1

I have a Backend with ASP.NET WebApi and a Android client. Basically, when the user makes a payment I need to send a Credit Card information to my WebApi and make the payment there to my Gateway by REST. But I'm concerned because, somehow or someway these information could be intercepted in some cases. For saving these information on SQL I already have a Cryptography code to do this. I was thinking, should I implement a code to crypt the data from the android to Api and decrypt for making the payment and then use my current cryptography to storage in database? Should I use Rijndael? Thanks!

OneCricketeer
  • 179,855
  • 19
  • 132
  • 245
Nathiel Barros
  • 685
  • 2
  • 11
  • 25
  • 1
    [How to handle sensitive properties in a RESTful API (such as passwords, credit cards, etc)](https://stackoverflow.com/q/19072759/608639), [Best security practices when sending a credit card number to a REST API](https://stackoverflow.com/q/7424729/608639), etc. There are lots of PayPal specific questions, but its not clear if you are using them. – jww Jun 04 '17 at 10:47
  • I'm using a local(Brazil) gateway, they have a Android Library for payment, but in my case, the payment has to be on Api, the first thread says that if my API is hosted with SSL by HTTPS the data is encrypted, but I think I should increase the security. – Nathiel Barros Jun 04 '17 at 10:52
  • 2
    Have a look at the PCI DSS: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard – Henry Jun 04 '17 at 11:09

1 Answers1

3

When using HTTPS you should pin the certificate, that means verify that the site you are directly connecting to is the correct site.

This is done be verifying that the certificate presented by the HTTPS connection is the correct site, this avoids MITM attacks.

The the Android client verifies that the connection is directly to your gateway and that your gateway connects directly to the payment site.

You do not need to add anymore security/encryption.

As henry states: consult the PCI DSS documents. See PCI Compliance Guide.

zaph
  • 111,848
  • 21
  • 189
  • 228