Storing partial credit card numbers

后端 未结 7 1739
灰色年华
灰色年华 2021-01-30 18:25

Possible Duplicates:

  1. Best practices for taking and storing credit card information with PHP
  2. Storing credit card details
  3. Storing Credit Card Infor
相关标签:
7条回答
  • 2021-01-30 18:38

    If you don't need to store the whole credit card number, why do you need to store it at all? If you want to save the financial institution that issued the card, why don't you store the financial institution that issued the card?

    0 讨论(0)
  • 2021-01-30 18:43

    March 2013 Edit:
    A very pertinent resource is the PCI Security Standards Council, an organisation founded in 2006 by five of the biggest global Credit Card brands (AmEx, Visa, MasterCard, JCB International and Discovery) and which is the de facto authority on Security matters for the Payment Card Industry (PCI).
    This organization publishes in particular the PCI Data Security Standard, currently in its version 2.0 edition which covers issues such as the management of complete or partial credit card numbers. This document if freely available but requires a simple registration and acknowledgment of license terms.

    The following is the original, c. 2009 answer, mostly correct but apocryphal.
    A common practice (whether legal or not I do not know) is to store the last 4 digits, as this may be used to help the customer confirm which of his/her credit cards were used for a particular transaction.

    Without significantly improving the odds of a malicious person guessing the complete number, one can store the first 4 digits which are representative of the financial institution which issued the card, as mentioned in the question.

    Do NOT, save many more digits than these 8 digits because otherwise, given the LUHN-10 checksum, you may provide enough info to make guessing the complete number more plausible (if still relatively hard, even with insight from the series used by a given issuer, in a given time period, but one should be careful...)

    To make this whole thing safer, technically and legally, you may consider only storing such info if the customer explicitly allows it. You should also consider masking this info with a simple hash for storing in the database.

    Also, what you can / should store following a particular transaction, is the transaction ID supplied by the Credit Card Processor, at the time the transacton is submitted. This ID is the key that allows locating most (all?) of the info you would even need, would there be any issue with a particular transaction. This type of info can typically be queried from a secure web site maintained by the Processing company, along with some aggregate reports which may include a grouping by card-type (Amex, Visa...) if that is why you are thinking of storing the first four.

    0 讨论(0)
  • 2021-01-30 18:44

    The credit card companies have a standard for this. You'll probably find it buried somewhere in the terms of service of your payment processor that you will obey this standard. It answers you questions. You can find the standard here

    0 讨论(0)
  • 2021-01-30 18:51

    Your specific question is answered in sec 3.3 of the PCI/DSS document. First six and last four are max for display. Customer (paper?) receipts are more restrictive. Those with a legitimiate need to know can see full card data.

    My recommendation is to contact your merchant provider and see what options are available to you. A number of the modern transaction gateways have "vault" features where sensitive information is stored at the provider and you simply reference customers by a token number when you want to bill them or check account information.

    Along the same lines use of transaction specific tokens can be used to reference needed data stored on the providers system.

    However I can't stress enough the importance of reading and understanding PCI DSS. Simply punting secure storage does not magically obsolve you from being subject to PCI compliance requirements!! This is only possible when your system never touches full card data.

    0 讨论(0)
  • 2021-01-30 18:53

    The accepted pattern is don't store them at all.

    In certain jurisdictions you may be breaking the law by storing them or any part of them.

    You could instead, store a one-way (and therefore unrecoverable) hash of the credit card number.

    0 讨论(0)
  • 2021-01-30 18:54

    Here in Canada, the usual way is to store the first 4 digit ( to identify the financial institution) and the 4 last digit to identify the credit card.

    But be sure that you didn't break any laws.

    0 讨论(0)
提交回复
热议问题