I have an application and the customer needs the app to store the user's credit card details.
Where should I store it?
Use a payment gateway that supports tokenization, and store the token instead of the actual card info. If you must store the card info, store it in a SharedPreferences file, encrypted with a PIN that the user must enter for every transaction. Do not store the PIN anywhere; attempt to decrypt the card info as needed using the PIN supplied by the user.
The PCI standard expressly forbids storing the CVV in any manner, so all transactions will have to be run as card-not-present. (Another advantage of tokenization: you may be able to get card-present rates.)
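The PIN-derived encryption this answer describes, as an added example (not code from the original answer): plain Java using `javax.crypto`, with PBKDF2-HMAC-SHA256 and AES-256-GCM as assumed algorithm choices. The class name `PinVault`, the iteration count and the sample card data are constructed for illustration; on Android the returned string is what would be written to SharedPreferences.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class PinVault { // hypothetical class name
    static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 310_000; // assumed parameters

    // Stretch the PIN into a 256-bit AES key; neither PIN nor key is persisted.
    static SecretKeySpec deriveKey(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    // Returns Base64(salt || nonce || ciphertext+tag), the only value written to storage.
    static String seal(char[] pin, String cardData) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); // fresh salt and nonce for every encryption
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(cardData.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array());
    }

    // Returns the plaintext, or null when the PIN is wrong or the blob was altered.
    static String open(char[] pin, String blob) throws Exception {
        byte[] raw = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, Arrays.copyOf(raw, SALT_LEN)),
                new GCMParameterSpec(128, raw, SALT_LEN, IV_LEN));
        try {
            int off = SALT_LEN + IV_LEN;
            return new String(c.doFinal(raw, off, raw.length - off), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null; // GCM tag check failed; no stored PIN or PIN hash is involved
        }
    }

    public static void main(String[] args) throws Exception {
        String blob = seal("4821".toCharArray(), "4111111111111111|12/30"); // constructed sample data
        System.out.println(open("4821".toCharArray(), blob));
        System.out.println(open("0000".toCharArray(), blob));
    }
}
```

A 4-digit PIN has only 10,000 possible values, so the key-derivation cost slows but does not prevent offline guessing against a copied blob.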
Never store sensitive information on the device, even if it is encrypted! It's child's play to peek into shared preferences if the device is rooted.
Either use a payment gateway or send the data to the server after encryption for storage.