Best Practices for Online Credit Card Security

After several years of coding applications that needed to process credit cards in real time as well as perform autorenewals at specified intervals, I've come up with a few best practices that I use as a habit.

Here they are: my accumulated techniques for working with credit card data on the web:

  1. Always pass credit card information via SSL (this includes information sent to the user's browser as well as that sent up to the server):
    1. Make all links to your credit card form begin with "https://"
    2. Within server-side code, ensure that credit card form pages are served and received via SSL before any processing takes place (i.e., check the server's environment variables for port 443 and/or an HTTPS flag before touching the card data).
    3. Within front-end code, ensure that the form's action attribute contains an absolute URL starting with "https://"
  2. When coding a form input to get credit card data, include an autocomplete="off" attribute in the tag to prevent the browser from keeping the credit card number in its autocomplete cache.
  3. When displaying credit card numbers in the browser, all but the last 4 digits should be omitted or replaced with another character such as asterisks.
  4. Never display the user's security code in a browser (the security code, or CVV, is the 3- or 4-digit code printed on the front (American Express) or back (all others) of a card).
  5. When storing credit card data:
    1. Use strong encryption to encrypt the credit card number before storing it in your backend.
    2. Never store the security code in your backend. Its value depends on the presumption that the only way to supply it is to read it from the physical credit card, proving that the person supplying it actually holds the card.
    3. Within backend storage, I purposefully obfuscate the table name, column names, and data for the table where I store credit card data. If someone ever gets into my database, there's no reason I'm going to tell them "Hey, credit card numbers here!"
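As an added illustration of rules 3 and 5, here is a small storage layer written in Go against the standard library's AES-GCM. It is not code from the original post (which is about ColdFusion): it encrypts the PAN before it is persisted, keeps only the last four digits in the clear for display, and has no field or parameter in which a CVV could even be placed. Where the 32-byte key lives and how it is rotated is assumed to be handled by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// StoredCard is the only shape written to the database: no CVV field exists,
// and the PAN is present only as AES-GCM nonce || ciphertext+tag.
type StoredCard struct {
	Last4, Expiry string
	Sealed        []byte
}

type Key [32]byte // 256-bit AES key; fixing the size in the type rules out short keys

func (k *Key) gcm() cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)  // AES block size is always GCM-compatible
	return gcm
}

// Store is rule 5: encrypt the PAN before it reaches the backend, keeping only
// the last four digits in the clear. The CVV is not even a parameter.
func Store(pan, expiry string, k *Key) (StoredCard, error) {
	d := strings.NewReplacer(" ", "", "-", "").Replace(pan) // strip separators
	if len(d) < 13 || len(d) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	gcm := k.gcm()
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	return StoredCard{d[len(d)-4:], expiry, gcm.Seal(nonce, nonce, []byte(d), nil)}, nil
}

// Recover decrypts the PAN when a renewal needs it; a wrong key or tampered record errors.
func Recover(s StoredCard, k *Key) (string, error) {
	gcm := k.gcm()
	n := gcm.NonceSize()
	if len(s.Sealed) < n {
		return "", errors.New("truncated record")
	}
	pt, err := gcm.Open(nil, s.Sealed[:n], s.Sealed[n:], nil)
	return string(pt), err
}
```

Displaying `Last4` padded with asterisks covers rule 3 without ever decrypting; `Recover` is the single code path that should need the key.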

Comments (8)

I liked your posting. I'm a systems analyst at WorldatWork, and we are looking at enhancing our shopping cart application. In your opinion, what are the pluses and minuses of maintaining credit card information in our database?

@Marco,

What are the pluses and minuses of maintaining credit card information in your own database? I'll tackle the minuses first:

- you're responsible for the security of the CC data in your own database, and therefore liable for any breaches in security where that CC data is stolen;
- you will need to maintain extra security measures for your database, such as special networking connections and firewall rules;
- finally, you'll want to be compliant with the payment card industry's PCI rules, which are extremely stringent.

The pluses are:

- You maintain the relationship with your client, and can easily track all of the transactions and other events that occur. If you're not hosting your own payment system, it will be more work to find out what they've processed successfully and when;
- You can change payment providers at any time and still retain control over your data, without worrying how to export it from one location and import it into another.

All in all, I think it's worthwhile to host your own CC data if you can handle the PCI security requirements. If you choose to host the data with a third party, just make sure that they have convenient ways for you to get transactional information on a regular basis. For instance, one provider I recently spoke with would have hosted all of our CC data and performed all transactions for us. They offer an API so that we could download all transaction histories on a daily basis to keep track of customer status in our own database.
