
I am working on an iPhone application. I need to store a user's credit card information on the iPhone, and I have some questions regarding security.

1) Is it better to implement a cryptography system to encrypt the credit card number (or use one of the available libraries), or can I just use the Keychain to store the CC number? Is the Keychain considered a good place to save the CC info?

2) Should I also encrypt (or save in the Keychain) the expiry date?

3) Should I save the security code (or CVV)? Or ask the user to enter it every time?

Thanks for the clarifications.

Y2theZ

2 Answers


I would recommend that you read the following document from PCI:

Accepting Mobile Payments with a Smartphone or Tablet

https://www.pcisecuritystandards.org/documents/accepting_mobile_payments_with_a_smartphone_or_tablet.pdf

My recommendation would be:

  • Don't store CC details unless absolutely necessary.
  • NEVER store the CVV.
  • Don't implement your own encryption mechanisms; use the ones provided by the framework.

Any questions, just let me know.

Regards, Fabio @fcerullo

fcerullo
  • This is absolutely the right answer. Storage of CC information that doesn't follow PCI rules is bad news both for you (as it can open you up to potential civil liability and/or fines from PCI) and your users (since you will probably screw something up implementing your homebrew security setup). – Peter Elliott Feb 26 '13 at 11:43

These are my comments on your question. For Q1: yes, it is better to use a crypto class with a good algorithm for this type of highly secure data, e.g. AES-128 or AES-256.

For Q2: yes, you can save encrypted data in the Keychain; it is a good place for secure data.

For Q3: I think you should ask the user to enter the CVV number every time, like every mobile recharge site does, e.g. paytm.com.

Anurag Dixit
  • For Q2 I mean: should I encrypt the expiry date too, or just save it as plain text (is it sensitive enough to be encrypted)? – Y2theZ Feb 25 '13 at 10:04
  • Yes, you should encrypt the expiry date too, because it is sensitive data for a credit card. – Anurag Dixit Feb 25 '13 at 10:07
  • Just to add to this as well, use a well-tested, widely used cryptography library. – danielbeard Feb 25 '13 at 10:37
  • Homebrewing a CC storage scheme, even with a "good algorithm", is bad news bears. Definitely don't store a credit card # in the Keychain. "Use a PCI-validated solution" is the only answer you should consider. – Peter Elliott Feb 26 '13 at 11:48
  • @PeterElliott http://software-security.sans.org/blog/2011/01/05/using-keychain-to-store-passwords-ios-iphone-ipad/ – Anurag Dixit Feb 26 '13 at 12:27
  • What does that article have to do with storing credit card numbers in the Keychain? Is the iOS Keychain PCI DSS compliant? – Peter Elliott Feb 26 '13 at 12:56
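As an added example (not code from the question or either answer), here is what the two answers' advice looks like when combined in Swift: the app never persists the PAN or CVV at all, only an opaque token returned by a PCI-validated payment processor plus the last four digits and the expiry date, and that record goes into the iOS Keychain via the Security framework with a device-only accessibility class. The processor, its token format, and the `service`/`account` identifiers are assumptions; the usage values are constructed placeholders.

```swift
import Foundation
import Security

/// The only card-related record this app ever persists. There is deliberately
/// no field for the PAN (full card number) or the CVV, so neither can be
/// stored by mistake; the token is an opaque reference issued by the processor.
struct StoredCard: Codable, Equatable {
    let paymentToken: String   // opaque, processor-issued (assumed format)
    let lastFour: String       // display only, e.g. "**** 4242"
    let expiryMonth: Int       // kept inside the Keychain item, so encrypted at rest
    let expiryYear: Int
}

enum CardStoreError: Error {
    case keychain(OSStatus)
    case encoding
}

enum CardStore {
    // Assumed identifiers; substitute your own bundle-specific values.
    private static let service = "com.example.app.card"
    private static let account = "default-card"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Writes the record as a generic-password Keychain item.
    /// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: unreadable while the device
    /// is locked, excluded from backups, never migrated to another device.
    static func save(_ card: StoredCard) throws {
        guard let data = try? JSONEncoder().encode(card) else { throw CardStoreError.encoding }
        // Replace any earlier record; otherwise SecItemAdd fails with errSecDuplicateItem.
        _ = SecItemDelete(baseQuery as CFDictionary)
        var attrs = baseQuery
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw CardStoreError.keychain(status) }
    }

    /// Reads the record back; returns nil when nothing has been stored yet.
    static func load() throws -> StoredCard? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw CardStoreError.keychain(status)
        }
        return try JSONDecoder().decode(StoredCard.self, from: data)
    }

    /// Removes the record, e.g. when the user deletes the saved card.
    static func delete() throws {
        let status = SecItemDelete(baseQuery as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw CardStoreError.keychain(status)
        }
    }
}

/// Builds the persistable record from the processor's tokenization response.
/// The PAN is used only to derive the display suffix and is not retained; the
/// CVV is not even a parameter here, because it is sent to the processor and nowhere else.
func makeStoredCard(processorToken: String, pan: String,
                    expiryMonth: Int, expiryYear: Int) -> StoredCard {
    let digits = pan.filter { $0.isNumber }
    return StoredCard(paymentToken: processorToken,
                      lastFour: String(digits.suffix(4)),
                      expiryMonth: expiryMonth,
                      expiryYear: expiryYear)
}

// Usage (constructed placeholder values, not a real token or card):
// let card = makeStoredCard(processorToken: "tok_placeholder",
//                           pan: "4242 4242 4242 4242", expiryMonth: 12, expiryYear: 2030)
// try CardStore.save(card)
// let saved = try CardStore.load()
// try CardStore.delete()
```

This answers the three questions without any homebrew crypto: the Keychain handles encryption at rest, the expiry date (Q2) lives inside the same Keychain item as the token, and because `StoredCard` has no PAN or CVV field, the card number and security code (Q1, Q3) can only ever be sent straight to the processor, with the CVV re-entered by the user on each payment.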