3

We are now building payment options on our .net MVC app. Up to now we have successfully linked paymant with Paypal options, but now we are at the stade of introducing and testing credit card options.

So we are wondering if it is safe, even temporarily, to host and use credit card information?

I am building a viewModel which will look like this:

public class CreditCardViewModel
{
    public int CardNumber { get; set; }

    public int ExpireMonth { get; set; }

    public int ExpireYear { get; set; }

    public string FirstName { get; set; }

    public string LastName { get; set; }
}

A new one will be generated in a get view, and then posted back, and once the informations are validated, using PayPal Integration, we are planning to take along the payment method. But I want to protect users from getting spammed, hacked or stolen, and thus am wondering if it is a safe / good approach, or if the StackOverflow community will advise me to take another route...

EDIT I have edited my view model a bit, it looks like this:

public class CreditCardViewModel
{
    [Required]
    public SecureString CardNumber { get; set; }

    [Required]
    [Range(1, 12, ErrorMessage = "Invalid Month Number")]
    public int ExpireMonth { get; set; }

    [Required]
    public int ExpireYear { get; set; }

    [Required]
    public string FirstName { get; set; }

    [Required]
    public string LastName { get; set; }
}

And, as mentioned, the data used will not be saved in the database. It will be used one time in the POST method.

EDIT As per Juliano and Chris Pratt's great explanations, I have decided to remove the model from the web site and explore different avenues (mainly exploring the Merchant SDK integration). But thanks for the great explanations folks, because I did not know such compliancy existed.

hsim
  • 2,000
  • 6
  • 33
  • 69
  • 1
    Well you'll need all that information. The security issue wouldn't be in the view model - but with your implementation, and overall site integrity, – Jonesopolis Feb 26 '14 at 16:20
  • Do you have an example of a good implementation? – hsim Feb 26 '14 at 16:21
  • 4
    It's not clear exactly what your asking. If your application can see card details it falls within the scope of mandatory PCI/DSS compliancy which is significantly non-trivial to implement. – Alex K. Feb 26 '14 at 16:21
  • 1
    You should keep attention on how you save this data on your database, be always aware that it might get stolen... – DmitryK Feb 26 '14 at 16:22
  • @DmitryK precisely, this data will never be saved in the database. It will be used to issue the payment via the PayPay REST api, then based on the result of the payment, we will then issue the order (or not if it is not successfull). So the credentials will live in a single post method. – hsim Feb 26 '14 at 16:23
  • 3
    FYI - You can't use `int` for the `CardNumber`. It's too small to hold. You may want to try and implement `SecureString` or at least look into it. – TyCobb Feb 26 '14 at 16:25
  • 4
    @TyCobb - also, credit card numbers can start with "0". – EkoostikMartin Feb 26 '14 at 16:28

1 Answers1

3

Any payment application that accepts Visa and MasterCard should be compliant with the PA-DSS (Payment Application Data Security Standard), a global security standard for payment applications . The last version of the specification is 3.0 and can be downloaded at PCI site.

In this document there is a requirement named "Develop Secure Payment Application", that talks about how to develop a payment application that is secure, according the best practices in the market. About your specific question, the 5.1.6.1 says how sensitive data (card number, password, security codes) should be handled in memory:

Attackers use malware tools to capture sensitive data from memory. Minimizing the exposure of PAN/SAD while in memory will help reduce the likelihood that it can be captured by a malicious user or be unknowingly saved to disk in a memory file and left unprotected. This requirement is intended to ensure that consideration is given for how PAN and SAD are handled in memory. Understanding when and for how long sensitive data is present in memory, as well as in what format, will help application vendors to identify potential insecurities in their applications and determine whether additional protections are needed. Whether or not any coding techniques result from this activity will depend on the particular software being developed and the technologies in use.

Juliano
  • 821
  • 6
  • 21
  • That's why I would have loved to use external web API to do the job, you raise a good point. – hsim Feb 26 '14 at 17:16
  • Worth noting that in terms of "must have" its PCI-DSS that applies to you, not PA-DSS; although you should of course use the latter it as a roadmap. – Alex K. Feb 26 '14 at 17:19
  • 1
    It doesn't matter whether you process the card or if a third-party does. If a credit card number *ever* passes through your system, through a form submission or anything else, you must be PCI compliant. – Chris Pratt Feb 26 '14 at 17:34
  • @ChrisPratt Just wanting to be sure. The data is posted back to my application, but then I build a `CreditCard` Paypal object that I send to PayPal and I flush the data. It is never stored in any way in my application. Would you still consider that to be problematic IYO? – hsim Mar 03 '14 at 18:57
  • 2
    It doesn't matter whether you store it or not. It passes through your system, which means if you are compromised then so is the credit card. Just look at all the headlines where credit cards and such were stolen *not* through the actual vendor, but through a third party middle-man. – Chris Pratt Mar 03 '14 at 19:44