I want to allow my customer users to enter their credit card information so that I can charge them every month.
我想允许我的客户用户输入他们的信用卡信息,这样我就可以每个月向他们收费。
I wonder how one should save this information?
我想知道如何保存这些信息?
Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?
它应该保存在MySQL数据库(“user”表)中,还是这类信息过于敏感,需要存储在其他地方?
I have no experience of this and would be glad if someone could advice me how to accomplish this.
我没有这方面的经验,如果有人能建议我如何做到这一点,我会很高兴。
Thanks.
谢谢。
3 个解决方案
#1
75
As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.
如上所述,不要在数据库中存储信用卡信息。这是制造麻烦的方法。这样做会使你成为黑客的一个非常有吸引力的目标,如果他们成功地找回了他们,结束你的生意,可能会毁掉你的生活和那些信用卡号码被盗的人的生活。
Having said that here are three things to consider:
说到这里,有三件事需要考虑:
1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
1)您最好的选择是使用提供重复计费的支付处理器/支付网关。授权就是一个例子。Net的自动循环计费服务。一旦您设置了订阅,他们将自动为您每月向用户收费,并让您知道事务的结果。它为您节省了大量的工作,并免除了您存储信用卡信息的责任。
2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
2)如果你确实存储了信用卡号码,你必须遵守PCI指南。这些准则是由支付卡行业制定的,并定义了你能做什么和不能做什么。它还定义了必须如何存储信用卡信息。您将需要加密信用卡号码,您应该,但不需要加密相关信息(截止日期等)。您还需要确保您的web服务器和网络是安全的。如果不能满足PCI的要求,将导致您的商户帐户丢失,并被禁止永久拥有真正的商户帐户。这将限制您使用不太灵活的第三方处理器。请记住,PCI指南是一个良好的开端,但当涉及到在线安全时,它并不是“如何”。你的目标是超过推荐(很多)。
3) States laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.
3)国家法律取代了PCI的遵守。如果你被侵入,信用卡号码被盗,你将面临被起诉的风险。各州的法律各不相同,而且不断变化,因为立法者才刚刚开始认识到这是一件多么严重的事情。
As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).
至于加密,请确保您阅读了哪些加密算法是安全的,而且还没有被破坏。Blowfish是一个好的开始,如果您使用PHP,建议使用mcrypt库(示例)。
#2
15
The safest way is to NOT store the credit card information on your system, but let a 3rd party payment provider do it for you.
最安全的方法是不将信用卡信息存储在您的系统中,而是让第三方支付提供商为您存储。
#3
6
It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.
不要求你使用第三方支付提供商如贝宝等-但如果你要存储支付卡信息,你需要符合PCI。请阅读这篇关于BC渡船的文章,这些渡轮因不及时遵守PCI规定而面临巨额罚款,以了解遵守PCI的严重程度。
My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.
我现在的雇主正在遵循PCI—这不是一个简单的过程,需要员工进行审计。强制执行取决于国家和州/省的法律——加拿大IIRC要求你被PCI职业委员会认证为PCI,而美国的一些州允许PCI合规审计公司为PCI委员会提供服务。
#1
75
As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.
如上所述,不要在数据库中存储信用卡信息。这是制造麻烦的方法。这样做会使你成为黑客的一个非常有吸引力的目标,如果他们成功地找回了他们,结束你的生意,可能会毁掉你的生活和那些信用卡号码被盗的人的生活。
Having said that here are three things to consider:
说到这里,有三件事需要考虑:
1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
1)您最好的选择是使用提供重复计费的支付处理器/支付网关。授权就是一个例子。Net的自动循环计费服务。一旦您设置了订阅,他们将自动为您每月向用户收费,并让您知道事务的结果。它为您节省了大量的工作,并免除了您存储信用卡信息的责任。
2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
2)如果你确实存储了信用卡号码,你必须遵守PCI指南。这些准则是由支付卡行业制定的,并定义了你能做什么和不能做什么。它还定义了必须如何存储信用卡信息。您将需要加密信用卡号码,您应该,但不需要加密相关信息(截止日期等)。您还需要确保您的web服务器和网络是安全的。如果不能满足PCI的要求,将导致您的商户帐户丢失,并被禁止永久拥有真正的商户帐户。这将限制您使用不太灵活的第三方处理器。请记住,PCI指南是一个良好的开端,但当涉及到在线安全时,它并不是“如何”。你的目标是超过推荐(很多)。
3) States laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.
3)国家法律取代了PCI的遵守。如果你被侵入,信用卡号码被盗,你将面临被起诉的风险。各州的法律各不相同,而且不断变化,因为立法者才刚刚开始认识到这是一件多么严重的事情。
As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).
至于加密,请确保您阅读了哪些加密算法是安全的,而且还没有被破坏。Blowfish是一个好的开始,如果您使用PHP,建议使用mcrypt库(示例)。
#2
15
The safest way is to NOT store the credit card information on your system, but let a 3rd party payment provider do it for you.
最安全的方法是不将信用卡信息存储在您的系统中,而是让第三方支付提供商为您存储。
#3
6
It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.
不要求你使用第三方支付提供商如贝宝等-但如果你要存储支付卡信息,你需要符合PCI。请阅读这篇关于BC渡船的文章,这些渡轮因不及时遵守PCI规定而面临巨额罚款,以了解遵守PCI的严重程度。
My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.
我现在的雇主正在遵循PCI—这不是一个简单的过程,需要员工进行审计。强制执行取决于国家和州/省的法律——加拿大IIRC要求你被PCI职业委员会认证为PCI,而美国的一些州允许PCI合规审计公司为PCI委员会提供服务。