Encrypt credit card numbers

Assuming the server is PCI compliant, is it good to use phpseclib AES-256-CBC with password and IV as below to encrypt CC securely? Is it secure enough to encrypt CC besides PCI compliance?

use phpseclib\Crypt\AES; // phpseclib 2.x namespace
$cipher = new AES(AES::MODE_CBC);
// derive a 256-bit key from the password with PBKDF2-SHA256 ('sha215' was a typo), 1000 rounds
$cipher->setPassword($password, 'pbkdf2', 'sha256', $salt, 1000, 256 / 8);
$iv_size = openssl_cipher_iv_length('AES-256-CBC');
$iv = openssl_random_pseudo_bytes($iv_size); // fresh random IV for every encryption
$cipher->setIV($iv);

In this case, you should ask the company that does the security review of your code for the PCI compliance.

If you want to store the credit card numbers, the requirement for several security reviews of the codebase per year is just one of many. You will need a separate internal network of servers that the information is stored on; these cannot be connected directly to the internet and need to be behind a firewall. The servers connected to the internet will then connect to this network through a secondary network card.

In other words, encrypting the credit card number is not enough to make you PCI compliant, and doing so is violating the rules, and can get you or the client banned from processing cards in the future, not to mention receiving a huge fine if it is noticed.


As the credit card info can only be stored on a computer without a direct internet connection, anyone with direct access to the encrypted versions of the credit card numbers would also have access to the code needed to decrypt them.


So what about using RSA instead of AES? Clients can enter the CC on the site, it will be encrypted with the public key and stored on the website, then the admin can decode it with the private key offline. Does that make sense?

That is illegal. You are not allowed to store credit card info in any format whatsoever on a computer connected to the internet. The computers you are allowed to store it on will only be accessible to your staff members who maintain the local network you are storing the information on.


IMHO not worth the risk to not use a third party, “expensive” or otherwise.
Better to chalk it up as a business expense.

Q: What are the penalties for non-compliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

http://www.focusonpci.com/site/index.php/pci-101/pci-noncompliant-consequences.html

Breach Consequences: Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder breaches can result in the following losses for a merchant.

  • $50-$90 fine per cardholder data compromised
  • Suspension of credit card acceptance by a merchant’s credit card account provider
  • Loss of reputation with customers, suppliers, and partners
  • Possible civil litigation from breached customers
  • Loss of customer trust which affects future sales

Thanks for all the advice. I hope you note that I am NOT going to ACTUALLY store CC; all these questions are just for my learning and I asked them just for educational purposes! :slight_smile:

I see shopping carts like WHMCS, eCommerce, AWBS have a feature to store the CC cards in their database for offline processors. Is this feature illegal in such software, as they cannot be used without an internet connection?

The fact that software has included this as a “feature” does not mean that it is legal to use it.

It is just like how a store in many countries can legally sell you a radar/laser detection device, but you break the law if you use it.

It’s legal until you get in trouble.
If you store cards and somehow (like magic) your clients wake up in the morning and check their empty accounts, well… it will not be legal any more :smile: You will need to return some money. So, good luck with that.

LE: Sorry about the late post, didn’t pay attention to the date.
However, the advice remains: do not store, use a service.


Since this topic was revived, let me correct the answer to this question. You cannot tell from a user interface on the web that asks for a CC where the CC is stored. The PCI requirement is that the CC will not be stored on a computer with internet access. The compliant solution is that the web server that collects the CC hands it off to a database server that does not have internet access, which may be your own DB server or a third-party payment processor.

If you do not know what PCI compliance version is required to store credit card numbers, and what requirements it has, then don't write a post saying something is compliant when it is not.

There are several other requirements that have to be fulfilled to store credit cards on your own database server, beyond just that it should be on a local network (not connected to the internet).

In short, for everyone who reads this: use a third-party payment processor. It is very expensive to get and maintain the PCI compliance you need to store the card information on your own servers.

[quote]If you do not know what PCI compliance version that is required to store
credit card numbers, and what requirements it has, then dont write a
post saying something it is compliant when it is not.[/quote]
My post was not intending nor did it state anywhere what the rules for PCI compliance of a database server were. I was simply correcting a post that said that if a credit card number was entered online, then the system was illegal. It is not known to be “illegal” simply from that, and can be perfectly PCI compliant to do so.

That’s all I stated.

It is illegal.
It’s like you’re driving without a license. We do not know that you do not own a license but if you get into an accident you go to jail. However, what you did (driving without a license) was not legal and if a cop stops you and you do not have a license… guess what: you go to jail.

[quote]Q: What are the penalties for non-compliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.[/quote]

Ah, so it’s your take that PCI will shut down eCommerce once they get to Amazon, eBay, and every other online presence that accepts and saves credit cards. I’m sorry, but you’re just wrong.

PCI DSS SAQ-D is the self-assessment questionnaire that kicks off the audit process for (typically large) merchants and those who save credit card numbers. This questionnaire is at https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf and Requirement 3 is titled “Protect Cardholder Data” and has a bunch of questions regarding how such data is stored, encrypted, keys managed, etc. It states that “…the full contents of any track from the magnetic stripe or equivalent data contained on a chip…” may not be stored after authorization, but that “in the normal course of business, the following data elements from the magnetic stripe may need to be retained: The cardholder name, Primary account number, expiry date, service code”. Those elements are exactly the ones users consider their “credit card number”.

Again, I never said it was easy to pass PCI compliance, but it certainly is not “illegal” to store credit card numbers.

This thread is too old; instead please advise on this one: Which SAQ type do I need to fill in?
Just to clarify: when my script ends, the CC info will be destroyed too, nothing will be saved on my side. Instead of Stripe.js I am using PHP tokenization, so I can get the BIN number to pass it to MaxMind.

Please advise.
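As an added illustration (not code from anyone in the thread) of the flow the last post describes: the PAN is handled only transiently, Luhn-checked, reduced to its BIN for the fraud lookup and to a PCI-permitted truncated form (first six and last four digits) for logging, and then discarded. The card number is a constructed test value and `tokenize_with_processor` is a hypothetical gateway call.

```php
<?php
// Luhn check: rejects mistyped numbers before anything is sent to a processor.
function luhn_valid(string $pan): bool {
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) { $d -= 9; }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// BIN = first six digits; identifies the issuer, not the cardholder.
function bin_of(string $pan): string {
    return substr($pan, 0, 6);
}

// PCI DSS permits showing/keeping at most first six and last four; mask the rest.
function truncate_pan(string $pan): string {
    return substr($pan, 0, 6) . str_repeat('*', strlen($pan) - 10) . substr($pan, -4);
}

// Constructed test number (a well-known Visa test PAN), not a real card.
$pan = preg_replace('/\D/', '', $_POST['card_number'] ?? '4111111111111111');
if (!luhn_valid($pan)) {
    http_response_code(400);
    exit('invalid card number');
}
$bin     = bin_of($pan);        // "411111": safe to send to a BIN/fraud lookup
$display = truncate_pan($pan);  // "411111******1111": safe to log or store
// $token = tokenize_with_processor($pan); // hypothetical gateway call returning a token

// Best-effort scrub: overwrite the full PAN and drop the variable once the token is obtained.
$pan = str_repeat("\0", strlen($pan));
unset($pan);
```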