Best practices for capturing and storing credit card information with PHP
Should I use sessions for the first few steps (validation, review purchase) then input the information into the database in the final submit?
Could the cookies get jacked and transform into a lawsuit? Is it too risky?
Would I need to protect my db any special way if storing credit card numbers?
Any and all recommendations and personal experiences are welcome.
Comments (1)
Credit card issuers have strict requirements (google "PCI Compliance") about storing credit card data.
There's at least one payment gateway that allows you to outsource the compliance stuff: http://www.braintreepaymentsolutions.com/
Last time I looked, you can run an initial transaction, and get back a token. That token can be used to make future charges against the card, but only by you. The payment gateway guys take care of storing the actual credit card data.
As far as I know (and I don't do a ton of card processing), this is probably the best solution if you need to make arbitrary charges against the same card.
If all you need is some recurring charge (a set amount at regular intervals), most payment gateways (authorize.net comes to mind) can be configured for this.
At the end of the day, if you're not dealing with a particularly large budget, you're better off outsourcing the card # storage. Doing it yourself is too much of a liability.
(Edit: As to storing things in session -- yeah, you can probably get away with that, but you should probably avoid it. Just make your initial auth/capture in-process when the CC info is submitted.)
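The token-based flow the answer describes, as an added PHP example that is not part of the original post: `GatewayClient` is a hypothetical in-memory stand-in for a PCI-compliant tokenizing gateway (its method names are invented for illustration), and the merchant code shows that only the token and last four digits are ever persisted, while the PAN and CVV are used once, in-process.

```php
<?php
// Hypothetical gateway stub (not a real API): the gateway vaults the PAN and
// hands the merchant a token that only this merchant can charge against.
final class GatewayClient
{
    /** @var array<string, string> token => PAN, held by the gateway side only */
    private array $vault = [];

    // Initial auth/capture: returns a reusable token plus the few card details
    // a merchant is allowed to keep (last4), never the full number or CVV.
    public function chargeAndTokenize(string $pan, string $exp, string $cvv, int $cents): array
    {
        $token = 'tok_' . bin2hex(random_bytes(16));
        $this->vault[$token] = $pan;
        return ['token' => $token, 'last4' => substr($pan, -4), 'status' => 'captured', 'amount' => $cents];
    }

    // Later charges reference the token; no card data crosses the wire again.
    public function chargeToken(string $token, int $cents): array
    {
        if (!isset($this->vault[$token])) {
            return ['status' => 'declined', 'reason' => 'unknown token'];
        }
        return ['status' => 'captured', 'amount' => $cents];
    }
}

// Merchant side: the card array lives only for the duration of this call and
// is never written to $_SESSION, a cookie, a log line or the database.
function checkout(GatewayClient $gw, PDO $db, int $customerId, array $card, int $cents): string
{
    $result = $gw->chargeAndTokenize($card['pan'], $card['exp'], $card['cvv'], $cents);
    if ($result['status'] !== 'captured') {
        throw new RuntimeException('Payment failed');
    }
    $stmt = $db->prepare('INSERT INTO payment_methods (customer_id, gateway_token, last4) VALUES (?, ?, ?)');
    $stmt->execute([$customerId, $result['token'], $result['last4']]);
    unset($card); // drop the raw card data as soon as the gateway has it
    return $result['token'];
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE payment_methods (customer_id INT, gateway_token TEXT, last4 TEXT)');
$gw = new GatewayClient();
// Constructed sample input: a standard test PAN, not a real card.
$token = checkout($gw, $db, 42, ['pan' => '4111111111111111', 'exp' => '12/30', 'cvv' => '123'], 1999);
// A month later: rebill using the stored token, without ever touching the PAN.
$rebill = $gw->chargeToken($token, 1999);
```

The row in `payment_methods` is all that is left on the merchant's side, so a compromise of that database yields tokens usable only through this merchant's gateway account, not card numbers.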