1

I'm new to PCI and would like to use Stripe as my payment gateway. They don't charge monthly fees, and have a good PHP system to send funds from site to Stripe. Right now I know I can allow customers to put in their card information, use Stripe's framework, and allow the card information to disappear. That's fine but my question is:

If I want to store card information in a database for using in Stripe's PHP framework, how do I learn to do it legally?

Whatever Man
user2296112

3 Answers

7

If you use their Stripe JavaScript client to send credit card information to them, what you'll be storing in your database will be a token which represents the client and their credit card, not an actual credit card. If you then ensure that the page where you collect the credit card info is served over HTTPS, you should be PCI compliant.

Using Stripe.js

Being PCI compliant using Stripe

Whatever Man
3

Why would you ever want to do that though?

The beauty of any payment gateway is that you don't have to bother or worry about storing your customers' sensitive data; instead, you integrate the API with your data layer and consume it as if it was right out of your database.

Stripe provides you with everything you need, their API is very well documented so there really isn't any reason to not be using it in the way I just described.

Aydin
  • 1
    This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – Khanh Nguyen Oct 09 '14 at 02:55
  • @KhanhNguyen It does. `If I want to store card information in a database for using in Stripe's PHP framework, how do I learn to do it legally?` And my answer was to never store it because there were much better options, I've also pointed him in the right direction to what he should be doing instead. – Aydin Oct 09 '14 at 03:05
  • 1
    You're right. My bad. – Khanh Nguyen Oct 09 '14 at 04:31
0

The simplest way to stay PCI compliant is to never store any card information in any database. Stripe can store the card information for you by using a customer, and attaching card(s) to those customers. You can then easily access these customers and charge their card. All you need in your database are the customer IDs, which keeps you from getting into any PCI issues.

hybrdthry911
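The advice in the answers above (keep only a Stripe reference in your own database, never the card) can be enforced at the point where a record is built for storage. The following is an added example, not code from any of the answers or from Stripe; `buildBillingRecord`, the `stripeCustomerId` column name, the `cus_` pattern, the list of rejected field names and the sample values are assumptions made for illustration. It goes slightly beyond the answers by also rejecting any value that merely looks like a card number.

```javascript
// Assumed shape of a Stripe customer id: "cus_" followed by letters and digits.
const CUSTOMER_ID = /^cus_[A-Za-z0-9]+$/;
// Assumed names of raw card fields that must never be posted to our server.
const CARD_FIELDS = ["number", "cvc", "exp_month", "exp_year"];

// Luhn checksum: true when a digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the value contains a 13-19 digit run (spaces or dashes allowed)
// that passes the Luhn check.
function containsCardNumber(value) {
  const runs = String(value).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, "")));
}

// Hypothetical helper: returns the only row our own database may hold for
// billing, or throws if card data reached the server.
function buildBillingRecord(userId, input) {
  for (const [key, value] of Object.entries(input)) {
    if (CARD_FIELDS.includes(key)) {
      throw new Error(`card field "${key}" must not reach the server`);
    }
    if (containsCardNumber(value)) {
      throw new Error(`field "${key}" looks like a card number`);
    }
  }
  if (!CUSTOMER_ID.test(input.stripeCustomerId || "")) {
    throw new Error("missing or malformed Stripe customer id");
  }
  return { userId, stripeCustomerId: input.stripeCustomerId };
}

// Constructed sample input: only the reference is kept.
const sampleRecord = buildBillingRecord(42, { stripeCustomerId: "cus_CONSTRUCTED123" });
```

Running the same `containsCardNumber` check over free-text columns and application logs helps catch card numbers that customers paste into notes or support fields.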