
I am researching the available options for storing card information, and I think that mobile apps like FoodPanda do not really store the full card information in their database. Do they use 3rd-party services to store the card information and make payments?

Does Authorize.Net, for example, provide such a service to store card information and make a transaction when the card ID is provided for payment?

Norman (edited by John Conde)

2 Answers

You would have to ask FoodPanda what they do as we won't know. Many companies store credit card data despite the risks and the amount of effort it takes to secure it.

Authorize.Net offers a service called Customer Information Manager, which allows businesses to store credit card details on Authorize.Net's servers as a payment profile (they also offer saving billing and mailing addresses). You are then provided with a payment profile ID which you can refer to in future transactions. So when you want to make a payment against that credit card, you simply provide Authorize.Net with the payment profile ID and they will charge that credit card.

John Conde

Most apps/websites are not allowed to store card information due to PCI compliance restrictions, which require QSA SAQ compliance in order to store full credit card numbers.

Most payment gateways allow an alternative to storing card information, which is called Card Vaulting. Card Vaulting allows an application/website to send encrypted credit card data, which is then stored in the payment gateway's DB.

Authorize.Net calls this feature Customer Profiles.

Usually, when a returning shopper wants to place an order, the application/website requests the list of all the vaulted credit cards associated with that shopper. The retrieved data does not contain full credit card information; it contains only the last four digits of the card and the card brand. The Authorize.Net API allows retrieving these customer payment profiles while returning only the allowed data in the response (Get Customer Payment Profile API Documentation):

    <getCustomerPaymentProfileResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <messages>
          <resultCode>Ok</resultCode>
          <message>
             <code>I00001</code>
             <text>Successful.</text>
          </message>
       </messages>
       <paymentProfile>
          <customerType>individual</customerType>
          <billTo>
             <firstName>John</firstName>
             <lastName>Smith</lastName>
          </billTo>
          <customerProfileId>39598611</customerProfileId>
          <customerPaymentProfileId>35936989</customerPaymentProfileId>
          <payment>
             <creditCard>
                <cardNumber>XXXX1111</cardNumber>
                <expirationDate>XXXX</expirationDate>
             </creditCard>
          </payment>
          <subscriptionIds>
             <subscriptionId>3078153</subscriptionId>
             <subscriptionId>3078154</subscriptionId>
          </subscriptionIds>
       </paymentProfile>
    </getCustomerPaymentProfileResponse>

Notice how the credit card data is returned:

         <creditCard>
            <cardNumber>XXXX1111</cardNumber>
            <expirationDate>XXXX</expirationDate>
         </creditCard>
Tomer A

    Thanks for the detailed explanation! It is really useful to me and I will look into this direction. – Norman May 16 '17 at 01:26
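The vault flow that both answers describe (send the card to the gateway once, keep only the gateway-issued profile ID, charge by that ID later, and read back nothing but the masked number), shown as an added example. This is illustration code, not Authorize.Net's SDK and not code from either answer: `GatewayVault` is a hypothetical in-memory stand-in for the gateway's Customer Information Manager, the profile IDs it issues are random rather than real, and `looks_like_pan` is the kind of Luhn-filtered digit scan a merchant would run over its own records and logs to confirm no full PAN ever reached them. The XML it parses is the masked response quoted in the answer above.

```python
"""Added example (not from the answers or Authorize.Net): the card-vault flow
with an in-memory stand-in for the gateway, the merchant-side parse of the
masked getCustomerPaymentProfile response, and a PAN scan over merchant data."""
import re
import secrets
import xml.etree.ElementTree as ET

ANET_NS = {"a": "AnetApi/xml/v1/schema/AnetApiSchema.xsd"}

# Constructed sample: the masked response quoted in the answer above.
SAMPLE_RESPONSE = """<getCustomerPaymentProfileResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages><resultCode>Ok</resultCode>
    <message><code>I00001</code><text>Successful.</text></message></messages>
  <paymentProfile>
    <customerProfileId>39598611</customerProfileId>
    <customerPaymentProfileId>35936989</customerPaymentProfileId>
    <payment><creditCard>
      <cardNumber>XXXX1111</cardNumber>
      <expirationDate>XXXX</expirationDate>
    </creditCard></payment>
  </paymentProfile>
</getCustomerPaymentProfileResponse>"""


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it, so it is the usual PAN-scanner filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")   # 13-19 digits, spaces/dashes allowed


def looks_like_pan(text: str) -> bool:
    """Flag any Luhn-valid 13-19 digit run: a cheap scan for PANs leaking into storage or logs."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text))


class GatewayVault:
    """Hypothetical in-memory stand-in for the gateway vault (Authorize.Net's CIM /
    Customer Profiles). Only this object ever holds the full card number."""

    def __init__(self) -> None:
        self._profiles: dict[str, tuple[str, str]] = {}   # profile ID -> (pan, expiration)

    def create_payment_profile(self, pan: str, expiration: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        profile_id = str(secrets.randbelow(10**8))         # opaque ID issued by the gateway (made up here)
        self._profiles[profile_id] = (pan, expiration)
        return profile_id

    def get_payment_profile(self, profile_id: str) -> str:
        """Return the masked profile, shaped like getCustomerPaymentProfileResponse."""
        pan, _ = self._profiles[profile_id]
        return (f'<getCustomerPaymentProfileResponse xmlns="{ANET_NS["a"]}">'
                "<messages><resultCode>Ok</resultCode></messages>"
                f"<paymentProfile><customerPaymentProfileId>{profile_id}</customerPaymentProfileId>"
                f"<payment><creditCard><cardNumber>XXXX{pan[-4:]}</cardNumber>"
                "<expirationDate>XXXX</expirationDate></creditCard></payment>"
                "</paymentProfile></getCustomerPaymentProfileResponse>")

    def charge(self, profile_id: str, amount_cents: int) -> dict:
        """Charge by profile ID; the merchant never sends the card number again."""
        pan, _ = self._profiles[profile_id]
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def parse_payment_profile(xml_text: str) -> dict:
    """Pull the merchant-visible fields out of a getCustomerPaymentProfile response."""
    root = ET.fromstring(xml_text)
    if root.findtext("a:messages/a:resultCode", namespaces=ANET_NS) != "Ok":
        raise ValueError("gateway returned an error")
    profile = root.find("a:paymentProfile", ANET_NS)
    masked = profile.findtext("a:payment/a:creditCard/a:cardNumber", namespaces=ANET_NS)
    return {
        "customerProfileId": profile.findtext("a:customerProfileId", namespaces=ANET_NS),
        "customerPaymentProfileId": profile.findtext("a:customerPaymentProfileId", namespaces=ANET_NS),
        "masked": masked,
        "last4": masked[-4:],
    }


def merchant_checkout(vault: GatewayVault, pan: str, expiration: str) -> dict:
    """What the merchant persists after vaulting: the profile ID and display data, never the PAN."""
    profile_id = vault.create_payment_profile(pan, expiration)
    profile = parse_payment_profile(vault.get_payment_profile(profile_id))
    record = {"paymentProfileId": profile["customerPaymentProfileId"],
              "display": f"**** {profile['last4']}"}
    if looks_like_pan(repr(record)):                        # guard against the PAN reaching merchant storage
        raise RuntimeError("full card number must not reach merchant storage")
    return record


if __name__ == "__main__":
    vault = GatewayVault()
    saved = merchant_checkout(vault, "4111 1111 1111 1111", "2030-12")   # test PAN, constructed
    print(saved, vault.charge(saved["paymentProfileId"], 1999))
```

Against the real gateway the two `GatewayVault` calls become the createCustomerPaymentProfile and getCustomerPaymentProfile API requests (and `charge` becomes a createTransaction request referencing the profile), but the merchant-side shape stays the same: the only card data that ever lands in the merchant's database is the profile ID plus the masked tail, and the `looks_like_pan` scan is worth running over request logs and error dumps as well as the database, since those are where a full PAN tends to leak first.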