Storing Credit Card info?? Need advice or input please.

**aLpHaSuRf** · 03-09-2007, 02:04 AM

First I want to say I am not sure if I posted this thread in the correct section of the forums.

I have a situation which I am not sure how to handle. I have been working on a website where user can place an order and/or pay for services. I am not sure how to configure the checkout. I was thinking about two different ways to gather and pass the credit card info thru the merchant gateway.

The first way I can incoporate the payment system is by collecting the users credit card info and saving it to the database. I am not sure if saving credit card info into the database can be a liability for me in the future in the event the security of the database is compromised!

The second way I can incoporate the payment system is by collecting the users credit card info and passing it along as variables by posting it and NOT storing it into the database. I run an SSL and the passing of the imformation would be secure and safe.

I know alot of others have already in the past been at the point I am now at. I would appreciate any help advice or input that anyone has for me.

Thanks in advance... <--aLpHaSuRf-->

**silverspike** · 03-09-2007, 03:06 PM

Create an encrypting mechanism that can only be decoded by you with the correct set of PHP or what ever script you are using functions. This way u can keep the credit card numbers, however they will be secure from getting used if your database gets compromised. It may be more work, but if you wish to save there numbers and be able to read them again, this may be your best bet.

**aLpHaSuRf** · 03-09-2007, 03:26 PM

I was just told a few hours ago in some states it is illegal to store a consumers credit card information online in a database. I was also told that if I do store the consumers credit card information in my database and the information is hijacked from the database I would be held fully responsible, liable, and I would end up with some major legal issues as well as lawsuits!! I already changed my check out system to only store the consumers name, address and order information such as price and product details. I changed the system over to post all the users info from page to page in variables.

The reason I wanted to store the information was because I was going to implement a recurring billing system on my website where my users could select the option to be automatically billed every month. Unfortunatley now knowing what I just recently learned I feel it really would not be worth the stress, and litigation by chance a negative incident would occur where the users info were to get compromised!

**silverspike** · 03-09-2007, 03:33 PM

ok, well i guess that works aswell then. sorry to here you couldnt do what you wanted to. maybe someday you can figure out a way to do it, maybe with a third party involved or someting along those lines.

**aLpHaSuRf** · 03-09-2007, 05:24 PM

Thank you for taking the time to read and reply to my post.

**imported_chopper** · 03-09-2007, 06:32 PM

Most payment gateways have ways to automatically process credit card payments through an SDK and most if not all have ways of doing recurring billing as well (and cancellation). If YOU are hosting the site and are NOT CIPS compliant, don't even bother storing credit card information. That is NOT a liability you need. If you have someone else hosting the site then you best get a merchant account with someone like moneris, internet secure, etc, etc, etc and more often then not you'll also have to pay for a security scan. Either way, on a web site, there really is no need to store credit card numbers with the systems that are available. There are ways to make it pretty safe and secure (network architecture), but encryption for the number is not a way I'd recommend. If man can make it, man can break it, no matter what you do.