Credit Card Information and You

Credit Cards by Andres Rueda
It seems that at least once a week, I have a customer or see another developer ask a simple question:

How do I store credit card information?

The simplest way to attack the problem:

Don't.

Seriously.  Don't store credit card information.  There are numerous ways to work around it and groups better qualified to handle it.  For example, my goal is to avoid storing it and push the responsibility off to the Gateways/Processors.  They have the systems, processes, policies, security, and even insurance/legal aspects in place.

Regardless, I know lots of you are saying "But Keith, *I* have to! My application/customer requires it.  Besides, I'm so much smarter than you, I'll figure it out over lunch, crank out the code this afternoon, and will be mocking you in public forums by 5pm."

Well, maybe… maybe you are an amazing developer that can solve all the potential issues related to the code.  Let's talk about the other aspects:

First, it's a complex problem with a complex solution.  Individually all of the steps are relatively simple and straightforward: your code has to be secure, access to the data must be limited, each user should have unique credentials, and a variety of other aspects.  Yes, most of those things should already be in place for your team… but I doubt they are. 

Next, the "Recurring Billing" problem has already been solved.  All of the payment processors do it for a nominal fee.  Authorize.net calls this service "Automated Recurring Billing" and charges a whopping $10/month.  What is the value of your team's time?  Even if you can "crank out the code this afternoon" the cost of those four hours could cover literally years of the service.

Next, you can't trust anyone.  Anyone that has access to the data is another potential risk to your organization and your customers.  Most likely only a very small set of people in your entire organization need access to the data.  Quite often no one needs access to the data, they believe their jobs would be easier with it.

I had a friend years ago who kept his customers' information along with all auth attempts and processing logs.  As he went through developers working on his site, each took a snapshot of the production database to work locally.  Either due to maliciousness or due to ignorance, the credit card information could have been included.

Next, are you sure of who has access?  Developers making snapshots of a production database are known and expected.  What happens when the system is compromised?  What happens when a creative new bug that you didn't expect appears?  What happens when someone's account is compromised due to their negligence and information leakage occurs?
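The snapshot and log scenario above is exactly where card numbers leak unnoticed. As an added example (not code from the original post), here is a small scanner that flags Luhn-valid card numbers in log lines or database dumps and a redactor that masks them down to the last four digits; the log lines are constructed samples, and the regex is an assumed pattern for 13-19 digit runs.

```python
import re

# Assumed pattern: 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits (so "1234" inside a longer run is not split off).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text):
    """Mask every Luhn-valid card number, keeping only the last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # long digit run that is not a card number: leave it
    return PAN_RE.sub(mask, text)


# Constructed sample: a raw PAN in an auth log, an order id that is not
# Luhn-valid, and a properly tokenized record (only token + last4 stored).
SAMPLE_LINES = [
    "2009-03-01 auth attempt user=42 card=4111 1111 1111 1111 result=approved",
    "2009-03-01 order id=1234567890123456 shipped",
    "2009-03-01 auth attempt user=43 token=tok_9f3a last4=0005 result=approved",
]


def scan_lines(lines):
    """Return (line index, card numbers found) for every line that leaks a PAN."""
    return [(i, find_pans(line)) for i, line in enumerate(lines) if find_pans(line)]
```

Running `scan_lines` over a production snapshot or log export before it is handed to a developer shows whether card data is about to leave the controlled environment; `redact` is the form the log line should have had in the first place.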

Next, odds are that your Payment Gateway forbids it.  Let's say that you get all the code fully functional and perfect.  You can deploy it and watch it work beautifully… with the risk that if they find out, they have the option to shut you down.  Not "put a hold on your account" but completely and totally shut you down.

I had a friend years ago – yes, same one as above – who got his merchant account locked due to suspicious behavior.  They immediately froze the account and blocked all new transactions.  He had to scramble to get a new account while the original processor started reviewing all transactions – and held all related funds – from the last 30 days.  His billing systems were only offline for three days, but can your organization handle that?

Finally, can your organization survive the negative legal, press, and financial attention?  When TJ Maxx's systems were compromised, they suffered months and months of negative press.  Similar organizations have been sued as a result of similar breaches.  Most organizations suffer financially – not only from the change/loss of business – but also through increased insurance premiums.  After all, you've demonstrated that you're taking risky actions without successfully protecting against them.

Overall, yes, it is a well-defined and specific enough problem to be tackled and probably beaten.  I'm not questioning your ability… instead, I'm questioning the wisdom and usefulness in attacking the problem.  Would your time be better spent in other areas?  Can your organization legally/financially support your development choices?