Best practices for taking and storing credit card information with PHP


Question



Should I use sessions for the first few steps (validation, review purchase) then input the information into the database in the final submit?

Could the cookies get jacked and transform into a lawsuit? Is it too risky?

Would I need to protect my db any special way if storing credit card numbers?

Any and all recommendation and personal experiences are welcome.

Answer

Credit card issuers have strict requirements (google "PCI Compliance") about storing credit card data.

There's at least one payment gateway that allows you to outsource the compliance stuff: http://www.braintreepaymentsolutions.com/

Last time I looked, you can run an initial transaction, and get back a token. That token can be used to make future charges against the card, but only by you. The payment gateway guys take care of storing the actual credit card data.

As far as I know (and I don't do a ton of card processing), this is probably the best solution if you need to make arbitrary charges against the same card.

If all you need is some recurring charge (a set amount at regular intervals), most payment gateways (authorize.net comes to mind) can be configured for this.

At the end of the day, if you're not dealing with a particularly large budget, you're better off outsourcing the card # storage. Doing it yourself is too much of a liability.

(Edit: As to storing things in session -- yeah, you can probably get away with that, but you should probably avoid it. Just make your initial auth/capture in-process when the CC info is submitted.)
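The token pattern the answer describes, as an added example that is not part of the original answer: the card number is handed to the gateway in the same request in which it arrives, and only the returned token plus the last four digits are ever persisted. The gateway call (`$chargeAndTokenize`) is a hypothetical stand-in for a real gateway client, and a Luhn check guards against a full PAN slipping into the stored record.

```php
<?php
// Added example (not from the original question or answer). $chargeAndTokenize
// stands in for a real gateway call (Braintree, Authorize.net, ...); its name and
// return shape are assumptions. The pattern: the PAN goes to the gateway in the
// same request in which it arrives, and only the token plus last4 are persisted.
declare(strict_types=1);

/** Luhn check, used here as a guard: anything that passes is treated as a PAN. */
function looksLikePan(string $value): bool
{
    $digits = preg_replace('/\D/', '', $value);
    $len = strlen($digits);
    if ($len < 13 || $len > 19) {
        return false;
    }
    $sum = 0;
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $digits[$len - 1 - $i];
        if ($i % 2 === 1) {
            $d = $d * 2 > 9 ? $d * 2 - 9 : $d * 2;
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

/** Returns the only record that may be written to the database. */
function storablePaymentMethod(callable $chargeAndTokenize, array $post, int $cents): array
{
    // Initial auth/capture happens in-process; the PAN is never written anywhere.
    $token = $chargeAndTokenize($post['pan'], $post['exp'], $post['cvv'], $cents);
    $record = [
        'gateway_token' => $token,
        'last4'         => substr(preg_replace('/\D/', '', $post['pan']), -4),
    ];
    foreach ($record as $field => $value) {       // refuse to persist a full PAN
        if (looksLikePan((string) $value)) {
            throw new RuntimeException("refusing to store a card number in $field");
        }
    }
    return $record;
}

// Constructed demo: a stub gateway returning an opaque token, and a test PAN.
$stubGateway = fn(string $pan, string $exp, string $cvv, int $cents): string
    => 'tok_' . bin2hex(random_bytes(4));
$record = storablePaymentMethod($stubGateway, ['pan' => '4111 1111 1111 1111', 'exp' => '12/2030', 'cvv' => '123'], 1999);
var_dump(looksLikePan('4111 1111 1111 1111'), $record);   // the record holds no PAN
```

The session question in the edit above is answered by construction here: the card data lives only in the request that performs the auth/capture, so there is nothing card-related left to put in a session or cookie.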
