I made a website which requires the user to enter their credit card details for virtual money transfer inside the website only. I only take the first two numbers of the card in order to detect the card type, and I take the last four because of the UI design.

Is there any chance I can get in trouble with this? If so, are there any recommendations to avoid that?

P.S.: I know this is off-topic, but I would be glad to find this out.


All 5 Replies

I take it you get this information over HTTPS and then never store it in the database. If you do store it, it's with one-way encryption plus salt, just like everyone does with name and password.

Now moving on to get in trouble, what does your lawyer say?

Yes, you can get in trouble. There are very strict guidelines that dictate which entities are permitted to store credit cards in their database, or even under which circumstances you can collect credit card information.

A set of standards called PCI DSS (Payment Card Industry Data Security Standard) specifies who, what, where, when, and why businesses may collect and store credit card information.

You may consult an attorney (and pay for it!) if you feel like you need more help understanding. However, if you are a business that accepts credit cards, it is your responsibility to be aware of and keep yourself updated on all of the PCI DSS requirements and to ensure that your business is taking the necessary steps.

In my case, my credit card merchant audits me on a regular basis to ensure I'm in compliance.

This is not something you should need to hire a business / finance attorney for. Even if you are having difficulty understanding the PCI website, there are people who work at your credit card merchant who should be able to work with you to explain the exact requirements you need to be in compliance.

You can get more information at https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

If you have questions, I would begin by reaching out to the PCI Compliance division of your credit card merchant. (Stripe and Braintree are the two popular ones for online processing.)

Okay! After a lot of research and talking with a lawyer, I came to the conclusion that I should not ask for the user's credit card details. Instead, I will ask for the IBAN number, to detect the bank name and country of the user; with this, even if I wanted to, I could not abuse that number after all, since it is only for receiving money. So do you have any knowledge in this field on how I can detect the bank name? Or is there any ready-to-use PHP function/code for this? Like I said, I would like to detect the bank name and the country of the user for UI experience purposes. Is that possible?

Thank you for the reply
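As an added example (not code from this thread), the PHP below validates an IBAN with the standard mod-97 check, reads the country from the first two characters and the bank identifier from the country-specific BBAN position, and then looks the bank up in a placeholder table. The `BANK_ID_SPEC` offsets are assumptions drawn from the published national formats for a handful of countries, and every `BANK_NAMES` entry is constructed; a real deployment would replace that table with a national bank-code registry.

```php
<?php
// Bank identifier position inside the BBAN for a few countries (assumption:
// taken from the national IBAN layouts; extend for other countries).
const BANK_ID_SPEC = [
    'DE' => [0, 8],  // Bankleitzahl, 8 digits
    'GB' => [0, 4],  // 4-letter bank code, sort code follows
    'NL' => [0, 4],  // 4-letter bank code
    'FR' => [0, 5],  // 5-digit code banque
];

// Constructed lookup table standing in for a real bank-code registry.
const BANK_NAMES = [
    'DE:37040044' => 'Example Bank DE (constructed)',
    'GB:WEST'     => 'Example Bank GB (constructed)',
];

function iban_normalize(string $iban): string {
    return strtoupper(preg_replace('/\s+/', '', $iban));
}

function iban_is_valid(string $iban): bool {
    $iban = iban_normalize($iban);
    if (!preg_match('/^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$/', $iban)) {
        return false;
    }
    // Move the first four characters to the end, map A..Z to 10..35.
    $digits = '';
    foreach (str_split(substr($iban, 4) . substr($iban, 0, 4)) as $ch) {
        $digits .= ctype_alpha($ch) ? (string)(ord($ch) - 55) : $ch;
    }
    // Mod 97 in 7-digit chunks so the intermediate value stays a small int.
    $remainder = 0;
    foreach (str_split($digits, 7) as $chunk) {
        $remainder = (int)($remainder . $chunk) % 97;
    }
    return $remainder === 1;
}

function iban_bank_info(string $iban): ?array {
    $iban = iban_normalize($iban);
    if (!iban_is_valid($iban)) {
        return null;  // reject before trusting any field of the input
    }
    $country = substr($iban, 0, 2);
    $bankId = null;
    if (isset(BANK_ID_SPEC[$country])) {
        [$offset, $length] = BANK_ID_SPEC[$country];
        $bankId = substr($iban, 4 + $offset, $length);
    }
    $name = $bankId === null ? null : (BANK_NAMES["$country:$bankId"] ?? null);
    return ['country' => $country, 'bank_id' => $bankId, 'bank_name' => $name];
}

// The two IBANs below are the publicly documented sample values, not real accounts.
var_dump(iban_bank_info('DE89 3704 0044 0532 0130 00'));
var_dump(iban_bank_info('GB82 WEST 1234 5698 7654 32'));
var_dump(iban_is_valid('GB82 WEST 1234 5698 7654 33'));
```

The last call exercises the failure path: a single altered digit fails the mod-97 check, so the function returns false rather than a guessed bank.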

What about letting them input what you need to know upfront rather than trying to divine the information?

@rproffitt I want to test my skills in UI and that's why I want to do it this way :)
