It's pretty obvious that there are security considerations when you are dealing with customer's credit card data. It's important that the date the customer submits on the Web site is safe while traveling over the wire and that the data captured from the customer stays safe when store with you as the vendor.
Your customers will expect your site to be SSL enabled if they are to trust you with their credit card information. SSL ensures that data is encrypted as it travels over the wire and this protects you from potential network sniffing. To hook up SSL you need to get a public SSL certificate from a certificate authority or reseller of certificates. Base certificates have gotten a lot cheaper in recent years and you can get certificates from many providers and hosting companies for under $100. I use DirectNic for all my certificates and domain registrations, but there are plenty of other providers out there that are in that same range. If you use an ISP check with the providers they use as they often get volume deals that may be cheaper than your own shopping.
Displaying Credit Card Information
The next issue is to make sure that you NEVER display full credit card numbers in your Web application back to the customer beyond the initial point of entry. The idea is if for whatever reason your application is compromised or a user account is compromised you are not in any way displaying the card information back to the unauthorized person.
This means, if after the order has been placed you display order information back to the customer, like say on an order status page, make sure you display the credit card number with blacked out numbers except a few of the numbers to let the customer identify the card used. The official rules from the Credit Card companies are that only the last four digits can be displayed.
Here's a routine I use to handle the display consistently as part of the business object that normally displays the value:
public string GetHiddenCC()
InvoiceEntity Inv = this.Entity;
string CC = Inv.Cc.TrimEnd();
if (Inv.Cctype == "PP" && CC == "")
return "<a href='http://www.paypal.com/'>paid with PayPal</a>";
if (CC.Length == 0)
if (CC.Length < 10)
return "**** **** **** ****";
string lcFirst = CC.Substring(0, 2);
string lcLast = CC.Substring(CC.Length - 4, 4);
//return "**** **** **** " + lcLast;
return lcFirst + "** **** **** " + lcLast;
So inside of a page I might display the value as an expression like this:
<%= this.Invoice.GetHiddenCC() %>
Notice I cheat a little in displaying the first two digits, so I have an idea what type of card I'm dealing with. I think this makes it easier for anyone to identify a card at a glance. But be the official rules are only to display the last 4 digits.
Storing Credit Cards
Storing credit cards is also an important security consideration. The threat is always that your Web server (or even standalone machine) might be compromised in some way and credit cards might get out. It's highly unlikely that this will happen, but there's always the potential. There are many potential security risks from break ins, your ISP, or even somebody inside the company stealing card numbers.
If at all possible you should not hold on to credit card data of your customers. This is not always possible especially in e-Commerce applications that expect frequent repeat customers and want to avoid having to re-enter credit cards over and over again.
If possible though, it's a good idea to clear credit card data for orders once the order has been processed. Should there be any sort of trouble with the transaction and you need to issue a refund or the customer returns you can just ask for the card again. This is one way to remove any possibility that large amounts of credit card data can be compromised and it limits your liability greatly.
If you absolutely must store credit card data it should be stored in encrypted form.
There are various compliance standards (specifically CSIP and PCI) that vendors are supposed to follow that describe specific rules of how networks need to be secured and data stored. These rules are fairly complex and require very expensive certification. However, these standards are so strict and expensive to get verified for that it's nearly impossible for smaller businesses to comply. While smaller vendors are not likely to be pushed to comply, not complying essentially releases the credit card company of any liability should there be fraud or a security breach. In other words you are fully responsible for the full extent of the damage (realistically you are anyway – I'm only echoing back the rough concepts of these certifications).