Storing Credit Card Number - PCI?

001 picture 001 · Nov 29, 2010 · Viewed 21.3k times · Source

What are the PCI rules to follow for storing credit card numbers in a database?

1) is this allowed? 2) if so, what rules do we have to follow?

Im looking at this site https://www.pcisecuritystandards.org/security_standards/index.php which document should I be reading here?

Answer

John Conde picture John Conde · Nov 29, 2010

1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.

2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.