在MySQL数据库中保存信用卡信息? [英] Saving credit card information in MySQL database?
问题描述
我想允许我的客户用户输入他们的信用卡信息,以便我可以每月收取。
我不知道应该如何保存这些信息? / p>
是否应将其保存在MySQL数据库(用户表)中,还是这种信息过于敏感,需要存储在其他位置?
我没有这方面的经验,如果有人可以建议我如何完成这项工作,很高兴。
谢谢。 >
如上所述,请勿将信用卡信息存储在数据库中。这是一个麻烦的食谱。这样做将使你成为黑客的一个非常有吸引力的目标,如果他们成功地检索,结束您的业务,可能毁了你的生活以及信用卡号码被盗的人的生活。
说到这里有三件事要考虑:
1)最好的办法是使用支付处理器/支付网关,计费。一个示例是 Authorize.Net的自动定期结算服务。设置订阅后,系统会自动每月自动向用户收费,并通知您交易结果。
2)如果您使用商店信用卡号码,您必须遵循 PCI准则。这些指南由支付卡行业设定,并定义您可以做什么和不能做什么。它还定义了如何存储信用卡信息。您需要加密信用卡号码,您应该(但不是必须)加密相关信息(到期日期等)。您还需要确保您的Web服务器和网络安全。不符合PCI合规性将导致丢失您的商家帐户,并被永远禁止一个真正的商家帐户。这将限制您使用不太灵活的第三方处理器。请记住,PCI指南是一个好的开始,但几乎不是一个如何,当涉及到在线安全。您的目标将是超出建议(很多)。
3)国家法律取代PCI合规性。如果您遭受违约,信用卡号码被盗,您可能面临刑事起诉。由于立法者只是刚刚开始意识到这是多么严重的问题,各州的法律各不相同。
至于加密确保您了解哪些加密算法是安全的,并且尚未破解。 Blowfish 是一个好的开始,如果您使用PHP 建议使用mcrypt库(示例)。
I want to allow my customer users to enter their credit card information so that I can charge them every month.
I wonder how one should save this information?
Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?
I have no experience of this and would be glad if someone could advice me how to accomplish this.
Thanks.
As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.
Having said that here are three things to consider:
1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
3) States laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.
As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).
这篇关于在MySQL数据库中保存信用卡信息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
