收集信用卡信息-不收取款项 [英] Collecting Credit Card Information - not to collect payment

问题描述

我正在使用MySQL在Linux服务器上的PHP中工作。

I am working in PHP on a Linux server with MySQL.

我有一个要求（我试图让他们退出）来收集用户的信用卡信息，以便我们公司可以使用卡号保存酒店房间参加会议。我们根本不会自己收取卡的费用，而只是将其发送到酒店。然后，我需要能够下载CSV文件，并且每次有人签署电子邮件以向管理员发送所有信息时。

I have a requirement (that I have attempted to talk them out of) to collect credit card information from users so that our company can use the card numbers to hold hotel rooms for a conference. We will not be charging the cards ourselves at all, but instead just sending them to the hotel. I then need to be able to download a CSV file and each time someone signs up an email to go to the admin with all the information.

我试图解释一下并不安全，但是在我来这里工作之前，其他几个开发人员已经为他们完成了此任务。

I tried to explain that this wasn't secure, but several other developers have done this for them in the past before I was working here.

我的问题是；反正有保证安全的方法吗？如果没有，那么是否有第三方选择？

My question is; is there anyway to make this secure? If not are there any third party options to make this happen?

编辑：

我很感谢到目前为止发布的每个人，它只是让我想越来越少地尝试这样做。如果您可以针对非技术人员添加简单的说明，那么将不胜感激，实际上，网站资源和链接将对我有很大帮助。我还没有找到任何网站可以用非技术的方式解释这一点。

I appreciate everyone who has posted so far, it has simply made me want to attempt to do this less and less. If you could add to your answers simple explanations, oriented at non-tech people, it would be greatly appreciated, in fact site source and links would help me a great deal. I haven't found any sites that would explain this in a non-tech way.

推荐答案

存储卡的详细信息。您正在以PCI-DSS审核的形式为自己打开痛苦的世界。它不像使用加密那么简单，您需要有适当的流程来安全地管理加密密钥，安排密钥轮换，安全地进行日志访问等等。。。存储卡详细信息绝对是您要避免的事情。

It's really a bad idea to be storing card details. You're opening yourself up for a world of pain in the form of PCI-DSS audits. It is not as simple as 'use encryption', you need to have processes in place to securely manage the encryption keys, schedule key rotation, securely log access and so on and on... Storing card details is absolutely something you want to avoid.

如果您必须准备就绪，那么最好的选择可能是您（作为公司）从付款信用卡到您自己的商户帐户，然后分别从酒店（银行帐户/其他）付款给酒店。您充当客户向酒店付款的代理。

If you have to have something in place, then the best option may be for you (as a company) to take payments from the credit cards to your own merchant account, then pay the hotels separately (from your bank account/whatever). You act as a proxy for the client making the payment to the hotel.

大多数付款网关都允许您安全地存储卡详细信息，并在以后收取费用（使用网关返回的令牌ID），这在这里可能很有用。但是您将无法检索卡的详细信息以任何方式将其传递给酒店，这就是为什么您需要先付款，然后再组织一次单独付款给酒店。

Most payment gateways allow you to store the card details securely, and charge at a later date (using a token id returned by the gateway), which will likely be useful here. But you wont be able to retrieve the card details to pass them through to the hotel in any way, which is why you would need to take payment, then organise a separate payment to the hotel.

这仍然是一项艰巨的任务，因为即使使用这种简化的解决方案，PCI-DSS的许多领域也将发挥作用。

Its still quite an undertaking though because a lot of areas of PCI-DSS will come into play even with this simplified solution.

您问过，所以在这里是更多信息：

You asked, so here is more information:

PCI-DSS 是付款卡行业数据安全标准。这是一套准则，基本上适用于任何接触持卡人数据（特别是卡号）的公司。从字面上看，触摸它意味着对数据进行任何处理，即使只是将其通过网络传输而没有将其持久化到磁盘上也足以强制您必须遵守（尽管如果不将详细信息持久化到磁盘上则要容易得多）

PCI-DSS is the Payment Card Industry Data Security Standard. It's a set of guidelines which basically apply to any company that 'touches' cardholder data, in particular the card number. Touching it literally means any handling of the data, even just having it pass through your network without it ever being persisted to disk is enough to mandate that you must comply, (though it is significantly easier if you don't persist the details to disk)

您尚未说明您所处的世界的哪个部分，或如何捕获这些卡的详细信息（互联网/电话/当面）。这些详细信息对于您如何实现合规性至关重要。

You didn't yet state which part of the world you're in, or how these card details are captured (internet/telephone/in person). These details are significant to how you can achieve compliance.

首先了解一下PCI-DSS SAQ（自我评估问卷）。对于那些不将持卡人详细信息存储到磁盘的公司，这些SAQ是最低要求，并且应该很好地说明需要在整个网络上使用的安全性以及应该在整个网络上应用的策略。

Start by taking a look at the PCI-DSS SAQ (Self Assessment Questionnaires). These SAQ's are the minimum requirements for companies that do not store cardholder details to disk, and should give a good impression of the security that needs to be in place across the network and policies that should be applied across the company.

正如我所说，如果您想存储卡的详细信息，事情就会变得更加复杂，因为作为一般规则，SAQ不再足够好。您需要获得QSA（合格的安全评估员）的帮助，该访问者将访问并就数据存储的最佳实践和其他各个方面提供建议。为了达到这种级别的合规性，您需要查看年度审核（由QSA执行）和季度网络扫描。查看审核程序，以详细了解所涉及的内容。特别要看一下第3节，不要低估实现正确密钥的难度管理。

As I said, if you're thinking of storing card details then things get more complicated, because as a general rule the SAQ is no longer good enough. You need to enrol the assistance of a QSA (Qualified Security Assessor) who will visit and advise on best practice for data storage and the various other points that come into play. For this level of compliance you're looking at yearly audits (carried out by the QSA), and quarterly network scans. Take a look at the audit procedures to get a detailed look at what is involved. In particular take a look at section 3 and do not underestimate the difficulty of implementing proper key management.

总而言之，完全遵守PCI将非常昂贵。即使对于已经拥有强大安全政策的公司来说，引入QSA以及仅进行季度扫描和年度审核的成本也可能要花费数千美元。

In summary, full PCI compliance will be very costly. Even for a company which already has pretty strong security policies the cost of bringing in a QSA and running quarterly scans and yearly audits alone will likely cost $thousands.

这篇关于收集信用卡信息-不收取款项的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！