Here they are: my accumulated techniques for working with credit card data on the web:
- Always pass credit card information via SSL (this includes information sent to the user's browser as well as that sent up to the server):
  - Make all links to your credit card form begin with "https://"
  - Within server-side code, ensure that credit card form pages are served and received via SSL before any processing takes place (i.e., check your environment variables for the use of port 443 and/or for HTTPS to be in use).
  - Within front-end code, ensure that the form's `action` attribute contains an absolute URL starting with "https://"
- When coding a form input to get credit card data, include an `autocomplete="off"` attribute in the tag to prevent the browser from keeping the credit card number in its autocomplete cache.
- When displaying credit card numbers in the browser, all but the last 4 digits should be omitted or replaced with another character such as asterisks.
- Never display the user's security code in a browser (the security code, or CVV, is the 3- or 4-digit code from the front (American Express) or back (all others) of a card).
- When storing credit card data:
  - Use strong encryption to encrypt the credit card number before storing it in your backend.
  - Never store the security code in your backend. Its value depends on the presumption that the only way to supply it is to read it from the physical credit card, proving that the person supplying it actually holds the card.
  - Within backend storage, I purposefully obfuscate the table name, column names, and data for the table where I store credit card data. If someone ever gets into my database, there's no reason I'm going to tell them "Hey, credit card numbers here!"
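The server-side SSL check (port 443 / HTTPS environment variables), the `action` URL check, and the "last 4 digits only" masking rule above, put into code as an added example that is not from the original post. It assumes a CGI/WSGI-style environment dictionary and uses a card number constructed for illustration.

```python
from urllib.parse import urlsplit


def request_is_https(environ):
    """Return True only if the request visibly arrived over SSL/TLS.

    Different servers populate different variables, so the HTTPS flag,
    the WSGI scheme and the server port are all consulted. `environ` is
    assumed to be a CGI/WSGI-style dict (os.environ or the WSGI environ).
    """
    https_flag = environ.get("HTTPS", "").lower() in ("on", "1", "true")
    wsgi_scheme = environ.get("wsgi.url_scheme", "").lower() == "https"
    port_443 = environ.get("SERVER_PORT", "") == "443"
    return https_flag or wsgi_scheme or port_443


def form_action_is_https(action):
    """True if a form's action is an absolute URL beginning with https://.

    A relative action ("/pay") inherits whatever scheme the page was
    loaded with, which is why the post requires an absolute https URL.
    """
    parts = urlsplit(action.strip())
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def mask_card_number(number, keep=4, mask_char="*"):
    """Replace every digit except the last `keep` with mask_char.

    Non-digit separators (spaces, dashes) are preserved so the masked
    value still lines up with how the number was entered.
    """
    digit_count = sum(1 for c in number if c.isdigit())
    to_hide = max(digit_count - keep, 0)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            out.append(mask_char if seen < to_hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values; not a real card or environment.
    print(request_is_https({"SERVER_PORT": "443"}))            # True
    print(form_action_is_https("/pay"))                        # False
    print(mask_card_number("4111 1111 1111 1111"))             # **** **** **** 1111
```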