Can i store Credit card in local database in app is it secured?
Question
Hi I am using payment gateway in may app .I think store credit card no in my app.I want ask it is secured to store credit card in app when user revisit i use credit card no.i take manual input of CVC no.
1) I encypted credit card no in AES with user key.
it is secure in android app
2 answers
solution1
1 2016-05-10 01:49:16
The best course of action will be to not store the data in your app locally, cause there potential for data loss is to great, and the trade of for speed does not seem to be worthwhile. better would be to store it in a remote server to which your app can connect.
solution2
1 2016-05-10 06:04:26
Obviously storing credit card details in your application itself is a high risk. Even storing only the credit card number (without CVV / CVV2 ) is a high risk, because CVV / CVV2 verification is just a one type of verification done by processors and can be skipped if processor decide to do so (for certain transaction types) [1].
Having said that, as a merchant you have the ability to store following in your application [1] :
- Card Holder Name
- Personal Account Number (PAN) (Card Number)
- Expiration Date
However, you need to be very careful about the protection of PAN , because you are ultimately dealing with customer confidence. Even though, you are trying to implement a feature that adds convenience, if card numbers get exposed due to some sort of a vulnerability you might loose more customers than you gained with this feature.
Usually in PCI PA-DSS , below fields are considered as what needs to be highly secured :
- Primary Account Number (PAN) (Card Number)
- Cardholder Name
- Expiration Date
- Service Code
- Full track data (magnetic-stripe data or equivalent on a chip)
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks
Therefore, if you store PAN , it is best to use a strong cryptography algorithm to encrypt it. Usually, payment processors follow a multi key approach and have multiple different keys stored in multiple different secure environments. Finally, when it is necessary to retrieve decrypted card number, application combine these keys and do the decryption [2].
In PCI PA-DSS it is necessary to have a key management process as well. Which means you should have a process that allows you to expire and renew keys at any point of time. With such process, it is possible to minimize the risk of keys getting compromised, given that you can renew the keys rendering compromised keys useless. Maybe, this is a overkill for your requirement.
Nevertheless, if you plan to store PAN , at least use two keys that are stored in two different environments (database / file system) for encryption, use a very storing encryption algorithm and follow cryptography best practices ( OWASP ).
However, it is questionable how customers might look at the feature you are implementing. Maybe, there are customers who care for security over convenience. Therefore, it is better to provide an opt-in for the feature you are implementing.
[1] https://usa.visa.com/dam/VCOM/download/merchants/card-acceptance-guidelines-for-merchants.pdf
[2] https://www.pcisecuritystandards.org/minisite/en/docs/PA-DSS_v3.pdf
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.