
What are the PCI rules to follow for storing credit card numbers in a database?

1) is this allowed? 2) if so, what rules do we have to follow?

I'm looking at this site https://www.pcisecuritystandards.org/security_standards/index.php which document should I be reading here?

gef
001
  • Try searching stackoverflow.com for "pci compliance". You'll get more than a bargain. – Saif Khan Nov 29 '10 at 04:29
  • Do you *really* want to, even if it's allowed? The inconvenience of users having to re-enter them is small compared to the headaches securely storing them gives. And I think most users don't like websites storing their card number either. – CodesInChaos Nov 29 '10 at 14:47
  • If you believe your security is as good as someone like Amazon, store it. It is very convenient and it *does* make me more likely to buy. Doesn't really answer your question but I thought I'd say your model can be good. – johnny Nov 29 '10 at 15:12
  • @Johnny - The thing is you don't need to. Authorize.net and Braintree, and I'm sure most of the other major gateways by this point offer secure vaults where you don't have to worry about PCI compliance, but you can still access the card for purposes of charging your account. – gtd Feb 09 '11 at 23:40

3 Answers


1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.

2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.

Mark Amery
John Conde
  • +1. Just wanted to comment though that encryption is the easy bit, and anyone wanting to tackle this shouldn't underestimate the difficulties with encryption Key Management. – PaulG Nov 30 '10 at 14:29
  • If you are going to store credit card numbers, you also have to be concerned with all types of access to the server, including physical. I did operations for PCI compliant servers at a large company and we did the following: CC numbers were encrypted (sure), access to the database server was limited to the web servers' IP addresses and the operations team's IP addresses (I couldn't connect from home or even a different building), and the server was in a locked cage (literally had a chain and lock on it). Even if I got into the DC, I couldn't access the machine. – Robert L Davis Aug 26 '15 at 18:59

This is not a direct answer, but a suggestion. Please don't downvote; I'm just trying to be helpful. After much experience with PCI compliance, I strongly suggest you avoid having credit card information on your systems if at all possible.

The approach we have used (with great success) is Tokenization. There are services that will collect and store your credit card information for you. You make an API call to get a token, generally a hash of some kind, which represents the credit card's primary account number. When you want to bill the card, you pass the token and other transaction details, and they process the payment.

Here is a straightforward article about the process: http://www.creditcards.com/credit-card-news/tokenization-to-fight-credit-card-id-theft-1282.php

There are lots of options for this these days:

For more information on that approach you can use the Google Search: Credit Card Tokenization.

bopapa_1979
  • It's not a direct answer, but IMHO has great value as an alternative approach. +1 – Fabio Jan 18 '12 at 17:54
  • I added Adyen to the list of Tokenization Payment providers December 2016. I have not used them personally, but I noticed in my JetBrains account today that this is who JetBrains uses. As one of the (IMHO) top developer tools providers, I would ASSUME they have properly vetted Adyen for security. – bopapa_1979 Dec 29 '16 at 17:48
  • We were using tokenization but it's a nightmare when you want to migrate to a different credit card processor. – DD. Aug 03 '19 at 07:52
  • @DD. I can really see where that would be the case. I guess you have to weigh that against the potential nightmare of managing concrete credit card data yourself. Unless I was working for a financial institution with a very competent department dedicated to security, I still think I would prefer tokenization. Still, your situation and mileage will vary. Good luck. – bopapa_1979 Sep 05 '19 at 17:55
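The two answers above describe the same split: if the PAN exists anywhere, it sits encrypted in one hardened place, and everything else holds only a token plus the digits PCI DSS lets you display. The following is an added example of that split in Go; it is not code from either answer and not any provider's API. A hypothetical in-process `Vault` envelope-encrypts each PAN with AES-256-GCM under a per-record data key that is itself wrapped by a key-encrypting key (the pattern behind the "key management is the hard bit" comment; in production the KEK lives in an HSM or KMS), hands back a random `tok_` token, and charges by token, so the merchant's own database keeps only the token, the first six and last four digits, and the expiry. The `Vault` type, the `tok_` prefix, the `Charge` signature and the test PAN 4111111111111111 are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// maskPAN keeps the first six and last four digits, the most PCI DSS permits
// to be displayed; it is the only form of the number the merchant keeps.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aead builds AES-256-GCM; every key in this example is 32 random bytes.
func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// gcmSeal returns nonce||ciphertext under a fresh nonce; gcmOpen reverses it
// and fails on a wrong key or any tampering with the stored bytes.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	ns := gcm.NonceSize() // sealed is always vault-written, never shorter than ns
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Vault stands in for the provider's tokenization service: only it holds the
// KEK (in production an HSM or KMS) and the encrypted PANs.
type Vault struct {
	kek   []byte
	store map[string][2][]byte // token -> {DEK wrapped under KEK, PAN sealed under DEK}
}

func NewVault() *Vault { return &Vault{kek: randomBytes(32), store: map[string][2][]byte{}} }
// Tokenize envelope-encrypts the PAN under a fresh per-record data key and returns a
// random token. Random, not a hash: an unkeyed hash of a 16-digit PAN is brute-forceable.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be 13-19 digits")
	}
	dek := randomBytes(32)
	token := "tok_" + hex.EncodeToString(randomBytes(16))
	v.store[token] = [2][]byte{gcmSeal(v.kek, dek), gcmSeal(dek, []byte(pan))}
	return token, nil
}

// Charge is the merchant's billing call with token and amount; the PAN is decrypted here and never leaves the vault.
func (v *Vault) Charge(token string, cents int) (string, error) {
	rec, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	dek, err := gcmOpen(v.kek, rec[0])
	if err != nil {
		return "", err
	}
	pan, err := gcmOpen(dek, rec[1])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("charged %d cents to %s", cents, maskPAN(string(pan))), nil
}

func main() {
	vault := NewVault()
	pan := "4111111111111111" // constructed test PAN, not a real card
	token := must(vault.Tokenize(pan))
	// Merchant row: token, masked PAN, expiry. No full PAN, no CVV/CVC (PCI DSS forbids storing it after authorization, even encrypted).
	fmt.Println("merchant row:", token, maskPAN(pan), "12/2030")
	fmt.Println(must(vault.Charge(token, 1999))) // charged 1999 cents to 411111******1111
}
```

Two design points the answers only hint at: the token is random rather than a hash of the PAN, because an unkeyed hash of a 16-digit number with a known issuer prefix is cheap to brute-force, and nothing in the merchant row can carry the CVV/CVC, which PCI DSS forbids storing after authorization even in encrypted form. The example still leaves the vault itself inside PCI scope; the point of the tokenization answer is that a provider owns that scope instead of you.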

You can but it's expensive to do.

You need to have DNS provided by another service or a dedicated DNS server.

You need to have a dedicated server running your SQL Server database and nothing else.

You need to use PCI approved software.

Your Database server needs to be within the same Data center as your Web Server else you will have poor performance.

So it's best to either host your site on a PCI secure host or setup your servers as I described.

Vincent G