credit card storage help

  << Previous Post |  RSS |  Sort Oldest First |  Sort Latest First |  Subscribe to this Group Next >> 
Oh man,
Matthew Sievert
05/23/08 08:58 A
Jessica Kennedy wrote:
Les Mizzell
05/22/08 06:43 P
Hi all,
Steve Sommers
07/08/08 02:27 P
Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jessica Kennedy
05/22/2008 02:52 PM

I need some help finding a secure way to store credit cards on a website I am working on.  I know, I know you shouldn't do it unless you absolutely MUST, but it looks like I absolutely must, sad to say.  I have to set up reoccurring payments with credit cards that will notify the user if their card is declined and lock them out of certain website features as well.  Coding the above is not a problem, I am just very nervous about keeping credit card information on anyone.   I know the card #'s need to be stored encrypted, but that's still a pretty broad range of options... any help would be much appreciated!

Author:
Phillip Vector
05/22/2008 03:13 PM

That's pretty much it I would think... Encrypted sounds like the only way to do it (and that's not that secure). Can your payment processor handle the storage of your cards? If not, what is the name of the company so I know never to use it. :)

On Thu, May 22, 2008 at 11:50 AM, Jessica Kennedy <police_kidnapped_your_children@yahoo.com> wrote:
> I need some help finding a secure way to store credit cards on a website I am working on.  I know, I know you shouldn't do it unless you absolutely MUST, but it looks like I absolutely must, sad to say.  I have to set up reoccurring payments with credit cards that will notify the user if their card is declined and lock them out of certain website features as well.  Coding the above is not a problem, I am just very nervous about keeping credit card information on anyone.
>
> I know the card #'s need to be stored encrypted, but that's still a pretty broad range of options... any help would be much appreciated!

Author:
Jessica Kennedy
05/22/2008 03:42 PM

Cardservice international... they store partial card #'s for reference if I am not mistaken...

They have a reoccurring billing feature on their website; the only problem is that once a person is entered into the reoccurring cycle, they will run the person's credit card over and over and stick us with the fees regardless of how obvious it is the card is going to decline.

Author:
Phillip Vector
05/22/2008 03:53 PM

Sounds like a management problem then actually.. You may want to check out Shift4. They are pretty cheap and are pretty reliable. I used to work for them and trust me.. Security is #1 for them.

If not, then you need to get on the phone with them and complain that they are assisting with fraud or whatever else you can come up with. That becomes a problem with the company.

Either that, or store the cards on your site, encrypt them and hope for the best. I'd get in print someplace that your managers know they are taking a risk though and it's not your fault if you get hacked and all the credit card numbers are gone.

So... What company is this again? :)

On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy <police_kidnapped_your_children@yahoo.com> wrote:
> Cardservice international... they store partial card #'s for reference if I am not mistaken...
>
> they have a reoccurring billing feature on their website, the only problem is that once a person is entered into the reoccurring cycle, they will run the person's credit card over and over and stick us with the fees regardless of how obvious it is the card is going to decline.

Author:
Mary Jo Sminkey
05/22/2008 11:29 PM

> You may want to check out Shift4. They are pretty cheap and are
> pretty reliable. I used to work for them and trust me.. Security is #1 for
> them.

There's another good reason to look at Shift4. They have a tokenization technology in place which allows you to save a "token" that links to that credit card information on their system without actually saving the card data yourself. This is particularly ideal for recurring transactions where you need to be able to rebill the same card but don't want the liability of saving card data.

--- Mary Jo

Author:
Matthew Sievert
05/23/2008 08:58 AM

Oh man, ("What company is this for?") You guys are too funny.

Seriously, I wouldn't get anywhere near credit card numbers. I did for one project and it scared the crap out of me. Let someone else worry about the entire process. Even if it costs the client a bit more.

> Sounds like a management problem then actually.. You may want to check out Shift4. They are pretty cheap and are pretty reliable. I used to work for them and trust me.. Security is #1 for them.
>
> If not, then you need to get on the phone with them and complain that they are assisting with fraud or whatever else you can come up with. That becomes a problem with the company.
>
> Either that, or store the cards on your site, encrypt them and hope for the best. I'd get in print someplace that your managers know they are taking a risk though and it's not your fault if you get hacked and all the credit card numbers are gone.
>
> So... What company is this again? :)
>
> On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy <police_kidnapped_your_children@yahoo.com> wrote:
> > Cardservice international... they store partial card #'s for reference if I am not mistaken...
> >
> > they have a reoccurring billing feature on their website, the only problem is that once a person is entered into the reoccurring cycle, they will run the person's credit card over and over and stick us with the fees regardless of how obvious it is the card is going to decline.

Author:
Eric Haskins
05/23/2008 09:48 AM

A lot of online merchants and offline merchants store your cards. The trick is the encryption. PCI allows for storage but you would need to have some sort of solution for key management and encryption. Some examples of appliances for this are nCipher http://ncipher.com/products/hardware_security_modules/10/nethsm/ I have done some projects with these in the past; they are $$$ and you would need at least 2 in case one fails.

I am working on a cheaper, smaller-scale solution. For the people that can't afford 25K each LOL

Eric Haskins

On Fri, May 23, 2008 at 8:57 AM, Matthew Sievert <Matthew.Sievert@minacs.adityabirla.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Les Mizzell
05/22/2008 06:43 PM

Jessica Kennedy wrote:
> I need some help finding a secure way to store credit cards on a website I am working on.

1. Don't
2. No really, don't

I've had to do it once. I wasn't happy about it. I made the client sign a waiver saying that I was in *no* way responsible if anything ever happened and the server was compromised.

It still scared the hell out of me, so I had to be devious in the storage. I set up 6 fields in the database. I *split* the card numbers up into six different "chunks", merged each one of those chunks back into 6 legit looking card numbers, and then encrypted them all into the six fields, using different encryption methods for each field. I figured the chances of somebody compromising the database, un-encrypting all six fields, and then figuring out which part of each number needed to be combined together into the real number was pretty slim...

Paranoid? Oh yea... Better than nothing ... But hey, DON'T. Seriously.

Author:
Brian Kotek
05/22/2008 07:20 PM

You're opening yourself up to huge potential liability if anyone ever steals these numbers. Basically, don't.

http://usa.visa.com/merchants/risk_management/cisp.html

On Thu, May 22, 2008 at 2:50 PM, Jessica Kennedy <police_kidnapped_your_children@yahoo.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Phillip Vector
05/22/2008 07:23 PM

Well, at least you can go back to your boss and tell him that you didn't find a single person who says you should store it. :)

On Thu, May 22, 2008 at 4:19 PM, Brian Kotek <brian428@gmail.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
mac jordan
05/23/2008 01:53 AM

> I need some help finding a secure way to store credit cards on a website I
> am working on.  I know, I know you shouldn't do it unless you absolutely
> MUST, but it looks like I absolutely must, sad to say.  I have to set up
> reoccurring payments with credit cards that will notify the user if their
> card is declined and lock them out of certain website features as
> well.  Coding the above is not a problem, I am just very nervous about
> keeping credit card information on anyone.

I wouldn't take the responsibility myself - when I had to do this for a client, I passed the whole card processing and so forth over to WorldPay, and just used their API to do the callback and so forth.

--
mac jordan
www.webhorus.net
www.nibblous.com
www.kestrel.org
www.jordan-cats.org

Author:
Jessica Kennedy
05/23/2008 03:49 PM

So you're saying I shouldn't do it??? =) OK, you convinced me... I was pretty nervous about doing that anyway... looks like Shift4 will do what I need anyway.

And for those of you in a similar situation, I would NOT recommend Cardservice International for anything even vaguely large-scale. Not good at all...

Thanks for the advice about saving data as separate encrypted fields... I really don't have any choice but to collect some sensitive info so I will employ that technique... even if the data will only be on the database for a max of 20 min, I'm not taking chances!

Author:
Phillip Vector
05/23/2008 03:55 PM

When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If they say who is that, tell them it's the developer they fired 3 days before Christmas after he moved out to work for them. Good company for security, pain in the neck HR rep.

> so you're saying I shouldn't do it??? =)  ok, you convinced me... I was pretty nervous about doing that anyway... looks like shift4 will do what I need anyway.
>
> and for those of you in a similar situation, i would NOT recommend cardservice international for anything even vaguely large-scale.  not got at all...
>
> thanks for the advice about saving data as separate encrypted fields... I really don't have any choice but to collect some sensitive info so I will employ that technique... even if the data will only be on the database for a max of 20 min, i'm not taking chances!

Author:
Mike Kear
05/23/2008 09:28 PM

So how do ISPs and other companies handle storing credit cards? I get regularly charged by several companies, not all of whom would be large enough to have dedicated IT departments. Are they storing the card details and hoping for the best?

I know there are big billing companies who would be expected to have a pretty serious security environment - Plimus comes to mind there - I have 3 accounts for different vendors with them - but conducting a monthly business that bills clients monthly would be impractical if you couldn't store credit card numbers.

For my own hosting company, I keep credit card details in a totally off-line system that never touches the internet. But without being able to bill monthly, hosting would not be viable as a business. I would like to have a much better arrangement - it's highly inconvenient having to bill the cards the way we do. I'd like to be able to automate it somehow.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

----- Excess quoted text cut - see Original Post for more -----

Author:
Eric Haskins
05/24/2008 10:42 AM

Look up PCI Compliance; you will see the recommended practices. You can store certain data as long as you have the data encrypted, as well as written policies that detail it and how you handle key management. I am working on a 3DES solution that will be a lot cheaper than buying an nCipher or the likes for 25K.

Eric Haskins

----- Excess quoted text cut - see Original Post for more -----

Author:
Ian Rutherford
05/26/2008 08:33 PM

MSSQL has built in DES encryption now. It is very simple to implement. Authorize.net has recurring billing that you can set up through their API so you can avoid keeping the numbers yourself.

Author:
Steve Sommers
07/08/2008 02:27 PM

Hi all,

Sorry I'm entering this thread a little late. I noticed some Shift4 references so I decided to chime in.

You'll definitely want to use some form of tokenization, whether ours or any gateway you decide to use. One product I would like to mention that we offer is i4Go. It is a tokenization piece that takes your entire site and server out of PCI scope -- you are no longer handling card holder data (CHD) and this is what PCI is concerned with. With i4Go you have full control of the transactions (one time charge, recurring billing, two-click check out, etc.) and still never directly handle CHD.

You most likely have decided on a solution by now but maybe others are facing the same decision.

--Steve

P.S. Joseph, thanks for the kind words and I hope all worked out for you. I'm still ashamed the way things went down.

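The tokenization pattern Mary Jo and Steve describe above, as an added example that is not part of the thread and not Shift4's or i4Go's code: the merchant keeps only a gateway-issued token and the last four digits, rebills against the token, and handles the declined-card lockout the original poster asked for. The gateway vault is simulated in memory here (a constructed stand-in; a real one sits behind the gateway's API), and the card numbers are constructed test values.

```python
"""Recurring billing via tokenization: the PAN never lands in the merchant DB."""
import secrets
from dataclasses import dataclass

# Constructed test numbers (illustrative, not real accounts).
DECLINE_CARD = "4000000000000002"  # simulated gateway declines this PAN


class SimulatedGateway:
    """Stand-in for the gateway-side card vault (assumption: in-memory)."""

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry); lives only on the gateway

    def tokenize(self, pan: str, exp: str) -> str:
        # A random token carries no information about the PAN it maps to,
        # so a copy of the merchant database cannot be reversed into cards.
        token = secrets.token_urlsafe(24)
        self._vault[token] = (pan, exp)
        return token

    def charge(self, token: str, cents: int) -> str:
        pan, _exp = self._vault[token]  # lookup happens on the gateway side only
        return "declined" if pan == DECLINE_CARD else "approved"


@dataclass
class Customer:
    token: str   # opaque reference issued by the gateway
    last4: str   # enough for receipts and decline notices
    locked: bool = False
    notice: str = ""


class Merchant:
    """Merchant side: the customer row holds token and last4, nothing else."""

    def __init__(self, gateway: SimulatedGateway):
        self.gw = gateway
        self.db: dict[str, Customer] = {}

    def enroll(self, user: str, pan: str, exp: str) -> None:
        token = self.gw.tokenize(pan, exp)
        self.db[user] = Customer(token=token, last4=pan[-4:])
        # PAN goes out of scope here; it is never written to self.db.

    def rebill(self, user: str, cents: int) -> str:
        cust = self.db[user]
        result = self.gw.charge(cust.token, cents)
        if result == "declined":  # OP's requirement: notify and lock features
            cust.locked = True
            cust.notice = f"Card ending {cust.last4} was declined"
        return result

    def stores_pan(self, pan: str) -> bool:
        """True if the full card number appears anywhere in the merchant DB."""
        return pan in repr(self.db)
```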
Author:
Phillip Vector
07/08/2008 02:31 PM

> P.S. Joseph, thanks for the kind words and I hope all worked out for you. I'm still ashamed the way things went down.

Hey.. No worries. I call it like I see it and I know Shift4 is a great company for people to use (heck, I helped a small section of it get built, so I KNOW there's some serious security on there).
