Inspiring
July 6, 2006
Question

Best Method To Store Credit Card Info

  • July 6, 2006
  • 5 replies
  • 818 views
What is the best way to store Customer Credit Card information in the database? Is there a defined method of handling this? Does the Sarbanes-Oxley law affect this?

thanks
This topic has been closed for replies.

5 replies

pete_freitag
Participating Frequently
July 13, 2006
As others have suggested, it is not a good idea to do this, unless you seriously know what you're doing. Read this article first.

It is pretty common for people to see that Amazon stores credit cards, so why can't we... Well, Amazon has an incredibly secure system for doing this, one that would be very difficult for someone to just whip up. Here is a quote from Amazon's CTO:

quote:

Credit card information should be kept in a physical secure location separate from your other servers with armed guards in front of it (I am not kidding)...

I won't tell you exactly how we implement our schemes, but to get to Amazon customer credit cards you will need a small army of Marines. Although recently we have been discussing placing physical and electronic booby-traps such that the servers will self-destruct when compromised, to deal with such a full physical attack ...
Legend
July 11, 2006
The most secure way is to not store CC data and instead find a payment gateway that offers tokenization. Basically, it is a token that references the card information so future transactions can be posted using the token.

References:

We call the technology "tokenization"; other gateways may call it something else. Hope this helps.
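The tokenization flow this reply describes, as an added example that is not part of the original thread or of any gateway's real API: the vault stands in for the payment gateway's token store, the merchant persists only the opaque token plus the last four digits, and later charges are posted by token so the card number never sits in the merchant's database. The type and function names, the `tok_` prefix and the sample card number (the well-known Visa test number) are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Vault stands in for the payment gateway's token store. Assumption: in a real
// deployment this runs inside the gateway's own environment, never on the
// merchant's web or database server.
type Vault struct {
	mu    sync.Mutex
	cards map[string]string // token -> primary account number (PAN)
}

func NewVault() *Vault { return &Vault{cards: map[string]string{}} }

// Tokenize keeps the PAN inside the vault and returns an opaque random token.
// The token is not derived from the card, so holding it reveals nothing.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !LuhnValid(pan) {
		return "", errors.New("card number fails Luhn check")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.mu.Lock()
	v.cards[tok] = pan
	v.mu.Unlock()
	return tok, nil
}

// Charge posts a transaction by token; the PAN is resolved only inside the vault.
func (v *Vault) Charge(tok string, cents int) error {
	v.mu.Lock()
	_, ok := v.cards[tok]
	v.mu.Unlock()
	if !ok {
		return errors.New("unknown token")
	}
	if cents <= 0 {
		return errors.New("amount must be positive")
	}
	// Constructed: a real gateway forwards the authorisation to the card network here.
	return nil
}

// CustomerRecord is what the merchant's database holds: the token and a display
// hint, never the PAN, CVV or expiry.
type CustomerRecord struct {
	CustomerID string
	CardToken  string
	Last4      string
}

// SaveCard exchanges a PAN for a token at checkout and returns the row to persist.
func SaveCard(v *Vault, customerID, pan string) (CustomerRecord, error) {
	tok, err := v.Tokenize(pan)
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{CustomerID: customerID, CardToken: tok, Last4: pan[len(pan)-4:]}, nil
}

// LuhnValid is the standard mod-10 check used to reject mistyped card numbers.
func LuhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func main() {
	vault := NewVault()
	// Constructed sample: the well-known Visa test number, not a real card.
	rec, err := SaveCard(vault, "cust-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println("charge via token:", vault.Charge(rec.CardToken, 1999))
}
```

The point to notice is the shape of `CustomerRecord`: a dump of the merchant's table yields tokens that are useless without the gateway's vault, which is the whole reason this approach takes the card data out of your own scope.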
BKBK
Community Expert
July 8, 2006
What is the best way to store Customer Credit Card information in the database?

Let an online payment processing company handle credit-card payments from your clients. The best payment-processing merchants would know much more than you how best to deal with credit card information and what legislation is involved. The responsibility for security would also be largely theirs.

Inspiring
July 7, 2006
It's generally not a good idea to ever store CC info in a database at all, whether encrypted or not.

... and as suggested, it is HIGHLY recommended that you give the user the choice to do so, and inform them of the potential risks if you decide to do it.

IF you do decide to go this route, and do provide a choice to save it to a server that is certified as e-commerce secure (some banks or security companies will help you test this fact), then make sure you encrypt the information before storing it - and never store the private key anywhere that can be accessed via web or db access.

You also may want to discuss this with your lawyer and insurance company and make sure your a$$ is covered, since if everything is not done properly, you and/or your company could be held liable for the client's customers losing their information if the DB ever gets hacked or stolen.
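The "encrypt before storing, and keep the key out of reach of web and database access" advice in this reply, as an added example that is not part of the original thread: the key is loaded from the process environment (the variable name `CARD_DEK` is an assumption standing in for a secrets manager or HSM), the card number is sealed with AES-256-GCM, and the customer id is bound as associated data so a ciphertext copied into another customer's row will not decrypt. Function names and the sample card number (the well-known Visa test number) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// LoadKey reads the data-encryption key from the process environment. The
// variable name CARD_DEK is an assumption; the point is that the key is injected
// at deploy time (from a secrets manager or HSM) and never written to the
// database or to any file the web tier can serve.
func LoadKey() ([]byte, error) {
	b64 := os.Getenv("CARD_DEK")
	if b64 == "" {
		return nil, errors.New("CARD_DEK not set: refuse to start rather than fall back to a default key")
	}
	key, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(key) != 32 {
		return nil, errors.New("CARD_DEK must be 32 random bytes, base64-encoded")
	}
	return key, nil
}

// EncryptPAN seals the card number with AES-256-GCM. The stored value is
// nonce || ciphertext || tag, base64-encoded for a text column. The customer id
// is bound as associated data so a ciphertext moved to another customer's row
// fails to decrypt.
func EncryptPAN(key []byte, customerID, pan string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(customerID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPAN reverses EncryptPAN; any tampering, a wrong key or a mismatched
// customer id yields an error, never a garbled card number.
func DecryptPAN(key []byte, customerID, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(customerID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong customer, or tampered data")
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed: a throwaway key for the demo instead of reading CARD_DEK.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	stored, err := EncryptPAN(key, "cust-42", "4111111111111111") // test number, not a real card
	if err != nil {
		panic(err)
	}
	fmt.Println("what the database row holds:", stored)
	pan, err := DecryptPAN(key, "cust-42", stored)
	fmt.Println("decrypted with the key held outside the DB:", pan, err)
	_, err = DecryptPAN(key, "cust-99", stored)
	fmt.Println("same ciphertext on another customer's row:", err)
}
```

Note that `LoadKey` fails closed: an application that silently falls back to a built-in key when the environment is missing turns the "never store the key with the data" rule into a fiction, because that key is then in the deployed code next to the database credentials.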
tclaremont
Inspiring
July 6, 2006
The best method would be a dedicated server with a highly secure perimeter and a massive insurance policy that covers you when the data is compromised. Also making sure that you inform the end user that their credit card information is being stored for whatever purpose BEFORE they enter that information, giving them the opportunity to consent to your storage of their highly confidential information.

The best advice is to reevaluate why you need to store this information at all, rather than processing it at the appropriate times and then deleting the information, thereby reducing your risk.