
Can I store a credit card in the local database in my app? Is it secured?

Hi, I am using a payment gateway in my app. I am thinking of storing the credit card number in my app. I want to ask whether it is secure to store the credit card number in the app so that, when the user revisits, I can use the stored card number; I take manual input of the CVC number.

1) I encrypted the credit card number using AES with a user key.

Is it secure in an Android app?

The best course of action will be to not store the data in your app locally, because the potential for data loss is too great, and the trade-off for speed does not seem to be worthwhile. It would be better to store it on a remote server to which your app can connect.

Obviously, storing credit card details in your application itself is a high risk. Even storing only the credit card number (without CVV / CVV2) is a high risk, because CVV / CVV2 verification is just one type of verification done by processors and can be skipped if the processor decides to do so (for certain transaction types) [1].

Having said that, as a merchant you have the ability to store the following in your application [1]:

  • Card Holder Name
  • Personal Account Number (PAN) (Card Number)
  • Expiration Date

However, you need to be very careful about the protection of the PAN, because you are ultimately dealing with customer confidence. Even though you are trying to implement a feature that adds convenience, if card numbers get exposed due to some sort of vulnerability you might lose more customers than you gained with this feature.

Usually in PCI PA-DSS, the fields below are considered as what needs to be highly secured:

  • Primary Account Number (PAN) (Card Number)
  • Cardholder Name
  • Expiration Date
  • Service Code
  • Full track data (magnetic-stripe data or equivalent on a chip)
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

Therefore, if you store the PAN, it is best to use a strong cryptographic algorithm to encrypt it. Usually, payment processors follow a multi-key approach and have multiple different keys stored in multiple different secure environments. Finally, when it is necessary to retrieve the decrypted card number, the application combines these keys and does the decryption [2].

In PCI PA-DSS it is necessary to have a key management process as well, which means you should have a process that allows you to expire and renew keys at any point in time. With such a process, it is possible to minimize the risk of keys getting compromised, given that you can renew the keys, rendering compromised keys useless. Maybe this is overkill for your requirement.

Nevertheless, if you plan to store the PAN, at least use two keys that are stored in two different environments (database / file system) for encryption, use a very strong encryption algorithm and follow cryptography best practices (OWASP).

However, it is questionable how customers might look at the feature you are implementing. Maybe there are customers who care for security over convenience. Therefore, it is better to provide an opt-in for the feature you are implementing.

[1] https://usa.visa.com/dam/VCOM/download/merchants/card-acceptance-guidelines-for-merchants.pdf

[2] https://www.pcisecuritystandards.org/minisite/en/docs/PA-DSS_v3.pdf
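One way to implement the advice in this answer (a strong algorithm for the PAN, an encryption key combined from two components kept in different places, and key generations that can be retired), as an added Go example that is not code from the question or from any of the answers. The panVault type, the "pan-storage" label and the sample key components are assumptions; the page's own app is Android, so the same shape would be ported to the platform's crypto API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// panVault is one key generation: an AES-256-GCM key derived from two key
// components kept in different places (database and file system), so that
// neither component alone decrypts a stored PAN. Names are assumptions.
type panVault struct {
	gcm     cipher.AEAD
	version string // key generation, bound to each ciphertext as associated data
}

func newVault(dbComponent, fsComponent []byte, version string) (*panVault, error) {
	mac := hmac.New(sha256.New, dbComponent) // HMAC-SHA256 combines the two parts
	mac.Write(fsComponent)
	mac.Write([]byte("pan-storage")) // domain-separation label (assumed constant)
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte output: AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &panVault{gcm: gcm, version: version}, err
}

// Seal encrypts a PAN; the fresh random nonce is prepended to the ciphertext.
func (v *panVault) Seal(pan string) ([]byte, error) {
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.gcm.Seal(nonce, nonce, []byte(pan), []byte(v.version)), nil
}

// Open fails closed on a wrong key, a wrong key version or a tampered blob.
// Key rotation is Open under the old vault followed by Seal under the new one.
func (v *panVault) Open(blob []byte) (string, error) {
	n := v.gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pan, err := v.gcm.Open(nil, blob[:n], blob[n:], []byte(v.version))
	return string(pan), err
}
```

Because the version label is authenticated, a record re-encrypted under generation v2 can no longer be opened with the v1 key, which is what makes a retired key useless.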
