
I am working on an application in which it is required to store whole credit card numbers. Is this possible to do using any API?

I have read about Authorize.net's Customer Payment Profile option, but it gives only the last 4 digits when you try to retrieve that payment profile.

I have also checked Braintree's v.zero API, which gives the first 6 and last 4 digits, and also Stripe's customer creation option, but it also gives only the last 4 digits.

If there is no API available, is the only way to store credit card numbers to store them in-house under PCI DSS?

Saurabh Rane

2 Answers


Disclosure: I work for Stripe

Yes, the ONLY way to store customer card information in-house is to do so in a PCI-compliant system. Any place you store them, and any way you handle them, MUST be PCI compliant.

One of the biggest gains from using a payment processor, like Stripe for example, is that they take care of the (very, incredibly, terrifyingly) hard work of PCI compliance for you. As part of that commitment, they're not going to release those credit card details that they work tirelessly to keep secure.

If you're willing to go through the rigors of becoming - and remaining - PCI compliant, you could collect and store the card numbers in a PCI-compliant way and use Stripe's API to create the card [0] and then make the charge. Do note that you MUST be PCI Compliant to make use of Stripe's API in this way, or you will be violating the Terms of Service.

If you can more fully explain what the application will be doing with the stored credit card numbers, maybe someone can suggest an alternative approach that doesn't require actually storing the card info locally.

[0] https://stripe.com/docs/api#create_card-source-number

floatingLomas
  • Is not the token basically a valid credit card identifier, and so makes PCI compliance required anyway? – jonathancardoso Feb 02 '17 at 14:41
  • No, the Token ID is a random string. Its mapping to actual card details is handled within Stripe, and the token is meaningless without your API keys. – floatingLomas Feb 02 '17 at 19:22
  • Stripe fails to calculate the card charge % up front. For example, in AU there are TWO rates, one for local cards, one for intl cards, so as Stripe has FAILED to provide a way for checking this, causing thousands of businesses to BREAK the law due to technical implementation (that could EASILY be done), it is NECESSARY under new laws to find the rate you charge, so you NEED the first 6 digits to look up the origin of the card. We don't store the first 6 digits; we do store the level of card and country of issue, for fraud and to calculate the above, as Stripe fails to do this. – Dawesi Mar 04 '18 at 22:47
  • So as long as you don't store the info, PCI compliance is unnecessary, as long as you destroy the data in memory after doing lookups to work around the flaws in Stripe's system. Stripe is not the only gateway with this issue; many US gateways don't have an implementation in line with AU and other laws. (aka in AU, we can't use Stripe as it forces us to violate the law, aka charge the intl rate in case that card is used) – Dawesi Mar 04 '18 at 22:49
  • @Dawesi I think you probably want to reach out to support here: https://support.stripe.com/email/login – floatingLomas Mar 06 '18 at 01:55
  • Is it okay to save only one digit locally? – OhhhThatVarun Oct 04 '19 at 14:03
  • Does Amazon use Stripe for their payments when we buy something on Amazon.com? If not, how do you think they store the online payment data of their customers? As far as I know, they happen to remember the payment information you entered when you bought something on their website... Thank you! – tonix May 31 '20 at 10:42

Never under any circumstance store customer credit card information. Explain why you think you need that; the Stripe API can probably do what you want. For example, if you want to make a recurring charge to a customer who made a previous payment to you, use a customer subscription.

Never under any circumstance store customer credit card information. If Stripe catches you trying to do that they will probably ban you. This is good, because if Stripe doesn't catch you, criminals will. Criminals like the kind that extracted credit card information from Target and Walmart.

Dour High Arch
  • The first 6 digits indicate card type, bank and card level (aka the fee level of the card). This is very important to know what you are being charged. This is now becoming more and more common practice, especially in Australia where new laws prohibit charging excess fees on credit card transactions. Personally we don't store the number; we just use the number to obtain the details, then discard the number. This way the risk is much lower (and your business insurance will be lower). – Dawesi Mar 04 '18 at 22:37
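Added example, not code from either answer or from Stripe: a small defender-side Python helper that keeps only the parts both answers and the comments treat as acceptable to hold (the first 6 digits for BIN lookup and the last 4 for display) and scans log text for full PANs that were written out by mistake, the kind of accidental storage that pulls a system into PCI DSS scope. The log lines and customer id are constructed and the card numbers are public test numbers; the 13 to 19 digit range and the Luhn filter are assumptions about what counts as a plausible PAN.

```python
import re

# Luhn (mod 10) check: a cheap way to tell a plausible PAN from an arbitrary
# run of digits (order ids, timestamps) before treating the value as card data.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Reduce a full PAN to the parts PCI DSS allows to be kept in the clear
# (first 6 for BIN lookup, last 4 for display); the middle digits are dropped.
def truncate_pan(pan: str) -> dict:
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return {"bin": digits[:6], "last4": digits[-4:], "masked": masked}

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued
# to other digits. Luhn filtering removes most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return masked forms of every Luhn-valid PAN found in text (e.g. logs)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(truncate_pan(digits)["masked"])
    return hits

# Constructed log lines; the card numbers are public test numbers, not real cards.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO charge ok customer=cus_demo123 card=4242 4242 4242 4242
2024-01-01T10:00:01Z INFO order id=1234567890123456 status=paid
2024-01-01T10:00:02Z DEBUG request body pan=4111-1111-1111-1111 cvc=***
"""

if __name__ == "__main__":
    print(truncate_pan("4242 4242 4242 4242"))
    print(find_pans(SAMPLE_LOG))   # the order id fails Luhn and is not reported
```

Running the scanner over application logs or database dumps is a quick check that the "never store it" rule in the answers above is actually being honoured.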