9
votes

Yeah... just thinking about it...

Should I store credit card numbers that have been input on my site as strings or ints?

I mean, they're made up of numbers which makes me think it's an int... but I don't do maths on them, so maybe a string is more appropriate?

EDIT: So I have to store the number that's been input at some point, before I encrypt it. I probably should have been more specific - it's not like I'm saving them in the DB in clear text or anything - glad to see how conscientious everyone is :)

7
Remind me to never give you my credit card number :). I would approve of Chris Shain's answer. – Mxyk
This is neither C# nor Java, btw. If anything mark this as database. – Chris Eberle

7 Answers

34
votes

Neither. You should save them, at the very least, as byte arrays encrypted with AES or equivalent using industry-accepted key storage.

Windows provides a lot of this via the Data Protection API: http://msdn.microsoft.com/en-us/library/ms995355.aspx

For your own sake and the sake of your customers, please learn the proper standards for encrypting financial credentials or hire someone who knows them.

Given your edit:

C# has a SecureString class that you should use. I don't believe that there is a Java equivalent, but I could be wrong.

EDIT: For posterity's sake...

Guidelines for storage, transmission, and processing of credit card details are defined by PCI DSS (Data Security Standards). Anyone considering how to architect their solution for managing credit card data should read about that here, and consult an industry expert: https://www.pcisecuritystandards.org/

8
votes

Credit card numbers would be a string. I'm not positive, but I feel like some cards can start with a 0 and you wouldn't want to lose any of those leading zeros. Also, you should encrypt that. If not, a malicious user may be able to snag card numbers through cookies, packet sniffers, and other things.

6
votes

Note that:

  • The range of int in Java is -2147483648 to 2147483647 (you can check it by printing Integer.MAX_VALUE and Integer.MIN_VALUE).
  • A credit card number has 16 digits.
  • There is no need to do calculations on a credit card number.
  • You should not store a credit card number without encrypting it (to avoid the number being stolen), and usually the result of the encryption can contain alphanumeric characters.

Based on those facts, I believe String is more appropriate. (BUT ENCRYPT FIRST)
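An added example, not part of any answer on this page, in Java because the answers discuss Java's int range: it shows a 16-digit number overflowing `int` and losing its leading zero as a `long`, then stores the digits as an AES-GCM encrypted byte array as the top answer recommends. The class name, the sample number, the choice of GCM mode and the in-memory key are assumptions for the demo; a real system would fetch the key from managed key storage.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;

public class PanStorageDemo {                       // hypothetical class name
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Encrypt the digits with AES-GCM; the byte[] to persist is IV || ciphertext || tag.
    // Assumes the caller has already validated that pan holds only ASCII digits.
    static byte[] seal(char[] pan, SecretKey key) throws Exception {
        byte[] plain = new byte[pan.length];
        try {
            for (int i = 0; i < pan.length; i++) plain[i] = (byte) pan[i];
            byte[] iv = new byte[IV_LEN];
            new SecureRandom().nextBytes(iv);       // fresh IV for every record under one key
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plain);
            return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        } finally {
            Arrays.fill(plain, (byte) 0);           // wipe the cleartext copies we control
            Arrays.fill(pan, '0');
        }
    }
    // Decrypt a stored record; GCM throws AEADBadTagException if the record was altered.
    static char[] open(byte[] rec, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, rec, 0, IV_LEN));
        byte[] plain = c.doFinal(rec, IV_LEN, rec.length - IV_LEN);
        char[] pan = new char[plain.length];
        for (int i = 0; i < plain.length; i++) pan[i] = (char) plain[i];
        Arrays.fill(plain, (byte) 0);
        return pan;
    }
    public static void main(String[] args) throws Exception {
        String typed = "0123456789012345";          // constructed sample, not a real card number
        try { Integer.parseInt(typed); }
        catch (NumberFormatException e) { System.out.println("int: value out of range"); }
        System.out.println("long keeps " + Long.toString(Long.parseLong(typed)).length() + " of 16 digits");
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();           // demo only: in-memory key (assumption)
        byte[] rec = seal(typed.toCharArray(), key);
        System.out.println("stored " + rec.length + " bytes, round trip ok: " + typed.equals(new String(open(rec, key))));
    }
}
```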

5
votes

You shouldn't store credit card numbers at all, ever, as anything. If you are integrating with a payment provider, pass the information straight to them; if you need to charge later, they should be able to provide a token of some sort. Unless your servers are compliant, you are probably breaking rules.

4
votes

Credit card information (or any personal information that can be misused) should never be stored in its raw form (strings, integers, etc). Always encrypt it so that the information is protected in case your website is hacked.

2
votes

Since it does not make sense to add or multiply credit card numbers, ints are not suitable. Use strings.

2
votes

Before storing any credit card information, get familiar with the requirements for PCI (Payment Card Industry) compliance. This covers how you can store the numbers, and how much of the number you can store. There are a number of other steps you need to take to secure your servers.