This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Storing credit card details

April 08, 2011 8:02am

  • #1 / Apr 08, 2011 8:02am

    Sam Sullivan

    64 posts

    Hi,

    I have been building a shopping cart website (with the excellent Cartthrob) and at registration there’s an option for customers to store their credit card details, which are then stored as Custom Profile Fields in the customer’s member account.

    Is this the most secure place to keep them? And is there anything other than SSL you would recommend I do to make these details safe?

    thanks,

    Sam

  • #2 / Apr 08, 2011 7:05pm

    Sue Crocker

    26054 posts

    I don’t have a suggestion for you on this one... What do the CartThrob people have to say on the issue?

  • #3 / Apr 09, 2011 12:01am

    Jason Morehead

    456 posts

    FWIW, I’d recommend that you do NOT do this. AFAIK, there’s no way to encrypt/encode the contents of a custom profile field, which means that the credit card numbers would not be stored securely in the DB, which opens you (or your client) up to some potential liability. At the very least, I think this means that you would not be PCI compliant.

    I recently built a site using CartThrob, and at most, it’ll store the last 4 digits of the credit card number as part of the order. More info here:

    Like most ecommerce systems, CartThrob was built with security in mind, and can be made secure simply and effectively. At a minimum, nowhere in CartThrob’s system does it store any raw credit card data at any time. Numbers, magnetic stripe data, primary account numbers, and CVV2 numbers are not stored natively by CartThrob.

  • #4 / Apr 09, 2011 8:13am

    Sam Sullivan

    64 posts

    I kind of thought so, seemed too good to be true.

    I’ve just found this in the Cartthrob settings:

    Last Four Digits: Storing entire credit card numbers is not a safe idea, and not PCI compliant. You may store the last 4 digits of a credit card for future reference and still maintain PCI compliance.

    Along with info from https://www.pcisecuritystandards.org I reckon it makes perfect sense not to open us up to risks.

    I was after an easy method for customers to re-order, although, only having to add their card numbers at checkout is not too much of a drag, as their address details will still be stored on the system.

    Thanks again, and I’ll stop thinking I can afford the security Amazon has on offer!
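A defender's check for the situation discussed in posts #3 and #4, as an added Python example that is not part of this thread nor of CartThrob or ExpressionEngine (the field names and values are constructed test data): it flags any stored profile-field value that holds a full card number and derives the only reference that may be kept, the last four digits.

```python
import re

# Constructed sample of member custom-profile-field values (not real data):
# a full test PAN, a correctly stored last-four reference, a phone number,
# and a free-text field where a PAN was pasted by accident.
SAMPLE_FIELDS = {
    "member_1/card_number": "4111 1111 1111 1111",
    "member_2/card_last_four": "1111",
    "member_3/phone": "0161 496 0000",
    "member_4/notes": "order ref 4012888888881881 pls",
}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return digit-only PAN candidates (13-19 digits, Luhn-valid) found in text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def storable_reference(pan: str) -> str:
    """The only part of a card number safe to keep for 'which card' display."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a valid card number")
    return digits[-4:]

def scan_fields(fields: dict) -> dict:
    """Map field name -> masked PANs for every field that holds a full card number."""
    findings = {}
    for name, value in fields.items():
        pans = find_pans(value)
        if pans:
            findings[name] = ["*" * (len(p) - 4) + p[-4:] for p in pans]
    return findings
```

Running scan_fields over a dump of the exp_member_data table is a quick way to confirm no full numbers ever reached the database; only the last-four field should come back clean.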

  • #5 / Apr 10, 2011 9:47am

    Sue Crocker

    26054 posts

    Thanks for the assist, Jason.

    Sam - Feel free to start a new thread if you have any more questions.
