I'm building an ecommerce site and I was wondering if developers usually use MySQL to store credit card information? Or do they use some other service to store credit card information? I want my website to be secure for my users.
I'm no expert at e-commerce, but one tip I can give you is to purchase an SSL certificate to make a site secure. If you go to a website like Amazon, you'll see the URL containing https://example.com during purchases.
https://www.verisign.com/ Verisign is one of the companies that provide SSL certificates. I think amazon uses this as well. Making the site secure for users usually means that user information like passwords and credit cards get encrypted BEFORE it reaches your server.
Use encryption methods before saving the credit card information in your database.
Use a third-party payment gateway; they will take care of all of this.
Then you need not save credit card information in your database.
The short answer is you'll need at least 128-bit SSL, encrypted MySQL, a firewall that's regularly maintained, and strict limits to user access to data.
You're on the right track with database encryption and SSL. If you're an e-commerce site you have two options:
1. You can store credit card information yourself, or use a third party tool to which you transmit collected payment data. An example would be the PayPal API or any payment processor.
2. You can let a third party handle all processing, storage, and collection/transmission of such data. An example would be PayPal Website Payments Standard.
The difference in what you'll need to do is huge! If you go with option 1, which means you're involved in any way with the collection of payment information, the storage of this information in a database, or even just the transmission of this information to a third party processing tool, you'll need to be PCI compliant, which has requirements as to what you'll need to do regarding database encryption, SSL, storage, audits, and user access. If you go with option 2, users will leave your website for a special PayPal (or other payment processor's) page, enter their information there, complete the transaction, and only afterwards return to your web site. With this option you do not need to deal with PCI compliance.
In a nutshell, for PCI compliance you'll need to do:
1. Purchase an SSL certificate from a third party that will verify your identity (e.g. GeoTrust, Verisign, etc.). Do not generate one yourself or use a free one. All transmission of sensitive information will be done using this secure connection.
2. Use database encryption to store all credit card information, and make sure you have heavy restrictions on user access.
3. Maintain and regularly update a firewall.
4. Monitor your access logs and server logs regularly to make sure nobody has breached your system.
5. Complete audits once in a while from third parties to verify compliance.
6. Fill out some documents to verify your compliance.
7. Develop and maintain a security policy.
There are other small things, but that's the basic summary of what you'll need to do. Good luck!
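The following is an added example, not code from any of the answers above, illustrating the data-minimisation idea behind option 2 and the storage restrictions in point 2 of the PCI list: the merchant's own database holds only an opaque token from the payment processor plus the last four digits, never the full card number or CVV. The gateway here (MockGateway) is a hypothetical stand-in for a real processor such as PayPal, the sqlite3 in-memory database stands in for MySQL, and the card number is the well-known Visa test number, not real card data. It also shows two defensive checks a practitioner would add around that flow: a Luhn check before sending a number to the gateway, and a log redaction helper so card numbers never end up in server logs (point 4 of the list becomes much easier when logs cannot contain PANs in the first place).

```python
import re
import secrets
import sqlite3

# --- Card-number hygiene ---------------------------------------------------

def luhn_ok(pan: str) -> bool:
    """Luhn checksum on a 13-19 digit card number; spaces are allowed."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits."""
    return "**** **** **** " + pan.replace(" ", "")[-4:]


# Anything that looks like a 13-19 digit card number, with optional spaces/dashes.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_for_log(text: str) -> str:
    """Replace card-number-like runs before the text reaches a log line."""
    return _PAN_RE.sub(lambda m: "****" + re.sub(r"\D", "", m.group())[-4:], text)


# --- Hypothetical third-party gateway (stand-in for PayPal, etc.) ----------

class MockGateway:
    """Keeps the PAN in its own vault and returns an opaque token to the merchant."""

    def __init__(self):
        self._vault = {}   # token -> card data; lives only on the gateway side

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> str:
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (pan.replace(" ", ""), exp_month, exp_year)
        return token


# --- Merchant-side storage (sqlite3 standing in for MySQL) -----------------

def open_store() -> sqlite3.Connection:
    """Schema deliberately has no column for the full card number or the CVV."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE payment_methods (
        id INTEGER PRIMARY KEY,
        user_id TEXT NOT NULL,
        gateway_token TEXT NOT NULL,
        last4 TEXT NOT NULL,
        exp_month INTEGER NOT NULL,
        exp_year INTEGER NOT NULL)""")
    return conn


def save_payment_method(conn, gateway, user_id, pan, exp_month, exp_year) -> str:
    """Checkout path: the PAN goes to the gateway once; only token + last4 persist."""
    token = gateway.tokenize(pan, exp_month, exp_year)
    conn.execute(
        "INSERT INTO payment_methods (user_id, gateway_token, last4, exp_month, exp_year) "
        "VALUES (?, ?, ?, ?, ?)",
        (user_id, token, pan.replace(" ", "")[-4:], exp_month, exp_year))
    conn.commit()
    return token


def load_payment_method(conn, user_id):
    """What the merchant can show the user later: masked digits and expiry only."""
    row = conn.execute(
        "SELECT gateway_token, last4, exp_month, exp_year FROM payment_methods "
        "WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    return {"token": row[0], "last4": row[1], "exp_month": row[2], "exp_year": row[3]}


def dump_everything(conn):
    """Every persisted row as text, used to verify the PAN is absent from the DB."""
    return [str(r) for r in conn.execute("SELECT * FROM payment_methods")]


if __name__ == "__main__":
    gw, db = MockGateway(), open_store()
    save_payment_method(db, gw, "user-42", "4111 1111 1111 1111", 12, 2030)
    print(load_payment_method(db, "user-42"))
    print(redact_for_log("charge for 4111111111111111 declined"))
```

Charging the saved card later means sending the token back to the gateway; the merchant never needs the number again, so a database breach exposes tokens that are useless outside that gateway account, and the MySQL encryption, access restrictions and audit scope from the list above shrink to the much smaller set of systems that actually touch card data.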