Hi all,

I just want to ask how I can safely store credit card information in a database. My website only needs the information one time, but I can’t decide if I should store the credit card information in the database. I think I only need it one time, but I was thinking of a scenario wherein user will change his/her credit card info. >_<…any tips would help me a lot. Bdw, my payment scheme is recurring via PayPal Payment Pro.


8 Years
Discussion Span
Last Post by nelixinc

By the card association it isn't allowed to store card information other then part of the credit card numbers if it is encrypted and you are PCI compliant....

You can read much more about this topic at the official website about PCI compliance and card holder data protection, here is the link : https://www.pcisecuritystandards.org/


If users check a box, such as on amazon, to "remember" their credit card information for future purchases, it is OK to store the information. It should be stored in a hash, including the CC# and expiration date. You should never under any circumstance store the CCID number.


Yep it is okay, but still, if you store ANY credit card information what so ever, you have to be PCI compliant.... so care about it else it will cost you huge fines if something goes wrong.


I'm still not at-ease in giving credit card information through the net, and any personal information whatsoever. How safe are the safety "nets" you are referring to here? Might be useful in my future dealings though.


As long as the websites and the server it is hosted on is PCI compliant, and the compliance is maintained on a regular basis, then it is safe to key in your credit card information and other personal information.

Many websites will redirect the card holder to a “shared” or “secure” payment form which is hosted at the payment gateways end, and which (if the PSP is PCI compliant) is secure. In some cases and on large web shops it is sometimes of benefit for the website owner to integrate their website directly with the payment gateway which keeps the card holder on the website which then again will leave the card holder get a better experience in some cases.

However, since PCI hasn’t reached all websites and web shops on the Internet, then you will still find places which don’t redirect you to a secure payment form and which aren’t PCI compliant. This websites are unsecure and you should avoid them for any price. If they for any reason are unable to obtain a valid PCI certificate then you can be assured that it isn’t safe to enter your credit card information there.

I have seen many cases, where those website owners want to have the card holder to be kept on the Website/web shop without being redirected to any secure payment form, due to a more professional look and various other reasons, as they explain.

I even heard that some want to store the card information because they want to use it for marketing and fraud prevention. However at the end of the road they didn’t care about the security, people think that just because the card information is encrypted then it is safe to store it, to those people, you are SO WRONG, it take so much more to get the proper security implemented to avoid any security breach or even avoid hackers to get the information. It is a task which many think they can overcome but they quickly see that it will cost a few bugs to get it done and because of additional expenses they just leave it and pray that nothing happens or even just don’t care about it.

It isn’t that expansive for a website owner to get compliant and have the proper security and patches applied to your server, and you can find some low cost providers like hackersafe which will help you to be and stay complaint. In my opinion a few thousand dollars should be worth it.

Many people will try to tell you other stories and have found the key to a short cut, don’t believe them; you have to follow the PCI compliance regulations which I already provided a link for.


I'm still not at-ease in giving credit card information through the net, and any personal information whatsoever.

I'm with you -- I don't buy anything on the net unless that's the only way to get it. There are just too many instances of where huge company databases have been stolen by credit card thieves. If the datase is available on the net then its not safe.


Some gateways will allow you to tokenize an initial transaction and use that token to run subsequent transactions. For example, you run an initial auth of a credit card for $1, and return a token that you store in your database. You immediately discard the credit card information. Whenever you need to run a transaction for a particular customer, you reference that token to run the transaction.

This allows you to rebill past customers and setup "one click" purchases for your customers. At the same time, you no longer store credit card information in your database. You don't have to mess with credit card encryption, and at the same time you satisfy many of the PCI requirements by simply not storing credit card information.

Our gateway supports this (you can read more at www.transaxdevelopers.com) and we have example integration in a number of databases (www.transaxdevelopers.com/flexport).

I hope this helps!

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.