9

Yeah... just thinking about it...

Should I store credit card numbers that have been input on my site as strings or ints?

I mean, they're made up of numbers which makes me think it's an int... but I don't do maths on them, so maybe a string is more appropriate?

EDIT: So I have to store the number that's been input at some point, before I encrypt it. I probably should have been more specific - it's not like I'm saving them in the DB in clear text or anything - glad to see how conscientious everyone is :)

Ev.

7 Answers

34

Neither. You should save them, at very least, as byte arrays encrypted with AES or equivalent using industry-accepted key storage.

Windows provides a lot of this via the Data Protection API: http://msdn.microsoft.com/en-us/library/ms995355.aspx

For your own sake and the sake of your customers, please learn the proper standards for encrypting financial credentials or hire someone who knows them.

Given your edit:

C# has a SecureString class that you should use. I don't believe that there is a Java equivalent, but I could be wrong.

EDIT: For posterity's sake...

Guidelines for storage, transmission, and processing of credit card details are defined by PCI DSS (Data Security Standards). Anyone considering how to architect their solution for managing credit card data should read about that here, and consult an industry expert: https://www.pcisecuritystandards.org/

Chris Shain
  • Thank god for answers like this. Well said. – Chris Eberle Aug 26 '11 at 03:02
  • Thanks. Questions like that make me thankful for the one-time-use card # service I have. – Chris Shain Aug 26 '11 at 03:05
  • But it's not really an answer to the question, is it? Even with encryption, there's still a question of whether the _plaintext_ inside the encryption consists of a binary integer, or a string of ASCII digits. (Not a hard question though; the tiniest possibility that leading zeroes are or may someday become significant ought to determine the answer). – hmakholm left over Monica Aug 26 '11 at 03:08
  • @Chris, very true and a great point. I made an edit to the question to be more clear, but it's not exactly the answer I was after. – Ev. Aug 26 '11 at 03:10
  • True. There is the possibility that this is an (extremely misguided) homework question. In that case, yes, the answer I suppose would be a string. But I'd still write "Neither", and explain why. – Chris Shain Aug 26 '11 at 03:10
  • @Henning Makholm: after encryption, it would be alphanumeric that you can only store as String. – Rudy Aug 26 '11 at 03:10
  • @Rudy: alphanumeric?? I don't think I've ever heard of a credit card number with letters in it, but I don't get out that much. If you're talking about the _ciphertext_, that's not alphanumeric -- it's random-looking bytes, highly probably not even corresponding to a printable string under your favorite character encoding. – hmakholm left over Monica Aug 26 '11 at 03:20
  • @Chris. No need to be mean, re. the homework thing. It was just a thought that popped into my head as I was typing up code - obviously you are a much more experienced developer than me (although I'm no longer at school). My apologies for wasting your time, but thank you again for the great advice! :) – Ev. Aug 26 '11 at 03:21
  • I didn't mean to come off as being mean to you, mate. We get a lot of verbatim homework on here; by misguided I meant that any CS teacher who asked that particular question (outside of maybe a security class as an intentional trick question) should know better. – Chris Shain Aug 26 '11 at 03:24
  • @Henning Makholm: depends on the way/library you use for encryption; the result can contain alphanumeric. – Rudy Aug 26 '11 at 03:32
  • @Chris: your SecureString recommendation answers my question and taught me something I didn't know existed. Thanks heaps buddy :) – Ev. Aug 26 '11 at 03:34
8

Credit card numbers would be a string. I'm not positive, but I feel like some cards can start with a 0, and you wouldn't want to lose any of those leading zeros. Also, you should encrypt that. If not, a malicious user may be able to snag card numbers through cookies, packet sniffers, and other things.

Tony318
6

Note that:

  • the range of int in Java is -2147483648 to 2147483647 (you can check it by printing Integer.MAX_VALUE and Integer.MIN_VALUE);
  • a credit card number has 16 digits;
  • there is no need to do calculations on a credit card number;
  • you should not store a credit card number without encrypting it (to avoid the number being stolen), and usually the result of the encryption can contain alphanumeric characters.

Based on those facts, I believe String is more appropriate. (BUT ENCRYPT FIRST)

Rudy
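The points made in Chris Shain's, Tony318's and Rudy's answers above, put into runnable form. This is an added example in Go, not code from any of the posters: a 16-digit number does not fit a 32-bit int, an int64 silently drops a leading zero, so the plaintext is kept as a digit string; before storage it is sealed as bytes with AES-256-GCM, and because the ciphertext is binary it is base64-encoded when it has to live in a text column (which is the sense in which the stored form ends up "alphanumeric"). `samplePAN` is a constructed test value, not a real card, and the key is generated in-process only for the demonstration; in a real system the key lives in a key store (DPAPI, a KMS or an HSM), which is the "industry-accepted key storage" the accepted answer refers to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// samplePAN is a constructed 16-digit test value, not a real card. The leading
// zero is deliberate: it is exactly what an integer type would lose.
const samplePAN = "0123456789012345"

// fitsInt32 reports whether a digit string can be held in a 32-bit int (Java's int).
func fitsInt32(digits string) bool {
	_, err := strconv.ParseInt(digits, 10, 32)
	return err == nil
}

// roundTripInt64 parses the digits into an int64 and formats them back. Sixteen
// digits fit, but a leading zero does not survive the trip.
func roundTripInt64(digits string) (string, error) {
	n, err := strconv.ParseInt(digits, 10, 64)
	if err != nil {
		return "", err
	}
	return strconv.FormatInt(n, 10), nil
}

// isPAN is the minimal shape check for a card number kept as text: 13 to 19 ASCII digits.
func isPAN(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals the digit bytes and returns nonce || ciphertext || tag.
// The result is raw binary, not printable text.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	if !isPAN(pan) {
		return nil, errors.New("input is not a card number")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN; GCM's tag check turns any tampering into an error.
func decryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	fmt.Println("16 digits fit in int32:", fitsInt32(samplePAN))
	asInt, _ := roundTripInt64(samplePAN)
	fmt.Println("int64 round trip:", asInt, "leading zero lost:", asInt != samplePAN)
	// Demonstration only: a real key comes from a key store, not from rand at start-up.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := encryptPAN(key, samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored form (base64 of the binary blob):", base64.StdEncoding.EncodeToString(blob))
	back, err := decryptPAN(key, blob)
	fmt.Println("decrypts back to the original:", err == nil && back == samplePAN)
}
```

The shape check in `encryptPAN` is there so that what gets encrypted is a card number and not, say, a formatted string with spaces or dashes; a fresh random nonce per record is what keeps GCM safe when the same key protects many rows.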
5

You shouldn't store credit card numbers at all, ever, as anything. If you are integrating with a payment provider, pass the information straight to them; if you need to charge later, they should be able to provide a token of some sort. Unless your servers are compliant, you are probably breaking rules.

kmcc049
4

Credit card information (or any personal information that can be misused) should never be stored in its raw form (strings, integers, etc). Always encrypt it so that the information is protected in case your website is hacked.

K Mehta
2

Since it does not make sense to add or multiply credit card numbers, ints are not suitable. Use strings.

lhf
2

Before storing any credit card information get familiar with the requirements for PCI (Payment Card Industry) compliance. This covers how you can store the numbers, and how much of the number you can store. There are a number of other steps you need to take to secure your servers.

BillThor
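kmcc049's and BillThor's answers describe the design that sidesteps the string-or-int question: the payment provider keeps the card and hands back a token, and the application stores only what PCI DSS allows in the clear. The Go below is an added illustration, not code from either answer or from any payment provider. `ProviderToken` and its value are placeholders, the card numbers are the card schemes' published test numbers, and the PCI DSS rule applied is that a truncated PAN keeps at most the first six and last four digits. `ContainsPANRun` goes a step beyond the answers: it is the check a team runs over records and log lines to confirm that no full number slipped through.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the record an application keeps once the payment provider has
// charged or vaulted the card. ProviderToken is a hypothetical opaque reference
// returned by the provider; its format is the provider's business, and it is
// useless to anyone without that provider account.
type StoredCard struct {
	Truncated     string // at most first six and last four digits, rest masked
	Last4         string
	ProviderToken string
}

// TruncatePAN renders a card number in the form PCI DSS permits to be stored
// readable: at most the first six and last four digits, the middle replaced.
func TruncatePAN(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("card number must be 13 to 19 digits")
	}
	for i := 0; i < len(pan); i++ {
		if pan[i] < '0' || pan[i] > '9' {
			return "", errors.New("card number must contain digits only")
		}
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// NewStoredCard builds the record; the full number goes no further than this call.
func NewStoredCard(pan, providerToken string) (StoredCard, error) {
	if providerToken == "" {
		return StoredCard{}, errors.New("provider token required: the app holds no charging credential itself")
	}
	truncated, err := TruncatePAN(pan)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Truncated: truncated, Last4: pan[len(pan)-4:], ProviderToken: providerToken}, nil
}

// ContainsPANRun is the check to run over anything about to be persisted or
// logged: true if it contains an unbroken run of 13 to 19 digits, the shape of
// a full card number. The truncated form never triggers it; a leaked PAN does.
func ContainsPANRun(s string) bool {
	run := 0
	for i := 0; i <= len(s); i++ {
		if i < len(s) && s[i] >= '0' && s[i] <= '9' {
			run++
			continue
		}
		if run >= 13 && run <= 19 {
			return true
		}
		run = 0
	}
	return false
}

func main() {
	// Constructed input: the published Visa test number and a placeholder token.
	card, err := NewStoredCard("4111111111111111", "tok_placeholder_from_provider")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", card)
	fmt.Println("record leaks a PAN:", ContainsPANRun(fmt.Sprintf("%+v", card)))
	fmt.Println("log line leaks a PAN:", ContainsPANRun("charged 4111111111111111 for order 42"))
}
```

The struct has no field that could hold the full number, which is the real control: a later developer cannot "just add" the PAN to the record without changing the type, and `ContainsPANRun` catches it if it arrives through a free-text field or a log message instead.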