
I was wondering what the best approach is to store encrypted credit card numbers in a SQL database for C# (.net framework). Should I do it manually by using String/SecureString/Byte Array with some sort of symmetric encryption?

I heard that for an alternative (and probably the easier option), a service provider (which you place the transaction with) will give you a key that can be used to retrieve transaction information. I don't know how to go about this approach, but is this the better option? I want the safest and most secure option. I want to be PCI compliant as well.

Christian Phillips
  • Don't store credit card numbers, even encrypted ones, if you have an alternative. Check out authorize.net, a service provider. I've been using them on and off for years. Storing credit card information is a potentially massive liability. – Bob Kaufman Aug 05 '13 at 18:48
  • @BobKaufman: Yah, I was worried about the liability and security. I just started working on a side project, and my biggest concern is the way the managers want to store credit card numbers in a SQL database. Is the authorize.net API and service free to use? – But I'm Not A Wrapper Class Aug 05 '13 at 18:50
  • Why did someone downvote this...? Could you please explain why this is a bad question? – But I'm Not A Wrapper Class Aug 06 '13 at 14:36

2 Answers


If you are going to store credit card numbers in a database you control, read the PCI DSS:

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Why should you comply:

https://www.pcisecuritystandards.org/security_standards/why_comply.php

Then read how to convince the people who asked you to store credit cards in-house of the world of hurt you are bringing upon yourselves by doing this:

https://security.stackexchange.com/questions/18677/how-to-convince-coworkers-to-not-store-credit-card-numbers-ourselves

Eric Leschinski

Update: In the three years since I wrote this answer, I've learned more about PCI, and a newer spec has been released. While the information below is not wrong, step 1 puts you in PCI scope at the "D for Merchants" level, which is the most onerous.

The better way to handle this is to not touch the card data yourself. Either you use a form provided by your processor which sends them the data, or you just redirect to them (like with PayPal). Both options can put you at the "A" or "A-EP" levels, which are much easier to certify.

Either way, you would still receive a token, which is safe to store, so steps 3 and 4 are still applicable.


Original Answer:

I heard that for an alternative (and probably the easier option), a service provider (which you place the transaction with) will give you a key that can be used to retrieve transaction information.

This is true. Basically, the process is:

  1. Get credit card information from the customer / user. Store it in an in-code variable (i.e. not a file, or a log, or a database).
  2. Send credit card information to your processor (such as Authorize.NET, Payware, Paypal, etc).
  3. Receive a response which includes a "token" of some sort. This is the way you identify this particular transaction for future communications with the processor.
  4. Store the token into your database. Encryption would be nice, but not necessary, since the token simply refers to "Transaction #12345", and has no sensitive information by itself.
Bobson
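The four steps above as a C# sketch, added here and not taken from the answer or from any processor's SDK: `IPaymentProcessor` and `FakeProcessor` are hypothetical stand-ins for the gateway client, and the sample card number is the well-known Visa test value, not a live card. The point it shows is that the full PAN only ever lives in a local object, which masks itself if logged, while the record handed to the database carries just the token and the last four digits.

```csharp
using System;
using System.Linq;
// Added example (not from the answer or any real SDK); IPaymentProcessor/FakeProcessor are hypothetical stand-ins for a gateway client.
public sealed class CardInput
{
    public string Pan { get; }     // full card number: held in memory only, never persisted
    public string Expiry { get; }  // MM/YY
    public string Cvv { get; }     // never stored after authorisation, even encrypted
    public CardInput(string pan, string expiry, string cvv)
    {
        Pan = new string(pan.Where(char.IsDigit).ToArray()); Expiry = expiry; Cvv = cvv;
    }
    public static string Last4(string pan) => pan.Substring(Math.Max(0, pan.Length - 4));
    // Masked by default so an accidental log line or string interpolation cannot leak the PAN.
    public override string ToString() => "****" + Last4(Pan);
}
public interface IPaymentProcessor
{
    string Charge(CardInput card, decimal amount); // opaque transaction token, or null if declined
}
// Demo stand-in only; a real gateway authorises the card on its side over TLS.
public sealed class FakeProcessor : IPaymentProcessor
{
    public string Charge(CardInput card, decimal amount) =>
        amount > 0 ? "txn_" + Guid.NewGuid().ToString("N") : null;
}
// The only record that reaches the database: token plus truncated PAN, no CVV, no expiry.
public sealed class StoredPayment
{
    public string Token { get; } public string Last4 { get; } public decimal Amount { get; }
    public StoredPayment(string token, string last4, decimal amount) { Token = token; Last4 = last4; Amount = amount; }
}
public static class Checkout
{
    // Steps 1-4 of the answer: card data goes to the processor once; only the
    // returned token (plus last four digits) comes back for storage.
    public static StoredPayment Process(IPaymentProcessor gateway, CardInput card, decimal amount)
    {
        string token = gateway.Charge(card, amount)
            ?? throw new InvalidOperationException("Charge declined by processor");
        return new StoredPayment(token, CardInput.Last4(card.Pan), amount);
    }
    public static void Main()
    {
        // Constructed sample input (the standard Visa test number, not a live card).
        var card = new CardInput("4111 1111 1111 1111", "12/30", "123");
        var stored = Process(new FakeProcessor(), card, 19.99m);
        Console.WriteLine($"persist token={stored.Token} last4={stored.Last4}; card renders as {card}");
    }
}
```

If the stored record, the log output and any exception message are the only things that leave `Process`, the PAN never reaches disk, which is the property the answer's step 4 relies on.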
  • If you have access to the full card number (implied in step 1) you need to work through PCI compliance. The better step 1&2 would be 'submit payment value/transaction details to webpage hosted by PCI compliant gateway. The gateway captures users card details, performs auth and returns auth result/token id.' – PaulG Aug 06 '13 at 12:16
  • I think that's what he means for step 1&2 (at least that's what I took it as). – But I'm Not A Wrapper Class Aug 06 '13 at 13:39
  • @PaulG - That's one specific way to handle step 2. But unless you're including someone else's gateway in your code (such as PayPal's popup window), you have to capture the input yourself. Doing that requires 1) A web browser and 2) a processor that has a web gateway (most don't). If you don't actually store the card number anywhere, PCI is not relevant - and a variable in RAM which doesn't get saved anywhere doesn't count as storing it. – Bobson Aug 07 '13 at 08:45
  • Sorry @Bobson, but that's the most common (and alarming) misconception I see when people talk about PCI compliance. If you store, process, **or transmit** card data you need to be pci compliant. If you do not persist the data it is considerably easier though, and you may get away with completing an SAQ (probably SAQ-C). See https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf – PaulG Aug 07 '13 at 09:32
  • Just a thought: I noticed @PaulG's edit in the review queue. I think that unless you two agree on the correct flow, Paul should post a new answer rather than editing this one. I am not an expert on the subject, so I can't speak to the correctness of either version. – Austin Mullins Mar 26 '15 at 16:43
  • @AustinMullins - Agreed. There *are* two valid flows. One where you collect the data yourself and then package and transmit it (which is the one I discuss) and one where you send the user off to another site to enter their data (which is the one PaulG tried to edit it to). He definitely should add a new answer. – Bobson Mar 26 '15 at 17:08
  • @Austin and Bobson. Apologies. I have no recollection of editing your answer. I wouldn't generally do that, and I believe that if I *had* edited it, the edit wouldn't go to a review queue due to my rep. Regardless, I still stand by the point that if you handle or transmit card data, PCI-DSS applies. Google 'pci dss data transmission' for further confirmation – PaulG Mar 26 '15 at 17:21
  • @PaulG Now that I think about it, I'm not sure you _did_ submit that edit. I think another user tried it on your behalf. It's definitely worth posting that alternate answer, regardless. – Austin Mullins Mar 26 '15 at 17:25
  • What if your client wants to store it? Amazon stores it; how are they doing it? – Ali Adravi Aug 13 '16 at 15:24
  • @AliAdravi - Assuming you're referring to the card number as "it", you have three choices: 1) **Don't** 2) Spend several hundred thousand dollars on secure infrastructure, security experts, validation, and PCI certification. 3) Risk becoming the next Target, Home Depot, etc. and simultaneously risk having your merchant accounts shut down by Visa and the other card brands. Your choice. – Bobson Aug 14 '16 at 02:26
  • @PaulG - It was a long time in coming, but I finally updated this answer to address the PCI implications. – Bobson Aug 14 '16 at 04:03