As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving it, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.
Having said that, here are three things to consider:
Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
If you do store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. They also define how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc.). You will also be responsible for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
State and country specific laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.
As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).
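The answer above says that stored card numbers must be encrypted. As an added example, not code from the answer's author or from any library it names, here is how such a record can be built in Go with AES-256-GCM from the standard library: the row keeps only a masked PAN in the clear, the ciphertext is bound to the customer ID and key version through the associated data, and opening fails closed if either is altered. The struct, the function names, the fixed demo key and the 4111111111111111 test number are all constructed for illustration and are not from the original page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is the row that reaches the database. The clear-text PAN is never in it:
// only a masked form, plus the AES-256-GCM ciphertext with its nonce and key version.
type CardRecord struct {
	CustomerID string
	MaskedPAN  string // first six and last four digits, e.g. "411111******1111"
	Expiry     string // left in clear; the answer treats encrypting it as optional
	KeyID      string // key version that produced Ciphertext, so keys can be rotated
	Nonce      string // base64 of 12 random bytes, fresh for every record
	Ciphertext string // base64 of ciphertext with the GCM authentication tag appended
}

// maskPAN keeps only the first six and last four digits.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// aad binds the ciphertext to its row and key version: a blob copied into another
// customer's row, or opened under a mislabelled key, fails authentication.
func aad(rec CardRecord) []byte { return []byte(rec.CustomerID + "|" + rec.KeyID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard returns the encrypted record to persist; pan is assumed to be digits only.
func StoreCard(key []byte, keyID, customerID, pan, expiry string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	rec := CardRecord{CustomerID: customerID, MaskedPAN: maskPAN(pan), Expiry: expiry, KeyID: keyID}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	rec.Nonce = base64.StdEncoding.EncodeToString(nonce)
	rec.Ciphertext = base64.StdEncoding.EncodeToString(gcm.Seal(nil, nonce, []byte(pan), aad(rec)))
	return rec, nil
}

// LoadPAN recovers the clear-text PAN, failing closed if the row or blob was altered.
func LoadPAN(key []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce, err := base64.StdEncoding.DecodeString(rec.Nonce)
	if err != nil || len(nonce) != gcm.NonceSize() {
		return "", errors.New("malformed nonce")
	}
	ct, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, nonce, ct, aad(rec))
	if err != nil {
		return "", fmt.Errorf("record for %s failed authentication: %w", rec.CustomerID, err)
	}
	return string(pan), nil
}

func main() {
	// Constructed demo key so the example runs offline. A real key comes from an
	// HSM or KMS and never sits in source code or in the same database as the rows.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	rec, err := StoreCard(key, "card-key-v1", "cust-42", "4111111111111111", "12/29") // constructed test PAN
	fmt.Printf("stored row: %+v (err=%v)\n", rec, err)
	pan, err := LoadPAN(key, rec)
	fmt.Println("decrypted:", pan, err)
	rec.CustomerID = "cust-43" // same blob copied into another customer's row
	_, err = LoadPAN(key, rec)
	fmt.Println("re-homed blob:", err)
}
```

Run with `go run`: the "decrypted" line prints the PAN, and the last line prints an authentication error because the blob was moved to another customer's row. The KeyID column is what makes rotation practical: re-encrypt each row under the new key, update KeyID, and retire the old key once no row references it.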
The safest way is to NOT store the credit card information on your system, but let a 3rd party payment provider do it for you.
It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.
My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.