
What if I stored encrypted credit card info in the browser's localStorage? When the user visits the site again, the credit card field is prepopulated by JavaScript. The form itself points directly to a payment processor, so credit card info is never transmitted to my server.

Of course, my site and the payment processor's site are accessed via https.

Is this PCI compliant? Is this a bad way to do things?

ty.
  • I think it's a bad thing to do *if you don't notify the user* that you're doing it (and probably let them opt out). I'll let others argue about whether it is PCI-compliant. – iconoclast Jan 07 '13 at 19:05
  • Note that Google says it's a bad idea. See **LocalStorage is Not Secure Storage** section in https://developers.google.com/web-toolkit/doc/latest/DevGuideHtml5Storage – surj Jan 14 '13 at 21:25

3 Answers


I am not certain that falls under the PCI-DSS regulations. Storing customer data in potentially hackable files is the big concern.

Mike
  • By this I assume you mean hackable and *on a server*? Anything on the client's machine *is* ***potentially*** hackable, although I suspect you may be right that they don't cover data stored on the client's machine. – iconoclast Dec 30 '12 at 21:20

Not sure about PCI compliance, but you can also store credit card info in an HTTPS-only cookie.

sanmai

Since the card # would essentially be stored on the client's machine, (with my interpretation of PCI-DSS) you have no way to restrict or monitor access to that data even though it's encrypted. Sounds to me to be non-compliant.

belwood
  • This sounds more like a contradiction of Mike's answer. – iconoclast Dec 30 '12 at 21:18
  • Mike says it is out of scope for the PCI regulations and you say it is non-compliant. That's almost the opposite. Out of scope means it wouldn't affect compliance. – iconoclast Jan 03 '13 at 23:20
  • Thanks! Mike's first statement clearly didn't register in my brain -- I've edited my answer to suit – belwood Jan 07 '13 at 18:59