7
votes

I am working on an application in which it is required to store whole credit card numbers. Is this possible to do using any API?

I have read about Authorize.net's Customer Payment Profile option, but it gives only last 4 digits when you try to retrieve that payment profile.

I have also checked Braintree's v.zero API which gives first 6 and last 4 digits and also Stripe's customer creation option but it also gives only last 4 digits.

If there is no API available, the only way to store credit card numbers is to store those in house using PCI DSS??

2

2 Answers

15
votes

Disclosure: I work for Stripe

Yes, the ONLY way to store customer card information in-house is to do so in a PCI-compliant system. Any place you store them, and any way you handle them, MUST be PCI compliant.

One of the biggest gains from using a payment processor, like Stripe for example, is that they take care of the (very, incredibly, terrifyingly) hard work of PCI compliance for you. As part of that commitment, they're not going to release those credit card details that they work tirelessly to keep secure.

If you're willing to go through the rigors of becoming - and remaining - PCI compliant, you could collect and store the card numbers in a PCI-compliant way and use Stripe's API to create the card [0] and then make the charge. Do note that you MUST be PCI Compliant to make use of Stripe's API in this way, or you will be violating the Terms of Service.

If you can more fully explain what the application will be doing with the stored credit card numbers, maybe someone can suggest an alternative approach that doesn't require actually storing the card info locally.

[0] https://stripe.com/docs/api#create_card-source-number

6
votes

Never under any circumstance store customer credit card information. Explain why you think you need that; the Stripe API can probably do what you want. For example, if you want to make a recurring charge to a customer who made a previous payment to you, use a customer subscription.

Never under any circumstance store customer credit card information. If Stripe catches you trying to do that they will probably ban you. This is good, because if Stripe doesn't catch you, criminals will. Criminals like the kind that extracted credit card information from Target and Walmart.