The short answer is "Don't!"

If the CC numbers reside on a web connected machine, there is always the possibility of them being compromised, accidentally or maliciously.

There is rarely a good reason to store that sort of data online. Even if you keep other personal information, making a big show of dumping CC numbers after each transaction is a good USP from the POV of user security

What about recurring subscriptions?

Store them locally only.

Especially if you have to ask how it is done!

>> There is rarely a good reason

>> What about recurring subscriptions?

If it's an annual subscription, write the CC info to an offline location. Just because a CC # is stored electronically, it doesn't have to be in a web-accessible database, or on a machine permanently connected to the Net. That's where most of the online security scares come from, information that has no NEED to be online being compromised

We're in the process of setting up our own merchant account and already planned to store numbers offline and input the transactions manually each month. It's just going to take a lot more work that we are currently required to do and I was fishing for alternatives.

You have to store info if you get chargebacks.

Beware of burglaries where machines or paper files are stolen.

A quandary for sure.

Most of the online payment service providers that offer merchant accounts / credit card facilities to web based businesses provide a recurring billing solution - WorldPay's is called "FuturePay" for example.

[worldpay.co.uk...]

If I were ever developing a system that involved storing credit card numbers, I would design a database architecture that didn't actually have the entire credit card number in one place, and place a requirement on application logic for a credit card number to be recovered.

This would mean that even if a database were compromised, the attacker would have great difficulty extracting valid card numbers from it; and even greater difficulty matching card numbers with personal details (which is when the information really becomes valuable to a crook).

we encrypt card numbers

we encrypt card numbers

Same here. All credit cards are immediately encrypted.

You have to store info if you get chargebacks.

Yep.

fashezee, avoid storing any CC# by yourself at all costs. There are a lot of companies that can do it better and specialize in this staff (TrustCommerce, PayPal, PaySystems, CCBill and others). Better check those out and see what suits you best. You can easily find more by looking for online payment solutions in Google.

The risk of compromising this information is too high especially if it’s a shared hosting. Even a dedicated server that you can set up to max security cannot guarantee that someone smart will be able to retrieve this information from your server.

All of them store information about all transactions and you can make a refund and they handle chargebacks themselves.

If you have any questions, just sticky mail me.

Before investing time and money designing yourself a technically clever solution, grab a magnifying glass and take a few minutes to check the fine print on your business insurance policy. A lot of them will have an exclusion for e-commerce security matters.

This means that if you go DIY and something horrible happens then you may very well be in big trouble. Third party billing solutions means that all of this is, at least to some extent, someone else's problem.

Yeah, I agree with everyone here. We have an external audit at least twice a year solely to check our CC storing process. If something were to ever happen to somebody, as a small business, you could face huge financial and other consequences. Wash your hands of it, it will help you to avoid many headaches.

Cheers
James