Storage of credit card data in the database


I’m about to incorporate a payment module into my mobile application (I plan to use Moip and in the future Pagseguro). I would like an Uber-style payment system, in which the customer provides his credit card details and these are saved so that later he can pay with just one click.

My knowledge of data security is virtually null, and I would like to know what precautions I should take when storing this data in my database.

I designed the system to not store the CVV code to improve security. But I don’t think that’s enough. Could someone give me some tips or, if possible, give me some material that I can study to develop this "in-app" payment module? Thanks in advance!

  • Hire a specialist. My knowledge is far from null: I have 35 years of experience in IT, and for security I prefer to hire an expert. I’m just afraid of whether, even with all this experience, I’ll be able to hire a good one. Imagine if I’m going to take a risk with something so serious. I find the question too broad.

  • I second what @bigown said. It’s a very big responsibility to bear alone. The ideal would be to hire a third party to assist with development. I saw in some banks great techniques such as not saving the entire card number (masked with ****, keeping only the first and last 4 digits saved), and possibly encrypting the other characters in another table (I did not have access to this table). But ideally someone with experience would do it. The slightest carelessness can cause the ruin of your system and your reputation when dealing with this.

    I understand. You are entirely correct. I am the sole employee of a startup. That is, my boss throws everything into my hands. In that case, I cannot take responsibility, it is very dangerous. Thank you very much!!!

1 answer

A while ago, before Mercadopago and Paying were popular, I worked at a company that wanted to process payments directly with the card operator. At the time the operator said that we could not retain customer card data, and there were a lot of requirements to be able to integrate with their system. I don’t know what their stance is now, but in any case here is a link with several interesting references on security, covering the ABNT and ISO standards and others such as SOX: http://mcsesolution.com.br/blog/2016/02/29/padres-e-normas-relacionadas-segurana-da-informao/

See for example this excerpt from PCI (Payment Card Industry), which gives storage security suggestions such as tokenization and cryptography:

Tokenization has a similar goal to cryptography, but it works differently. It replaces the card data with meaningless data (a "token"), which has no value to a hacker.

Sources: https://pt.pcisecuritystandards.org/minisite/env2/
https://pt.pcisecuritystandards.org/onelink/pcisecurity/en2pt/Minisite/en/Docs/Small_merchant_guide_to_safe_payments.pdf

Apart from all that, there is this post right here on SO on the subject, which I suggest reading: How to Store Credit Card Data Securely?

  • Thank you very much for the sources Ricardo! I have come to the conclusion that I cannot assume this responsibility since I am not an expert in information security and I am the only engineer/developer of the startup where I work. Anyway, thanks! I’ll study the references and talk to my boss about it.

  • @Brenomacena, it’s a good decision; it is a lot of responsibility, there are good companies that do it, and you’ll always be able to hold them responsible for security.
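To make the tokenization idea from the answer (and the masking idea from the comments on the question) concrete, here is an added example that is not part of the original question, answer or comments. It models the split that PCI recommends: the merchant application database keeps only a random token, a masked card number and the expiry, while the full PAN lives in a vault. The `CardVault` class, the `StoredCard` record and all function names are assumptions made for this illustration; in a real deployment the vault is the payment provider's tokenization service (Moip, Pagseguro, etc.) and the merchant never operates one itself. The CVV is accepted for the authorization call and then discarded, never stored, as the question already intends. The test card number is the constructed, well-known test value 4111111111111111.

```python
"""Added example: card tokenization and masking as PCI describes it.

Assumptions (hypothetical, for illustration only):
  * CardVault stands in for the payment provider's tokenization service.
    A merchant must not build its own vault; this in-memory dictionary
    exists only to show what the token does and does not reveal.
  * StoredCard is what the merchant application database keeps: token,
    masked PAN and expiry. There is deliberately no CVV field.
"""
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` passes the Luhn checksum.

    This only catches typos in the number; it says nothing about fraud.
    """
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the first 4 and last 4 digits.

    PCI DSS allows at most the first 6 and last 4 to be shown; keeping
    4 + 4, as the comment above describes, is stricter than that.
    """
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]


class CardVault:
    """Stand-in for the provider's vault (token -> PAN), outside the merchant DB."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a fresh random token for `pan` after a basic validity check."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # A random token has no mathematical relationship to the PAN, so a
        # leaked token reveals nothing about the card (unlike weak encryption).
        token = secrets.token_urlsafe(24)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; only the vault can do this."""
        return self._store[token]


@dataclass(frozen=True)
class StoredCard:
    """The only card-related data the merchant application database holds."""
    token: str
    masked_pan: str
    expiry: str  # "MM/YY"
    # No cvv field on purpose: the CVV must never be stored after authorization.


def save_card(vault: CardVault, pan: str, expiry: str, cvv: str) -> StoredCard:
    """Exchange the raw card for a token and keep only non-sensitive fields.

    `cvv` would be passed to the provider for the first authorization only;
    here it is simply not retained.
    """
    token = vault.tokenize(pan)
    return StoredCard(token=token, masked_pan=mask_pan(pan), expiry=expiry)


def record_leaks_pan(record: StoredCard, pan: str) -> bool:
    """True if the stored record would reveal the full card number."""
    return pan in record.token or pan in record.masked_pan


if __name__ == "__main__":
    vault = CardVault()
    rec = save_card(vault, "4111111111111111", "12/30", "123")
    print(rec)                      # token + "4111********1111" + expiry, no CVV
    print(vault.detokenize(rec.token))  # only the vault can recover the PAN
```

The split is the whole point: a breach of the merchant database yields tokens that are useless without the provider's vault, and a masked number that cannot be replayed. Note that the token must be bound to your merchant account on the provider side (a stolen token should not be usable by someone else), which is another reason to leave the vault to the provider rather than run the dictionary above yourself.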
