0

I am making a web service where credit card information will be stored as part of a user profile and will be used to process payments.

However, I don't like the idea of saving the card information as raw text in a database. Instead, I would like to hash the card number in some way so that if a malicious person got access to the database, the users of the site will remain as safe as possible.

I imagine that it could work similar to how the password is hashed, but an important difference is that I need to be able to un-hash and send the credit card information through a 3rd party api.

How would I go about adding a hashed credit card to a Devise user in rails?

Thanks for any help

johncorser
  • 9,262
  • 17
  • 57
  • 102
  • 2
    There is no 'un-hash'. There is 'decryption', but they are different things. The only right way to do it is not to do it. Use a third party PCI compliant service. – Scott Jacobsen Oct 04 '14 at 03:02
  • Do you have any recommendations that are simple to integrate in rails? – johncorser Oct 04 '14 at 04:28
  • 1
    Take a look at [ActiveMerchant](https://github.com/Shopify/active_merchant). It provides a ruby API to interface with many different payment services. As for specific services I know [stripe](https://stripe.com/) is hot right now. Here's a [post](http://www.gotealeaf.com/blog/basic-paypal-checkout-processing-in-rails) about integrating PayPal with Rails. – Scott Jacobsen Oct 04 '14 at 04:48
  • Find and use a merchant that offers tokenization (they collect the card number and give you back a value you can use for subsequent transactions) as others have said if you attempt to store them yourself you fall into the domain of PCI compliance, if you suffer a breach and are judged not to be in compliance you can become liable for all losses and large card scheme fines. – Alex K. Oct 04 '14 at 12:24

1 Answers1

7

I would strongly recommend against storing credit card numbers in your own database. It's very difficult to meet the Payment Card Industry Data Security Standard - a.k.a. PCI compliance.

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Basically, even if the card numbers are hashed, you are still responsible to meet very high security standards. Only credit card processors and/or gateways (PayPal, Stripe, Authorize.net, etc.) typically store credit card information because it's part of their job to worry about meeting these strict PCI standards so you, as the merchant, don't have to worry about it. It's relatively easy to use their servers to store your customers' encrypted payment info and allow the customer to retrieve it again when they want to make a new purchase. Because you, as the merchant, are never actually able to get access the card info, encrypted or not, you're not responsible if the card number gets stolen - the processor is.

It's actually a great deal and a major selling point for most of these processors.

EDIT

Good news! It looks like Ordr.in has this service available and, from their FAQ, it looks like they're PCI compliant as well:

Is Ordr.in PCI Compliant for credit card processing?

Yes. We work with Braintree for PCI Compliant CC processing on all transactions.

It looks like everything you need is here in the API docs - https://hackfood.ordr.in/docs/user#addCreditCard

From what I can see, it's pretty simple. The user uses your service as a third party to create an account with Ordr.in. The user can save a credit card to their account (all stored on Ordr.in's servers) and then when the user wants to make a charge, they just log in with their email and password. Seems pretty straight forward! I can't vouch for ordr.in personally, but they look pretty legit.

Community
  • 1
  • 1
mjhlobdell
  • 371
  • 1
  • 6
  • I am using an api that requires me to send the credit card info as a parameter in an http request. Would I be able to use one of these services and still be able to make that http request? – johncorser Oct 04 '14 at 04:31
  • More than likely. What API are you using? – mjhlobdell Oct 04 '14 at 14:47
  • [Ordr.in](http://ordr.in/developers/). It requires me to send credit card info along with address info to place a food order. – johncorser Oct 04 '14 at 15:02
  • FYI - I saw that Codecademy has a course on the OrderIn API. http://www.codecademy.com/en/tracks/ordrin – mjhlobdell Nov 01 '14 at 23:19
  • "For four years we have loved helping developers build new food ordering apps, learn to code and explore new concepts in ecommerce. It has been a wonderful ride. Unfortunately that ride is at an end. We are discontinuing support for our APIs effective April 15, 2015. An alternative we recommend is Delivery.com. They have an open API and thousands of restaurants. They are good people with good technology."- http://www.ordrx.com/developers/ – Ctpelnar1988 Jul 17 '16 at 09:41