Credit Card Information Storage

So, I know that there have been many reports about storing credit card information. We are creating a mobile application and want people to be able to enter their card information once, not with every purchase.

We looked at Authorize.net CIM, and this is the ideal solution (we just save the profile or token identifier that it returns in place of the credit card number) ... but this may not meet our needs, as the credit card information is not necessarily processed by Authorize.net, and we also send payments for other merchant accounts. In other words, we want to store credit card information like a wallet ... it is not necessary to process it with Authorize.net every time.

While reading the CIM XML documentation (p. 94), it looks like getCustomerPaymentProfileResponse masks the credit card data it returns ... so I don't see how it would be useful for processing if the data is masked?

We have some other options for implementation, but I was really hoping for a web interface for managing billing accounts. Does anyone know of any way to store credit card information that can be called up on demand and passed to any particular payment processor?

EDIT 4.28.2011 - I am on the fence about this. What if we don't store credit card information at all, and customers must enter it and we then pass it on ... how would we do that safely? Don't store it, transmit via HTTPS, encrypt the card data in transit?

+8
payment credit-card pci-dss payment-gateway
3 answers

Unfortunately, there is no easy way to achieve this.

As you know, payment service providers will securely store card data and return a token identifier (so you can reference this data), but they will never return the original card data to you.

This is because the PSP has to comply with PCI-DSS. Part of that compliance is ensuring that card data is only transmitted to parties (for example, other third parties) that are also PCI-DSS compliant. If they were to return the card data from storage to the client, they would need to make sure that the client is also PCI-DSS compliant (which would largely defeat the point of the client using a payment service provider!).

So your options are:
- Become PCI-DSS compliant yourself, so that you can store card data securely.
- Save the card details with each payment service provider you interact with and store the token returned by each.

+8

Stripe does something like this. They process the card data without you having to store it and return you a credit card token, which you can then:

  • either use to make a one-time payment, OR
  • save as a "customer" and then bill in the future, either on demand or on an automatically recurring basis.

There is a good RailsCast on billing with Stripe, which is worth checking out. Very developer-friendly.

+3

Edit
I just realized that Authorize.Net CIM is a kind of tokenization service, so you probably know about it already. I'll leave this here, though, as it may be useful for someone else.

If these vendors / merchants are willing to change their API, I would look at card tokenization. This is a feature offered by some processors that allows transactions without a card number. The way it works is that on the first transaction the user passes their card information to the processor, which passes back a token to the merchant that uniquely identifies the cardholder data for that user and merchant, and the user's card data is stored inside the processor.

You can then save these tokens and pass them to the payment providers, which in turn use them to process transactions. I assume that these tokens will be unique to a particular merchant, so you would probably have to store one token per vendor / merchant for a given user.

There may be a rule about this where the vendor / merchant cannot proxy tokens or otherwise obtain them from a third party. If so, your vendors could provide a new token / pointer, which maps to the token they store internally for use with their card processor ...

Google: Credit Card Tokenization

PCI Standards

PCI-DSS is no joke, and while these merchants / vendors may not technically need to disclose to their processor that your application stores card numbers, if they do disclose it, it can get messy. One of two things can happen:

  • The provider may be forced to prevent your application from using the API.
  • Your application must become PCI certified.
+1
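The token-per-provider flow that the first and third answers describe, and the masked "get profile" response the question asks about, as an added example that is not code from the original thread or from Authorize.net or Stripe. `MockPSP`, `MerchantWallet`, `run_flow` and the token format are constructed stand-ins; the card number is a constructed sample.

```python
"""Added example: how card tokenization keeps the merchant out of PAN storage.

MockPSP stands in for a PCI-DSS-scoped payment service provider (a constructed
stand-in, not the Authorize.net or Stripe API). The merchant side keeps one
token per PSP per user and never holds the full card number.
"""
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Client-side sanity check on a card number before sending it anywhere."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What a 'get profile' call returns: only the last four digits survive."""
    return "X" * (len(pan) - 4) + pan[-4:]


class MockPSP:
    """Simulated payment service provider holding the card vault (constructed)."""

    def __init__(self, name: str):
        self.name = name
        self._vault: dict[str, dict] = {}   # token -> card record, PSP side only

    def tokenize(self, merchant_id: str, pan: str, exp: str) -> str:
        """First transaction: card data comes in, a provider-specific token goes out."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = f"{self.name}_tok_{secrets.token_hex(8)}"
        self._vault[token] = {"merchant": merchant_id, "pan": pan, "exp": exp}
        return token

    def _lookup(self, merchant_id: str, token: str) -> dict:
        rec = self._vault.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            # Tokens are bound to the issuing PSP and merchant; foreign tokens fail.
            raise PermissionError(f"{self.name}: unknown token for {merchant_id}")
        return rec

    def get_profile(self, merchant_id: str, token: str) -> dict:
        """Masked, as the question observes for CIM: never the raw PAN."""
        rec = self._lookup(merchant_id, token)
        return {"masked_pan": mask_pan(rec["pan"]), "exp": rec["exp"]}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Later transactions reference the token only."""
        rec = self._lookup(merchant_id, token)
        return {"approved": True, "amount_cents": amount_cents,
                "last4": rec["pan"][-4:], "psp": self.name}


@dataclass
class MerchantWallet:
    """Merchant-side 'wallet': user -> {psp name: token}. Holds no card data."""
    merchant_id: str
    tokens: dict[str, dict[str, str]] = field(default_factory=dict)

    def enroll(self, user: str, psps: list, pan: str, exp: str) -> None:
        # In the real flow the mobile client would post the card to each PSP
        # directly; here the card data passes through without being kept.
        self.tokens[user] = {p.name: p.tokenize(self.merchant_id, pan, exp) for p in psps}

    def charge(self, user: str, psp: MockPSP, amount_cents: int) -> dict:
        return psp.charge(self.merchant_id, self.tokens[user][psp.name], amount_cents)


def run_flow() -> dict:
    """Enroll one card once, then charge through two different providers."""
    psp_a, psp_b = MockPSP("pspA"), MockPSP("pspB")
    wallet = MerchantWallet("merchant-42")
    sample_pan = "4111111111111111"        # constructed sample number (passes Luhn)
    wallet.enroll("alice", [psp_a, psp_b], sample_pan, "12/29")
    token_a = wallet.tokens["alice"]["pspA"]
    try:                                   # pspA's token means nothing to pspB
        psp_b.charge("merchant-42", token_a, 100)
        cross_psp_rejected = False
    except PermissionError:
        cross_psp_rejected = True
    return {
        "profile_a": psp_a.get_profile("merchant-42", token_a),
        "charge_a": wallet.charge("alice", psp_a, 1999),
        "charge_b": wallet.charge("alice", psp_b, 500),
        "cross_psp_rejected": cross_psp_rejected,
        "merchant_holds_pan": sample_pan in repr(wallet),
    }


if __name__ == "__main__":
    print(run_flow())
```

The point of `run_flow` is the last two keys: the merchant's stored state contains no card number, and a token issued by one provider is useless at another, which is why the third answer expects one token per provider per user.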
