Hello,
Is it okay to save credit card data in the database? I know it will be password protected, but still, it will be a disaster if someone ever hacks in. How do real-world companies (mine is a school project) save their customers' credit card information? Thank you in advance.


You can store the data in the DB, but you definitely need to encrypt it. I would suggest not even storing it, personally. But that is just me.

Definitely, you have to secure the data while you are accessing the database through queries.

Better to have SSL on while you are accessing the database, and also just use a random text field as a hidden value in the POST and check it for authorization, to see whether it is coming from normal navigation or not.

I will agree with that. The more secure the better if it's being stored. I didn't really think having an SSL setup was needed since it is a class project, but if it's live it is a must-have.

Then what are you really expecting?

More than this.

Well, the majority of companies don't store credit card information themselves, as it is a big security risk and isn't safe. For example, many companies use a merchant account from providers like PayPal; PayPal then takes care of the payment and the company need not store any details of the customer's credit card.

From what I have been told, storing credit card numbers without encryption is illegal. I would recommend not storing them at all. Ever.

Thanks for all your replies. hivenk: Please elaborate. Do you want me to create a hidden field in the user form and fill it with random data? And check it when the form is submitted?

What do I have to do as a PHP programmer to ensure that the data is being transmitted over SSL?
I don't have to collect credit card data if the customer is paying with PayPal. But I have to collect it (a requirement) when the customer is paying with a credit card. How do I ensure that data is being sent over SSL when I send the data to the bank or whomever?

What kind of encryption are we talking about?
Thanks again.

Well, in order to ensure data is being sent over a secure environment, you will have to purchase an SSL certificate. Then let's say the billing system (where you take the customer's information and so on) is under a subdomain, for example billing.domain.com.

I would suggest you purchase an SSL certificate for that subdomain and, using the .htaccess file, force all connections to that subdomain to use the https prefix. So, no matter what, all links, forms, etc. under that subdomain will be forced to use an SSL connection (HTTPS), thereby securing and encrypting your data.

Normally an SSL certificate uses strong 128/256-bit encryption.

Hope this helps you.

SSL is already installed. But how do I use it? Do I have to do anything with my PHP code?
Or do I just use a .htaccess file?
Sorry if I am asking stupid questions. No one on my team has built a whole site before. It's like the blind leading the blind.

Hey, no problem at all with the questions.

Well, are you 100% sure that it is installed properly? To make sure, just access your site using the https prefix.

Example:

Normal -> http://www.domain.com/
If SSL -> https://www.domain.com/

When you access it via https, and if SSL is installed properly, you shouldn't receive any certificate error message.

If you want, PM me with your link and I'll check it for you.

And if you want to force all connections for that domain to use SSL, then simply make a .htaccess file in your public_html (or main directory) with the following lines:

# Send any request that arrived over plain HTTP to the same URL over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This will force all connections to have the https prefix; if any connection doesn't have it, it will automatically be redirected to the exact same page with the https prefix added.

An example of this can be found at the following site.

Try accessing this site: http://billing.znserver.com/clientarea.php

Notice how it automatically adds the https prefix when you visit the site.

If you have any more questions, feel free to ask.

Thanks. Everything is still in the design phase right now, so there isn't any link. Is there a way to use the .htaccess file for specific pages and not the entire site?


Storing CC info is very bad.

If you really want me to, I'll explain why, but it's pretty well covered on Google. The people that run Amazon are insane.

Hint: It's pretty easy to write an application securely to do this (with the right skill set, which is quite large) so that it is secure from the outside; it's not so easy to secure it from the people that have root access to select data from the server, such as administrators, accountants and other privileged users.

Another hint: It's pretty easy for users to get phished and think you gave up their data.

Yet another hint: Few DBAs secure their servers properly and set up the right per-host/per-user access.

Clue: Encryption is a joke and ultimately useless, since you need to store the means to decrypt it on the server. An attacker will use your own scripts to decrypt it. Encryption is not the panacea you are looking for.

If you don't store it, you don't have these problems, which are ironically caused by everyone but you, the developer, and completely nullify all the secure coding effort you did, yet you'll be the first one they turn to when it happens.

Don't do it. There is no truly secure way to do it unless the infrastructure is managed with the same controls, checks and balances (and regulatory compliance) as a bank's infrastructure.

-Viz
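As an added example (not code from anyone in this thread), here is what the "don't store it" approach looks like in PHP: the card number is checked and masked, the processor's token stands in for it, and the PAN itself is never written anywhere. The processor token is a constructed placeholder; a real one would come back from PayPal or whichever gateway handles the charge.

```php
<?php
// Added example, not from the thread: validate a card number, keep only the
// processor token plus display fields, and discard the PAN.

function luhnValid(string $pan): bool {
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        return false;
    }
    $sum = 0;
    $double = false;
    // Walk from the rightmost digit, doubling every second one.
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int)$digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) { $d -= 9; }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

function cardRecordForStorage(string $pan, string $expMonth, string $expYear, string $processorToken): array {
    if (!luhnValid($pan)) {
        throw new InvalidArgumentException('card number failed Luhn check');
    }
    $digits = preg_replace('/\D/', '', $pan);
    $last4  = substr($digits, -4);
    // This is the whole record the merchant keeps: no PAN, no CVV.
    return [
        'processor_token' => $processorToken,            // opaque handle issued by the gateway
        'last4'           => $last4,                     // for receipts and "card ending in"
        'masked'          => str_repeat('*', strlen($digits) - 4) . $last4,
        'exp_month'       => $expMonth,
        'exp_year'        => $expYear,
    ];
}

// Constructed sample input: 4111 1111 1111 1111 is a well-known test number,
// and the token is a placeholder, not a real gateway value.
$record = cardRecordForStorage('4111 1111 1111 1111', '12', '2030', 'tok_PLACEHOLDER_FROM_GATEWAY');
var_dump($record['last4'] === '1111');             // bool(true)
var_dump($record['masked'] === '************1111'); // bool(true)
var_dump(isset($record['pan']));                    // bool(false): the number was never kept
```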

Well, since you're familiar with PHP, here is some PHP code. All you have to do is paste it at the top of any page you would like secured.

<?php
// Force a redirect to the secure (HTTPS) version of this page.
// Anything other than port 443 is treated as a plain-HTTP request.
if ($_SERVER['SERVER_PORT'] != '443') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit();
}

Is it safe to assume that all servers will use port 443 for SSL? (Guess I need to learn about ports as well.)

Yes, all servers use port 443 as the SSL connection port.
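As an added example (not code posted in this thread), here is a version of the redirect check that does not rest on the port number alone: it looks at the HTTPS server variable first, then the port, and finally the X-Forwarded-Proto header for the case where a TLS-terminating proxy sits in front of PHP. The header check assumes the proxy overwrites any client-supplied copy of that header.

```php
<?php
// Added example, not from the thread: detect HTTPS without assuming port 443.

function requestIsHttps(array $server): bool {
    // Apache and most SAPIs set HTTPS to a non-empty value (other than "off") on TLS requests.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fall back to the conventional port when the variable is absent.
    if (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443) {
        return true;
    }
    // Behind a load balancer PHP sees plain HTTP; trust this header only if the
    // proxy sets it itself and drops the client's version (assumed here).
    $forwarded = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    return strtolower($forwarded) === 'https';
}

// Returns the HTTPS URL to redirect to, or null when no redirect is needed.
function httpsRedirectTarget(array $server): ?string {
    if (requestIsHttps($server)) {
        return null;
    }
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Constructed sample requests showing each branch.
$plain = ['SERVER_PORT' => '80',   'HTTP_HOST' => 'billing.example.test', 'REQUEST_URI' => '/pay.php'];
$tls   = ['HTTPS' => 'on', 'SERVER_PORT' => '8443', 'HTTP_HOST' => 'billing.example.test', 'REQUEST_URI' => '/pay.php'];
$proxy = ['SERVER_PORT' => '8080', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'billing.example.test', 'REQUEST_URI' => '/pay.php'];

var_dump(httpsRedirectTarget($plain) === 'https://billing.example.test/pay.php'); // bool(true)
var_dump(httpsRedirectTarget($tls)   === null);                                    // bool(true)
var_dump(httpsRedirectTarget($proxy) === null);                                    // bool(true)

// At the top of a real page:
if (($target = httpsRedirectTarget($_SERVER)) !== null) {
    header('Location: ' . $target, true, 301);
    exit();
}
```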
