Is it OK to store encrypted credit card data in a database? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.

Closed 1 year ago.

I need to put together a billing module for services offered over the internet. The idea is to offer a service that is paid monthly and automatically, without the customer having to pay every month.

What are the best practices for this case?

My idea is to save the card data in the database next to the customer data, encrypted.

I am completely unaware of this topic. Any guidance?

 1
Author: Carlos Muñoz, 2016-02-11

5 answers

The risk of saving credit card information is so great that there is a security standard for it: PCI DSS. Even if you do not suffer attacks, if you do not follow the standard (or the rules of your locality) you may have legal problems.

If you really need to retrieve a customer's card data for future transactions, saving it in your DB is not easy. Of course, it requires encrypting it, but where do you keep the key to decrypt it? It is complex to implement this safely while respecting the standard (which, precisely, considers these problems). And as they say here (my translation):

Don't even think about storing credit cards without understanding the basics of PCI-DSS

To keep the encryption key securely you will end up needing special hardware support, or at least a (really remote) security server that takes care of it exclusively (providing keys)... It's complex.

In typical (and modest) scenarios today, the most reasonable option is usually not to save the data in our own DB, but to delegate it to third-party online services (remote payment gateway APIs, etc.).

Learn more in English here and here.

 4
Author: leonbloy, 2017-05-23 12:39:23
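leonbloy's question "where do you keep the key to decrypt it?" is the crux of the answer, so here is an added example (not code from the answer, from PCI DSS, or from any linked resource) of the architecture it points at: envelope encryption, where the application database holds only ciphertext plus a per-record data-encryption key (DEK) that is itself wrapped, and the key-encryption key (KEK) lives in a separate key service. `KeyService` is a constructed in-process stand-in for the HSM or remote key server the answer mentions; the names `StoreCard`, `LoadCard`, the AAD labels and the test PAN `4111111111111111` are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext, prepending the random nonce to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any tampering with ciphertext or AAD fails here.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyService is a constructed stand-in for the separate component (HSM, KMS or
// dedicated key server) the answer says you end up needing. The KEK never
// leaves it; the application only asks it to wrap and unwrap per-record DEKs.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func (k *KeyService) WrapDEK(dek []byte) ([]byte, error) { return gcmSeal(k.kek, dek, []byte("dek")) }
func (k *KeyService) UnwrapDEK(w []byte) ([]byte, error) { return gcmOpen(k.kek, w, []byte("dek")) }

// CardRecord is all the application database stores: no clear PAN, no usable key.
type CardRecord struct {
	CustomerID string
	WrappedDEK []byte
	Ciphertext []byte
}

// StoreCard encrypts the PAN under a fresh DEK bound to the customer id (AAD),
// wraps the DEK through the key service and then discards the DEK.
func StoreCard(ks *KeyService, customerID, pan string) (CardRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CardRecord{}, err
	}
	ct, err := gcmSeal(dek, []byte(pan), []byte(customerID))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{CustomerID: customerID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// LoadCard cannot succeed without the key service: a stolen database dump alone
// yields nothing, which is the point of keeping the KEK elsewhere.
func LoadCard(ks *KeyService, rec CardRecord) (string, error) {
	dek, err := ks.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := gcmOpen(dek, rec.Ciphertext, []byte(rec.CustomerID))
	return string(pan), err
}

func main() {
	ks, _ := NewKeyService()
	rec, _ := StoreCard(ks, "cust-42", "4111111111111111") // constructed test PAN
	fmt.Println(LoadCard(ks, rec))
}
```

Binding the customer id as AAD means a row's ciphertext cannot be copied onto another customer's record, and a second key service with a different KEK cannot unwrap the DEK at all. In a real deployment the wrap/unwrap calls would go over the network to the HSM or KMS, with their own access control and audit log, which is where the operational complexity the answer warns about actually lives.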

I am not sure that you should keep a customer's payment data on your own; you should evaluate the use of third-party services that are internationally recognized and offer a secure link to make the payment.

I suggest using a service such as PayPal.

You can use the libraries it provides to interact with your application:

PayPal .NET SDK

In this way you provide the customer with a secure and reliable means to make payments for the service you provide.

If the idea is to pay every month, you will generate from code a payment that the client must authorize for the operation to be confirmed. You cannot arbitrarily generate a charge just because you have their data, unless you set up some operation through a bank and an automatic debit is created, but then there is a third party replacing PayPal, which would be the bank.

 1
Author: Leandro Tuttini, 2016-02-11 02:43:28

Normally the websites of hotel reservations or car rentals store the customer's credit card data to guarantee the reservation and collect the amount due in case the customer does not show up.

These companies receive the card details by e-mail, and if you do not show up at the hotel or to pick up the car they charge you later with the card terminal (dataphone). In some cases they do not even ask you for the card when you arrive at the establishment because they already have your data and charge it directly.

However, if you wish to store any type of compromising data to manage autopayments or similar situations, you should notify the customer and specify it in the terms of use of the site. Some sales websites of the AliExpress type have been doing this for some time.

 -1
Author: Pedro, 2016-04-03 23:05:03

On one occasion I had to program the "storage" of the card. But it was not kept as such. The payment gateway gave us the option to save that data so that the customer can pay without always having to enter the card, but what was saved was a token that the payment gateway sent us. I doubt that's legal. To explain it better: in the form where you pass the data to pay, such as the amount, currency, merchant key, etc... the card. In the response the gateway gave us a token to store in the database, and in that customer's subsequent purchases that token was passed.

 -1
Author: Gonzalo, 2016-08-29 11:12:28

What I have seen that some apps and pages usually do, and as an idea it is not bad:

Store card number + expiration date, but not the 3-digit code, CCV I think it is called, and every time the customer wants to pay, he has to enter the CCV.

And also, in the app or on the web, when displaying the card number they only show the last 6 digits of the card.

Greetings.

 -2
Author: NeoCodigoCom, 2019-05-09 23:39:21
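Gonzalo's answer (store a gateway-issued token, not the card) and NeoCodigoCom's answer (never keep the CVV, show only a masked number) describe two halves of the same merchant-side design, so here is one added example covering both. It is not code from either answer or from any real gateway: `Gateway` is a constructed in-process stand-in for the provider's vault, `tok_` tokens, the `StoredCard` row layout, the 12-asterisk mask and the sample card values are all assumptions of this example. The Luhn check is the standard check-digit test and only validates input; it is not a security control.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// luhnValid runs the standard check-digit test on a PAN (input sanity only).
func luhnValid(pan string) bool {
	if len(pan) < 12 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Gateway is a constructed stand-in for the payment provider's vault, not a
// real gateway API. It is the only place the full PAN lives.
type Gateway struct{ vault map[string]string }

func NewGateway() *Gateway { return &Gateway{vault: map[string]string{}} }

// Tokenize validates the card, keeps the PAN on the gateway side and returns an
// opaque token. The CVV (the "CCV" of the last answer) is required for this
// first authorization only and is deliberately not stored anywhere.
func (g *Gateway) Tokenize(pan, cvv string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("invalid card number")
	}
	if len(cvv) < 3 {
		return "", errors.New("cvv required for initial authorization")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	g.vault[tok] = pan
	return tok, nil
}

// Charge bills a previously issued token; the merchant never sends the PAN again.
func (g *Gateway) Charge(token string, cents int) error {
	if _, ok := g.vault[token]; !ok {
		return errors.New("unknown token")
	}
	if cents <= 0 {
		return errors.New("invalid amount")
	}
	return nil
}

// StoredCard is the merchant-side row: token, expiry and last four digits.
// There is no PAN column and no CVV column, so neither can leak from this DB.
type StoredCard struct {
	CustomerID string
	Token      string
	Expiry     string
	Last4      string
}

// SaveCard is what the merchant calls the one time the customer enters a card.
func SaveCard(g *Gateway, customerID, pan, expiry, cvv string) (StoredCard, error) {
	tok, err := g.Tokenize(pan, cvv)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{CustomerID: customerID, Token: tok, Expiry: expiry, Last4: pan[len(pan)-4:]}, nil
}

// Masked renders the card for display from stored fields only, so the UI
// cannot show digits the merchant never kept.
func (c StoredCard) Masked() string {
	return strings.Repeat("*", 12) + c.Last4
}

func main() {
	g := NewGateway()
	card, err := SaveCard(g, "cust-1", "4111111111111111", "12/29", "123") // constructed values
	if err != nil {
		panic(err)
	}
	fmt.Println(card.Masked(), g.Charge(card.Token, 999))
}
```

The recurring monthly charge then becomes `Charge(card.Token, amount)` with no card data on the merchant side at all. If the merchant database is dumped, the attacker gets tokens that are only meaningful to that one gateway account plus a last-four digit hint, which is what makes this design so much easier to keep within PCI DSS scope than encrypting the PAN yourself.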