23
votes

What credit card information am I allowed to store while still being PCI compliant if I am relying on Braintree for payment processing?

The reason I am asking is because, as a simple optimization, if a customer has already bought something from my store with a credit card, I can show them the last 4 digits of their credit card, and the card type, without having to make an API call to Braintree. I'd have to make the call if they wanted to change the card or make a purchase, but for that one page, I wouldn't.

Question is, am I allowed to store:

  • the last 4 digits of the credit card
  • and the card type
  • and possibly the cardholder name

Or where is there a list of PCI compliance "do's and don'ts" I can check out?

3

3 Answers

22
votes

Yeah, it's fine to store those things.

Check out the PCI Quick Reference Guide for a brief overview of what you should and shouldn't do.

3
votes

As has already been said, it's ok to store that data.

Regarding "dos and don'ts", it would be worth it to check out the Open Web Application Security Project (owasp.org). In particular, look at their OWASP guide (available here http://prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.pdf?download) on how to develop secure web applications. They cover PCI compliance and best practices starting on page 53.

0
votes

I would use something like attr_encrypted gem to protect that data in the database (see https://github.com/shuber/attr_encrypted).
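Putting the question and the answers together in code, as an added example (it is not the asker's code, not any answerer's, and not Braintree's API): PCI DSS allows a merchant to keep a truncated PAN (the last four digits), the card brand, the cardholder name and the expiry after authorization, while the full PAN and sensitive authentication data (CVV/CVC, full track data, PIN) must never be written to the merchant's own database. The snippet below whitelists the storable fields from a constructed gateway response (the key names are assumptions for the example, not Braintree's field names), rejects anything that looks like a full card number, and encrypts the cardholder name at rest with AES-256-GCM from Ruby's standard OpenSSL binding, standing in for what the attr_encrypted gem would do on a model attribute. The `gateway_token` column is what you would send back to Braintree for a new charge; nothing stored here can be used to charge the card on its own.

```ruby
require 'openssl'
require 'base64'

# Data a merchant may keep after authorization under PCI DSS: the gateway's
# vault token, card brand, truncated PAN (last four), cardholder name and expiry.
STORABLE_FIELDS = %w[gateway_token card_type last_4 cardholder_name
                     expiration_month expiration_year].freeze
# Full PAN and sensitive authentication data: never written to our own database.
FORBIDDEN_FIELDS = %w[number pan cvv cvc cvv2 track_data pin pin_block].freeze
FULL_PAN_PATTERN = /\A\d{13,19}\z/.freeze

# Constructed sample of a tokenization/vault response. The key names are
# assumptions for this example, not Braintree's actual API fields.
SAMPLE_GATEWAY_RESPONSE = {
  'gateway_token'    => 'tok_constructed_abc123',
  'card_type'        => 'Visa',
  'last_4'           => '4242',
  'cardholder_name'  => 'Jane Doe',
  'expiration_month' => '12',
  'expiration_year'  => '2030',
  'number'           => '4111111111114242', # full PAN: must not be persisted
  'cvv'              => '123'               # must not be persisted after authorization
}.freeze

# Whitelist the storable fields and refuse anything that looks like a PAN,
# so a later change to the gateway payload cannot leak card numbers into the DB.
def extract_storable_card(response)
  stored = {}
  response.each do |field, value|
    next if FORBIDDEN_FIELDS.include?(field) || !STORABLE_FIELDS.include?(field)
    value = value.to_s
    raise ArgumentError, "#{field} looks like a full PAN" if value.match?(FULL_PAN_PATTERN)
    stored[field] = value
  end
  raise ArgumentError, 'last_4 must be exactly four digits' unless stored['last_4']&.match?(/\A\d{4}\z/)
  stored
end

# AES-256-GCM with a random 96-bit nonce; the column name is bound in as
# associated data so a ciphertext cannot be moved into a different column.
# Stand-in for what the attr_encrypted gem does for a model attribute.
def encrypt_field(plaintext, key, aad:)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |b| Base64.strict_encode64(b) }.join(':')
end

def decrypt_field(blob, key, aad:)
  iv, tag, ciphertext = blob.split(':').map { |b| Base64.strict_decode64(b) }
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final # raises CipherError on tag/AAD mismatch
end

# Row as it would be written to the merchant database: only storable fields,
# with the cardholder name encrypted at rest.
def build_db_row(response, key)
  card = extract_storable_card(response)
  return card unless card['cardholder_name']
  card.merge('cardholder_name' => encrypt_field(card['cardholder_name'], key, aad: 'cardholder_name'))
end

# What the account page can show without a gateway API call.
def display_card(row)
  "#{row['card_type']} ending in #{row['last_4']}"
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::Random.random_bytes(32) # in practice: from a KMS or the environment, never the DB
  row = build_db_row(SAMPLE_GATEWAY_RESPONSE, key)
  puts "stored columns: #{row.keys.join(', ')}"
  puts display_card(row)
  puts "cardholder: #{decrypt_field(row['cardholder_name'], key, aad: 'cardholder_name')}"
end
```

The whitelist plus the full-PAN check is the part worth keeping even if you drop the encryption: it means the "safe to cache" decision is made once, in code, rather than in every place that touches the gateway response. The encryption key must live outside the database (environment, KMS, or a secrets store) for the encryption to protect anything in a database dump.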