Storing partial credit card numbers


Problem description

Possible duplicates:

  1. Best practices for taking and storing credit card information with PHP
  2. Storing credit card details
  3. Storing Credit Card Information

I need to store credit card numbers within an e-commerce site. I don't intend on storing the whole credit card number, as this would be highly risky. I would like to store at least the first five digits so I can later identify the financial institution that issued the card. Ideally, I would like to store as much of the credit number as I safely can, to aid any future cross-referencing etc.

How many digits can I safely store, and which specific digits?

For example, I imagine this would not be safe enough:

5555 5555 555* 4444

Because you could calculate the missing digit.

Similarly, this would be safe, but not be as useful:

5555 5*** **** ****

Is there an accepted pattern for storing partial credit card numbers?

Recommended answer

The Payment Card Data Security Standard states that if you are handling cardholder data, then you are subject to the constraints of the PCI DSS (which is very comprehensive and a challenge to comply with). If you want to store part of a card number, and don't want to have to deal with the Standard, then you need to make sure that a) you store NO MORE THAN the first 6 and last 4 digits; b) you don't ever store, process or transmit more than this. That means that the truncation has to be carried out before the data enters your control.

Given that you are talking about an ecommerce site, I think you'll have to deal with the PCI DSS sooner or later (since if you're not taking full PANs, you can't process transactions). Realistically, then, you should avoid storing more than the first 6 and last 4 digits of a PAN; the Standard then does not 'care' about this data, and you can store it in whatever form you see fit. If you store, say, the first 7 digits, then Requirement 3 of the Standard kicks in (and you start having to really understand key management in encryption).

I hope this is helpful.
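As an added illustration (not part of the original question or answer), the Python sketch below formats a PAN as first 6 plus last 4 digits, as the answer describes, and counts how many Luhn-valid numbers remain consistent with a given mask. It shows why the question's single-masked-digit form hides nothing. The function names are assumptions made for this example, and the sample number is the one shown in the question.

```python
import re


def _strip(pan: str) -> str:
    """Remove the spaces and dashes commonly used to group card digits."""
    return re.sub(r"[ -]", "", pan)


def truncate_pan(pan: str) -> str:
    """Return the first 6 and last 4 digits with everything between masked.

    Illustrates the stored format only; per the answer, truncation has to
    happen before the full number enters your control.
    """
    digits = _strip(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _luhn_term(d: int, i: int) -> int:
    """Luhn contribution of digit d at position i, counted from the right."""
    if i % 2 == 1:  # every second digit from the right is doubled
        d = d * 2 - 9 if d > 4 else d * 2
    return d


def remaining_candidates(masked: str) -> int:
    """Count the Luhn-valid numbers that match a mask ('*' = unknown digit).

    Tracks how many fillings reach each checksum residue mod 10, so wide
    masks are counted without enumerating every combination.
    """
    ways = [1] + [0] * 9  # ways[r] = fillings so far with checksum r mod 10
    for i, ch in enumerate(reversed(_strip(masked))):
        options = range(10) if ch == "*" else [int(ch)]
        nxt = [0] * 10
        for r, n in enumerate(ways):
            for d in options:
                nxt[(r + _luhn_term(d, i)) % 10] += n
        ways = nxt
    return ways[0]


if __name__ == "__main__":
    for mask in ("5555 5555 555* 4444",                # from the question
                 truncate_pan("5555 5555 5555 4444"),  # first 6 + last 4
                 "5555 5*** **** ****"):               # from the question
        print(mask, "->", remaining_candidates(mask), "Luhn-valid candidates")
```

The check digit removes one digit's worth of uncertainty from any mask, so a 16-digit number stored as first 6 plus last 4 leaves 100,000 candidates rather than 1,000,000.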
