Best practices to store CreditCard information into DataBase

In my country the online payments are not an old thing, the first time i saw a web application taking payments directly to a local bank account was last year.

So, Im a newbie coding web payment system.

My question is, what are the best practices to store creditcard information into the database...

I have many ideas: encrypting the creditcard, database security restriction, etc.

What have you done?


Solution 1:

DON'T DO IT

There is simply far too much risk involved, and you will typically need to be externally audited to ensure that you're complying with all the relevant local laws and security practises.

There are many third-party companies that do it for you that have already gone through all trouble of making sure their system is secure, that they comply with local laws and so on. An example in the US that I have used in the past is authorize.net. Some banks also have systems that you can hook into to store credit card data and process payments.

I realise the country you're in may not have as strict laws as the U.S., but in my opinion that's no excuse for rolling your own. When you're dealing with other people's money, the risk is just too much to warrant.

Solution 2:

In 2020, use Stripe, and avoid storing payment information yourself.

HISTORICAL ANSWER:

For this, I recommend a comprehensive, layered approach.

First, storing credit card info should be an option.

Secondly, the data should be stored securely, using a strong form of encryption. I recommend AES with 256bit key size. Make sure when choosing your key, you use the entire keyspace (it's a rookie mistake to just use a randomly generated alphanumericsymbol string as a key).

Third, the AES key needs to be properly secured. Do not embed the value inside your code. If you are using windows, consider using DPAPI.

Fourth, you will want to setup database permissions so that applications and computers will have access on a need to know basis.

Fifth, secure the connection string to your database.

Sixth, ensure that any application that will have access to the credit card data, will properly secure it.

Solution 3:

At miniumum follow the PA DSS (Payment Appliction Data Security Standard). More info can be found here:

https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Also it would be wise to look at PCI DSS, which could be found here:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Solution 4:

You should avoid storing any credit card information due to the risks to you and to customers of doing so.

Solution 5:

Encrypt encrypt encrypt. Don't decrypt if you don't absolutely have to - don't decrypt to show the last 4 digits. Don't decrypt to tell the user what their card was.

In fact, if you can, don't even keep the encrypted card numbers in the same physical server as the rest of the user information.