Sending Credit Card/SSN through email... bad idea?

Ok, I have designed a web site for a client of mine that does Rental property management. She wants customers to be able to apply online for properties, which requires them to enter a SSN and Credit Card info so they can charge them an application fee. Then she wants that info emailed to her. I have the form created, and it emails fine, I just post the data and use an email class to send it all that works well. But I didn’t want to activate it till I got a more experienced opinion on this. I feel really uneasy about emailing that data. I’m using an SSL connection with the script (don’t know how much that will help) but I am really new to php security. I’ve been programming with php for a while now, but I havn’t dealt with any e-commerce or important info such as this. Any tips on if this is do-able or if I should take another route, OR if I should just can it all together and make them pay at the office (which is an option). Please let me know ASAP cause the site is going to be online soon. Thanks in advance!


Very very very bad idea, don 't do it.

SSL is all fine and dandy but sending them trough email is a nono, as logic_earth says.
In many states, storing the SSN in plain-text like that is illegal. In fact, you should never store/send a SSN in plain-text to begin with.

If your client wants to charge them an application fee, you can either make the client do it manually through her merchant account or setup a payment gateway such as to do it upon form submission. You can also setup to do an AUTH on the credit card, which only verifies it. Your client then has 30 days to CAPTURE the transaction (charge the card).

As for storing credit card information, see this pdf.
Wherever you store the credit cards must be PCI compliant, or you/your client will probably be risking major fines and revocation of her merchant account.
As for SSN, do your research and investigate your state’s Privacy laws.

Explain to your client that writing cc no. in an email is about as secure as writing it on a postcard, worked for me in the past.

Thanks for the quick replies everyone. I’ll probably just have her use paypal or something instead. So the problem isn’t really “passing the data” but just the fact that is stored in plain text sitting in someones email? Is it possible for people to “catch” and outgoing email or something from the site? Or is that highly unlikely?

I think paypal is a safe bet. Or you could contact this person on the phone…

In some countries, this would probably be illegal. In general, do make sure that you understand the legal ramifications of capturing, and subsequently transmitting this kind of sensitive data, before you get yourself into a nasty situation.

At least an ethical point of view, I wouldn’t feel comfortable providing just any old transport/collection/storage of such info. Nor would I feel comfortable giving it to them in some type of volatile insecure container like a text file, even if transport and collection was solid. I would freak out if I knew my SSN or credit card number was on the typical users computer. Soooo many people have viruses and keyloggers and all kinds of junk on thier computers. They don’t know any better, but you do.

Collecting sensitive and valuable info like SSN or credit card numbers on a shared webserver is just asking for it. It doesn’t matter if you choose not to store the data on the server. It really needs to be vps or dedicated. Other users on your box with filesystem access can change config/files to listen in on your scripts, from the inside. Usually pretty easily too…

I think by taking a firm stance about the importance of secure handling of such data, and offering alternate solutions, you can do the right thing here, and your client will probably even treat the info with more respect once it eventually does get into thier hands.

It is now very illegal in the United States to store information in plain text! Even if you use the phone and store the card on file it’s still illegal. You can be hit huge with penalties - especially if something goes wrong. Finding a payment gateway (like PayPal) is a VERY good idea. The small hit in fees is likely to save you a lot of money should something go wrong!

If it is supposedly illegal, can you point me to the specific title/section of the U.S. Code? The US doesn’t have strong privacy laws and this sounds like one of those law rumors. The biggest risk about improperly storing personal information is that you will lose your contacts with third parties (payment processors, banks, etc.).

But on the subject of the thread, yes, it is a very bad idea as many have stated.

No idea if it’s illegal according to the US Government, but some states do enforce protecting personal information, such as North Carolina.

In the US, I know you do have to be PCI compliant though (if storing CC information).
Read this first.
See this article, pay attention to [url=,295582,sid97_gci1337635,00.html#question9]question 9.

That’s ridiculous. Its not illegal to store information in plain text.

Off Topic:

There is nothing secure about credit cards to begin with. My CS professor did a lecture on credit card fraud and identity theft last semester and I was shocked at how simple it was to get the credit card information and a persons full identity from the magnetic strip on a credit card. And everything you need to know about retrieving the information is in the code of federal regulations. >.>

Yeah I doubt storing someones credit card / personal info is completely illegal. I understand there is probably some sort of requirements, but if it was so illegal then how does my school have my social security and debit card number sitting in their file cabinet right now.

