolen, for example, can a thief use the Stripe customer IDs to charge them?

Should I store these IDs in my database or not? Store them but encrypt them?

Thanks.

London Smith
  • What do you hope to gain by storing such information? – chepner Jan 10 '17 at 19:36
  • 1
    This isn't really a programming question; it *might* be more on-topic on security.stackexchange.com. – chepner Jan 10 '17 at 19:38
  • @chepner Just to recover a payment in my Stripe dashboard in case of a problem. – London Smith Jan 10 '17 at 19:49
  • I am going to store only the charge Id. `$charge = \Stripe\Charge::create(array(...` then `$chargeID = $charge->id;`. – London Smith Jan 10 '17 at 19:55
  • 11
    I don't know why people are so rude... I found this question because I was wondering the same thing about storing with the User, so you don't create a new Customer every time, and can retrieve stored cards. Thanks for asking! – gwalshington Aug 29 '17 at 22:53

1 Answer

23

The customer id (cus_XXXX) can be used to charge a customer's card but only with your account's Secret API key (sk_live_XXX).

Someone getting their hands on your database in that situation wouldn't be able to do anything with the information unless they also stole your API keys.

It's safe to store anything that Stripe returns via the API in your own database as they wouldn't be returning those values in the first place otherwise. It's also partially covered in the documentation here about PCI compliance.

koopajah
  • Is it a security risk to store the Stripe public and private keys in the database? –  Feb 15 '21 at 15:40
  • 1
    Storing the customer IDs in your database is common and not a security risk. Storing the API key in the database though is something I'd recommend avoiding. Use an environment variable instead to store the secret API key. – koopajah Feb 16 '21 at 16:25
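
The distinction drawn in the answer and its last comment (identifiers such as `cus_…` may live in the database, the secret key may not) can be checked mechanically. The following is an added example, not code from the thread or from Stripe: it scans every text cell of a database for values shaped like a Stripe secret key and loads the real key from the environment instead. Assumptions: an in-memory SQLite database stands in for MySQL, the table names, the `STRIPE_SECRET_KEY` variable name and all sample values are constructed, and the `sk_test_`/`rk_` prefixes are covered in addition to the `sk_live_` prefix the answer names.

```python
import os
import re
import sqlite3

# Shape of a Stripe secret/restricted key. Identifiers such as cus_... or
# ch_... deliberately do not match: they are harmless without the key.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{10,}")

def find_stored_secrets(conn):
    """Return (table, column, rowid) for every cell holding a key-shaped value."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{column}" FROM "{table}"'):
                if isinstance(value, str) and SECRET_KEY_RE.search(value):
                    hits.append((table, column, rowid))
    return hits

def load_secret_key(env=None):
    """Read the secret key from the environment; fail closed if absent or malformed."""
    env = os.environ if env is None else env
    key = env.get("STRIPE_SECRET_KEY", "")  # hypothetical variable name
    if not SECRET_KEY_RE.fullmatch(key):
        raise RuntimeError("STRIPE_SECRET_KEY is missing or not a secret key")
    return key

def build_sample_db():
    """Constructed sample data: two tables of identifiers, one misplaced key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, stripe_customer_id TEXT);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER, stripe_charge_id TEXT);
        CREATE TABLE settings (name TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'a@example.test', 'cus_EXAMPLE0000001');
        INSERT INTO payments VALUES (1, 1, 'ch_EXAMPLE0000001');
        INSERT INTO settings VALUES ('site_name', 'Demo shop');
        INSERT INTO settings VALUES ('stripe_secret', 'sk_live_EXAMPLEONLYNOTAREALKEY');
    """)
    return conn

if __name__ == "__main__":
    for table, column, rowid in find_stored_secrets(build_sample_db()):
        print(f"secret-key-shaped value in {table}.{column}, rowid {rowid}")
```

Any hit from such a scan means the key should be rotated in the Stripe dashboard and moved out of the database, since a stolen dump would then contain both the customer IDs and the credential needed to use them.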