Credit Card Processing

Hi Guys,

I have done a lot of research into getting a merchant account processor and have got a little problem. On my new website I am going to have to store sensitive credit card details. I have not found a company that offers such storage and I do not have the confidence to store it in my DB as I cannot be sure how secure it is.

I also have the problem of not being able to encrypt the numbers etc because I will obviously need to de-crypt them in order to read them!

Any advice on a solution?

Thanks in advance,

Ben

PHP

14 Comment(s)
@Jarrod1937 Nov 01.2010 — One trick, to at least make it more difficult, is to create a second database (an entirely separate database), which has an encrypt key to credit card id relationship. You can then encrypt the cards using some really good encryption and then simply lookup their random encrypt key when decrypting. The separate database makes it that much harder for a hacker/cracker as they then have to know about and compromise both databases.

And you can probably find a host, or a package with your existing host, that has pci compliant hosting. Though pci-compliance doesn't mean your site is 100% safe, it is a good start.

You can also add some extra security by deleting the credit card numbers when they're no longer needed. For example, if you're an ecommerce website, delete the credit card numbers after an item has been shipped. This at least limits your liability.

And I'm sure this doesn't need to be said, but always encrypt the numbers during transmission (ssl).
@qjensen Nov 01.2010 — Why do you need to store the cc info locally? What is your use case? Is there another way of achieving the same results?

You already understand that this is a risky proposition, so it would definitely be a better deal for you if you could find another way to do it.
@criterion9 Nov 01.2010 — Many merchants offer recurring billing without the need to store full CC details locally. PCI compliance requires no storage of the full details (and full storage might possibly break some specific card agreements such as Visa I believe).
@Benji6996 (author) Nov 01.2010 — Yes I have heard something about PCI. I do not fully understand what it is, although I do know my hosting service does provide support for it.

If I encrypt the numbers on transmission, how do I then decrypt them on collecting them?


In reply to qjensen, I do not need to store the CC details locally. Unless by locally you mean on my web server's database. I just need to store them somewhere that I can retrieve them for my site.

The reason why I need to do this is because I am going to be selling advertising space on my site and I want the process to be as quick as possible. Basically so my clients submit their card details and when they make another purchase they do not have to enter their details again. They would have to enter their password though.

Exactly what amazon does!!!! They store your debit or credit card info and when you make another purchase you can just order in a few clicks without having to re-enter info.


criterion9, if it breaches the card agreements then that is that, I won't do it this way. Surely if the merchants offer recurring billing then they must store the details somehow.

I am also confused as to what recurring billing is. In the sense that is it automated billing for £x per month or year etc. Or is it just a system that helps speed up the process of ordering stuff, say 'one click purchases' like on amazon?

Thanks guys,

B
@Jarrod1937 Nov 01.2010 — [QUOTE]Many merchants offer reoccurring billing without the need to store full CC details locally. PCI compliance requires no storage of the full details (and full storage might possibly break some specific card agreements such as Visa I believe).[/QUOTE]

Good point, I believe you're not supposed to store the cvv number.
@qjensen Nov 01.2010 — If you are trying to speed the payment process, your best bet is to support something like PayPal, Google Checkout or Amazon Payments instead of rolling your own.

As criterion9 pointed out, storing cc numbers is a violation of PCI Standards and could result in fines and loss of your merchant account.

It isn't a good idea to store the cc info on your server, and it will cost you far more in the long run than any additional sales you make. If you want to invest in a good solution, use one of the existing quick checkout systems and save yourself serious headaches.
@Jarrod1937 Nov 01.2010 — [QUOTE]Yes I have heard something about PCI. I do not fully understand what it is, although I do know my hosting service does provide support for it.

If I encrypt the numbers on transmission, how do I then decrypt them on collecting them?[/QUOTE]

http://en.wikipedia.org/wiki/Transport_Layer_Security

SSL exists purely within the transport layer of networking; it encrypts the data using RSA encryption with a public key, transports it to your server, where it is decrypted by your private key (see: http://en.wikipedia.org/wiki/Public-key_cryptography ). Your actual application knows nothing of this as the encryption is transparent to both parties.

Though, this is different from the database card storage encryption I was speaking of; that is to be used in addition to the use of ssl.


[QUOTE]I am also confused as to what recurring billing is. In the sense that is it automated billing for £x per month or year etc. Or is it just a system that helps speed up the process of ordering stuff, say 'one click purchases' like on amazon?[/QUOTE]


Recurring billing is a separate topic from card storage. Recurring billing is what you do with the stored info, that is you charge individuals on some periodic basis using the stored info. Amazon's system is not recurring, it is just them storing your info for convenience.
@Jarrod1937 Nov 01.2010 — [QUOTE]As criterion9 pointed out, storing cc numbers is a violation of PCI Standards and could result in fines and loss of your merchant account.[/QUOTE]


Incorrect, I believe you're allowed to store cc info, just not the cvv numbers. If you weren't allowed to store the cc numbers themselves then there would be no need to have a pci-standard.
@Benji6996 (author) Nov 01.2010 — What are the cvv numbers?

If you are not allowed to store cc numbers then how come Amazon does??

I do not want to use amazon payments or so on because the system must look like it is part of my site, I do not want to display any third party logos or info etc. I also do not want my clients to have to have accounts with other sites in order to purchase my space.
@Jarrod1937 Nov 01.2010 — [QUOTE]What are the cvv numbers?

If you are not allowed to store cc numbers then how come Amazon does??

I do not want to use amazon payments or so on because the system must look like it is part of my site, I do not want to display any third party logos or info etc. I also do not want my clients to have to have accounts with other sites in order to purchase my space.[/QUOTE]

Again, I believe you're able to store cc numbers since the pci-standard itself states:

"Protect stored cardholder data"

Which would be a mutually exclusive rule to follow if you're unable to store any cardholder data. That and the entire point of pci-compliance is to protect stored cc numbers, without storage there is no need for the standard itself.

As for cvv, it's generally the 3 digits on the back of a card, or the 4 digits on the front for amex. More info here:

http://en.wikipedia.org/wiki/Card_Verification_Value
@criterion9 Nov 01.2010 — Most credit providers allow for a single-use or multi-use charge code (unique identifiers) to use along with some information specific to the customer (such as first name, last name, last four digits) for payment collection. When an additional charge is required and you already have a multi-use code from the credit provider you use it to process the payment in place of the full cc details.
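As an added example of the charge-code (token) pattern criterion9 describes, not code from this thread or from any payment provider: the site hands the card number to the processor once, keeps only the returned token plus the last four digits, and a guard refuses to persist any row that still looks like a full card number. The processor call and the in-memory vault are constructed stand-ins for a real provider API and the site's database.

```python
import re
import secrets
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def contains_pan(text: str) -> bool:
    """Guard for DB rows and log lines: True if a Luhn-valid 13-19 digit run is present."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def processor_tokenize(pan: str) -> str:  # constructed stand-in for a provider's vault call
    return "tok_" + secrets.token_urlsafe(9)  # opaque handle, not derived from the PAN

@dataclass(frozen=True)
class CardOnFile:               # the only card-related row the site keeps
    customer_id: str
    processor_token: str        # the multi-use charge code
    last4: str                  # display only, e.g. "**** 1111"

VAULT = {}  # constructed in-memory stand-in for the site's own database

def store_card_on_file(customer_id: str, pan: str) -> CardOnFile:
    """Hand the PAN to the processor once; persist only the token and last four."""
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a plausible card number")
    rec = CardOnFile(customer_id, processor_tokenize(pan), pan[-4:])
    if contains_pan(repr(rec)):  # defence in depth: never persist a full PAN
        raise RuntimeError("refusing to persist a full card number")
    VAULT[customer_id] = rec
    return rec

def charge_returning_customer(customer_id: str, amount_pence: int) -> dict:
    rec = VAULT[customer_id]    # repeat purchase: the request carries the token, not the card
    return {"token": rec.processor_token, "amount_pence": amount_pence,
            "display": f"**** {rec.last4}"}
```

The same `contains_pan` guard can be run over log output, since card numbers leaking into logs is as much a PCI problem as storing them in a table.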
@Benji6996 (author) Nov 01.2010 — arrr okay, I wouldn't want to store the 3 digit security number anyway so that wouldn't be a problem.

This may be a very big question but could someone explain in as brief terms possible what the PCI is?

Thank you
@Benji6996 (author) Nov 01.2010 — [QUOTE]Most credit providers allow for a single-use or multi-use charge code (unique identifiers) to use along with some information specific to the customer (such as first name, last name, last four digits) for payment collection. When an additional charge is required and you already have a multi-use code from the credit provider you use it to process the payment in place of the full cc details.[/QUOTE]

I understand how that works but surely the rest of the card and owners details are stored somewhere. What I would like to know is where and how? Do I get offered this with any merchant (World Pay is the one I am probably going to go with)?

Thank you
@Jarrod1937 Nov 01.2010 — [QUOTE]arrr okay, I wouldn't want to store the 3 digit security number anyway so that wouldn't be a problem.

This may be a very big question but could someone explain in as brief terms possible what the PCI is?

Thank you[/QUOTE]

The link was already posted:

https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&assocation=PCI%20DSS

But here is a direct link to the pdf:

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf