Is it 'ok' to store credit card information in the session?

Question

I was thinking that was a good place because it is so temporary yes? I guess when I say 'ok' I mean both secure and ethical as well as practical for the code side of things. Please advise.

Answer 1

If you are storing credit card data anywhere it should be fully encrypted! Storing in the session may be necessary, perhaps you've got a multi-part form to fill out, but it should be purged as soon as possible.

Answer 2

Carefull with PHP sessions on shared hosts. Other users on the same host can steal sessions by creating a simple script that can open your sessions by manually setting the session_id then calling session_start(); If you must store CC nums use db stored sessions that are encrypted and delete promptly. Its in the users best interest to re-ask for the number when needed, savy web users will thank you for it.

Answer 3

Keep in mind that session state may be stored in a database (depending on the configuration). Even if it is temporary in its nature I would make an effort to deal with the value the shortest time possible, and probably try to stay away from the session.

Answer 4

Listen to episode #109 of Security Now! with Steve Gibson.

http://www.grc.com/securitynow.htm

In that episode, Steve details how he built his own eCommerce system that stores data in exactly the way you're describing. He doesn't store anything on the server side, but rather collects the data, encrypts and signs it into a binary blob that can't be modified (otherwise the signature won't match when it's resubmitted), and stores it in a hidden form field on the client.

Answer 5

The absolute best answer?

No. Don't do it.

The credit card details should be the last portion of your checkout process.

Answer 6

Better yet, store it in application state. More better access. Your controls can bind directly against that as well.