This is an interesting topic though, because eventually I want to program a website that will handle credit card numbers and money transactions (big idea a friend and I have), but obviously it probably won’t be online for over a year or so cause I’m sure there are a lot of laws that we need to research and I need to start learning more about security. I would hate to hear about a bunch of (my client’s) clients getting their info stolen and have it be on my chest that I could have done something about it before hand… I told my client what the situation was and she hasn’t responded specifically to that topic yet, I’m sure she will understand though.

That is not completely correct. You need to be PCI Compliant to even process credit cards through a merchants API system.

However, the PCI Compliance level you need for that is lower than what you need for storing credit cards. There are multiple PCI Compliance levels, all after how you handle the creditcard data and on the number of transactions you do.

If your school store that on a piece of paper, then they are breaking the law/rules. The fact that someone else do it, does not make it legal.

For processing credit cards, its not a problem just get a merchant account and use their API service. That way you get away with the lowest level of PCI Compliance.

To my knowledge, PCI compliance has no bearing or relation to US law. It’s part of the contract you sign with your payment processor / bank.

I’m not sure that US law has any provisions of this nature. We’re not very strong in privacy laws.

So its illegal to store a CC number on a piece of paper, but not illegal to store it on a server some where?

I understand that just because somebody else does it, doesn’t make it legal. But you would think that if a university did it they would probably want to do it right, or why arn’t they caught by now… so if it is illegal and they DO store it on a piece of paper somewhere, the government must not care that much.

The PCI Compliance is as you mentioned enforced onto you by the credit card companies.

Though most probably there is a law that can be related to it as credit card would be considered personal information in US as well. At least we a law that can be used against storing personal information unsecure in Norway.

To be able to store the CC information on a server you need to have the highest level of PCI Compliance. This entails that the server where the CC information is stored on has to be on a local network seperated from the internet. It has to follow specific security mesures, and those has to be tested at set intervals etc. So unless your a large organization, doing this would cost way too much. This is the reason most companies let their merchant company handle this aspect.

Also keep in mind that you are not allowed to store the cvv information at all.

For your second question, remember there is two kinds of laws. One that apply to us normal people and one that apply to the goverment/state. The last one and people working for the last one can sometimes get away with the most amazing things which would get others put in jail for a very long time.

Debating whether or not storing the information is legal or not is irrelevant, given that the credit card companies have legal standing to impose severe penalties on you, and all involved in a breach if security procedures are not followed. Considering the penalties involved, ANY developer would be a fool to store that information, without the proper PCI compliant security measures in place. Anything else is playing with fire.

I understand that debating on the topic of storing a CC number is irrelevant to the topic, I came to the conclusion long ago that I wasn’t going to email a CC number or even store one in a database at this point. But I just thought it was pretty ridiculous that people are throwing out comments that it is completely illegal to store a cc number…

You are right in that there is no security on a credit card. Unlike a bank card there is no encryption on the magnetic swipe. However, read the following article. It is both true for your employees and your customers.

New Identity Theft Law Creates Lawsuit Threat For Small Businesses
Press Release June 13, 2008

(June 11, 2008) - In an effort to combat Identity Theft, the final provisions of The Fair and Accurate Credit Transactions Act (FACTA) expand the Identity Theft component of the Act. According to these new provisions, companies that haven’t taken “appropriate measures” to safeguard information from Identity Theft can be sued and face not only civil, but criminal penalties. TLV Group’s risk and compliance division is focused on helping smaller businesses comply with these provisions in a timely and cost effective manner.

“This law exposes smaller businesses to bet-the-company litigation risks that are onerous and can be mitigated with proper planning,” says Lisa Vann, Vice President of Operations for TLV Group.

As stated in the Winter 2007 issue of Texas Business Today released by Texas Commissioner Ron Lehman, “Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.”


These are fairly new laws that have come into effect. I heard a lot about it in the summer of '08 as they were then being prepared to come into effect (if I remember correctly). Many small business podcasts (including Wall Street’s) spent time on this issue.