Question

Basically I'm working on a site where it will process credit cards. But when a transaction/charge is placed I would like to store information about the credit card in a database.

Right now, I've been thinking of storing the first 4 and last 4 numbers and the expiry date. But I won't store it in plain text, I've created my own encryption method.

Is that safe enough?


Solution 2

From a PCI compliance perspective, storing only the first four, last four in plain text is fine. PCI actually allows plain text storage of the first six digits (this is known as the IIN or Issuer Identifier Range), and last four digits (the very last digit is a checksum).

These are similar to the standards for printed receipts, which allow the first six and last three digits to be printed.

Your question does understandably ring alarm bells though. If you (or your systems) have access to the full card number, then you are in the scope of PCI-DSS. Monitoring and maintaining compliance can be time consuming and costly, especially where your compliance must be verified by a third party QSA (Qualified Security Assessor).

The better approach then would be to use a payment gateway that is already PCI compliant. They would be able to perform the card authorization/settlement and return to you a token id and/or a hash of the card number which is safe to store in your database.

Other tips

Is it safe enough? Let me think. Hmm, I'd like you to consider the rather large number of data breaches that have occurred over the last few years, from sites that people assumed would be safe.

Sites like Sony, the NHS, EverNote, Yahoo, Ubisoft, Apple, Blizzard and even the NSA (who you would think would be best at protecting its own information). From here:


In addition, it's unlikely your homegrown encryption would stand up to determined attacks.

But the real question is: why do you need the information? The information really belongs to the owner of the card and any site that stores it is reducing that owner's safety. It may be better to use a different identifier for the customer and store a non-reversible hash value for the card number if you need to know something like how many different cards they use. While a hash would get collisions across the entire search space of card numbers, the chance of collisions within a single customer is much much smaller.

You may also find that legislation limits what you can store, depending on your jurisdiction.
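Putting the two answers together, as an added example (not code from either answer): PCI-style truncation to the first six and last four digits, the Luhn check that the second answer alludes to, and a keyed hash instead of a plain one for recognising a returning card, because once the truncated PAN is stored next to the hash only the middle six digits are unknown and a plain hash can be reversed offline. The test card number, expiry and key below are constructed values.

```python
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """True if the PAN's last digit is the correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: keep the first six (IIN) and last four digits."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) used only to recognise a returning card.

    An unkeyed hash is not enough when the truncated PAN sits in the same
    table: with first six and last four known, only the middle six digits
    are unknown (10**6 candidates, about 10**5 after Luhn), so every
    fingerprint could be reversed offline. The key must live outside the
    database (HSM, KMS or at least a separate secrets store).
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def card_record(raw_pan: str, expiry: str, key: bytes) -> dict:
    """Build the only card data kept after a charge: no full PAN, no CVV."""
    pan = re.sub(r"[ -]", "", raw_pan)          # tolerate "4111 1111 ..."
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("not a valid card number")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    return {
        "masked_pan": truncate_pan(pan),
        "expiry": expiry,
        "fingerprint": card_fingerprint(pan, key),
    }


if __name__ == "__main__":
    # Constructed values: the standard Visa test number and a throwaway key.
    print(card_record("4111 1111 1111 1111", "12/30", b"demo-key-not-for-production"))
```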

Licensed under: CC-BY-SA with attribution