Your best bet is to not do it. One thing is that you may be violating PCI compliance (wikipedia) [en.wikipedia.org] with your credit card processing company - in fact you may want to check with them on what standards of security they require for storing credit card data - maybe that will point you in the right direction.
My favorite way to handle credit cards is to let someone else worry about it - the number gets sent, encrypted, to the processor and I never see it. Authorize.net, PayPal and other processors can handle this method.

pixel if you are intent on doing this then something I have seen done is......

Most CC processers will store the first and last 4 digits of the card in plain text for you to see.

1 option is to store everything but the first 4 last 4 in your DB.

That way if you need a card number you have to look in two places.... 1) get the F4L4 from the CC gateway and 2) get the rest from your DB.

So how do companies store CC#s for things like recurrent (automatic) billing? Surely there is an industry standard for storing CC info. Many sites store user CC's so they don't have to re-enter it for every purchase.

This idea seems great, but I can't find any payment gateway that uses this method.
---------------------
(taken from [unixwiz.net...]
We're aiming for "No decryption by the application".
The Holy Grail seems to be a system where the sensitive data is only decrypted by the process which talks to the bank: if it's simply never available in any other place, it's not available to steal.
It's not clear this is achievable, but it's clear that this is a goal even if it drives substantial reworking of software or internal procedures. Many of the security problems are not crypto problems.
---------------------

If I could send the gateway an encrypted CC# that only they can decrypt (using asymetric pub/priv keys) then there's no longer a problem. Why is this not more common?

Companies don't store the CC numbers.. their credit card processors do.

I post a transaction to my gateway for customer#12756345

Later I want to discount/refund/recharge or whatever then I go to my gateway and search customer #12756345.. then my gateway allows me to perform things like refunds to that customer. It doesn't show me the card number, but it has it stored.

So how do companies store CC#s for things like recurrent (automatic) billing?

1. You completely pass level 1 PCI compliance and encrypt stored data.

2. You work with the CC processor and their methods of recurrent billing so you don't have to store the entire credit card.

One processor I work with does this by
a. On initial purchase and agreement by the user to recurrently bill, the CC info and original transaction id is stored at the CC processor.
b. YOU only store just the last 4 digits and the original transaction id.
c. On recurrent billing, which is prompted by a cron job from your site, you send a request to the processor using the original transaction id and the last 4. The processor performs the transaction and returns a result.

Another does it by transaction ID only.

There are more, and they all give you the "hands off" option on CC info, which releases the site owner from those liabilities. All you have to worry about is protecting your site from injection and XSS (i.e., one less thing to keep you awake at nights . . .)

thanks Rocknbil, I just talked to my gateway (authorize.net) and they say they do not have the option to store CC info on their system.

It seems like a serious time investment, but I would be willing to change gateways. Can you recommend a gateway that acts as you describe? Sticky me if you can't mention them here.

What I do not understand even with asymmetric encryption, is that if the application has to encrypt the # to store it and decrypt the # to use it, then anyone who gains access to the server can find the private key and thus have the #s. PCI says you need asymmetric encryption but it doesn't seem any safer than symmetric encryption if both keys live on the web server.

Thanks for your help.

I'll start a thorough search soon, but in case anyone has recommendations (feel free to sticky) I'll be a little clearer though on what I need.

One of my sites sells video lessons (we have over 1000), and our users can buy new ones at any time. So the billing isn't so much recurrent (there may be subscription fees in the future) as it is frequent (like itunes). We don't want the users to have to enter their CC 5 times a day, so we store it for them. I'm sure sales would drop if they had to do this.

Any gateway/processor companies do the storage as mentioned above that anyone cares to recommend?

I just talked to my gateway (authorize.net) and they say they do not have the option to store CC info on their system.

Say . . . what? The only thing they could have possibly meant is that they don't store it for you to view or retrieve. But they have if you are using ARB.

I work with A.N. all the time.

Ask them about ARB (Automatic Recurring Billing.)

Basically on the initial transaction, you pass some variables via XML that indicate this account will be automatically billed at a specific interval for a specific length of time (A.N.'s max is 3 years.) Then when Authorize.net processes the transaction, it sends an XML string to a url on your site of your choosing (a script to update your database.) Using this response from A.N., you either update the database or notify the client their card could not be processed.

I do believe there is some mention in the documentation about using ARB for recurrent billings, so it can be used for your purpose. I've never gone down that rabbit hole, just ARB.

There are some services out there which do not need the card number to perform automated recurring billing on your card.

I don't know what it is called but I assume they get an authorisation number (therefore don't need to store the credit card number).

One company I deal with continues to bill my card even though the card number has completely changed since they sent me a new one and the expiry date is different too. In fact, since I signed up with them, I estimate they have been able to charge 4 cards without me having to inform them of the new card numbers.

This is one reason why recurring billing should be left to those who know what they are doing! Anyone know what that service is called?

Companies don't store the CC numbers..

That's not at all true. Many companies do store card numbers even though they shouldn't.

>>Many sites store user CC's so they don't have to re-enter it for every purchase.

No they don't. Most large companies shiver at the thought of storing these numbers.

No they don't.

Yes, they do. I know of some.

Most large companies shiver at the thought of storing these numbers.

Then why news stories about stolen numbers from hacked sites of large sellers?

>>Yes, they do. I know of some.

You've seen the tables in a database? I find it pretty hard to believe a large company would even tell you if they store these numbers. Most don't because their IT departments will tell them it will cost millions to store this data.

Billy, While most of us all agree that it is a bad idea, there are lots of companies that do store CC numbers.

Target comes to mind as they were attacked in early 2008 for 4.2 million credit and debit card details.

Is it ill advised? Yes.... Are big companies doing it? Yes they are.

Remember most of the time it is business men making these decisions and it is usually against the advise of their staff.

I think I talk about 3 businesses a year out of storing numbers, and I have to really talk them out of it. I usually warn against it. Then I have to push for them not to because they only see the practical reasons for doing it and not the risk associated with it.

>>Target comes to mind as they were attacked in early 2008 for 4.2 million credit and debit card details.

This is my point exactly. It wasn't Target, it was TJ Max you're talking about. The cards were not stored in a database, they were stolen due to weak encryption techniques used when transmitting the card numbers.

Again, large companies do not store credit card numbers.

You've seen the tables in a database?

Yes.

Again, large companies do not store credit card numbers.

Now your story is changing. You certainly didn't say large before.