What are the PCI rules to follow for storing credit card numbers in a database?
1) is this allowed?
2) if so, what rules do we have to follow?
Im looking at this site https://www.pcisecuritystandards.org/security_standards/index.php
which document should I be reading here?
1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.
2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.
This is not a direct answer, but a suggestion. Please don't downvote; I'm just trying to be helpful. After much experience with PCI compliance, I strongly suggest you avoid having credit card information on your systems if at all possible.
The approach we have used (with great success) is Tokenization. There are services that will collect and store your credit card information for you. You make an API call to get a token, generally a hash of some kind, which represents the credit card's primary account number. When you want to bill the card, you pass the token and other transaction details, and they process they payment.
Here is an straightforward article about the process:
http://www.creditcards.com/credit-card-news/tokenization-to-fight-credit-card-id-theft-1282.php
There are lots of options for this these days:
- https://www.adyen.com/blog/tokenization-payment-technology-guide
- http://www.elementps.com/software-providers/security/pass/
- http://www.cybersource.com/products_and_services/payment_security/payment_tokenization/
For more information on that approach you can use the Google Search: Credit Card Tokenization.
You can but it's expensive to do.
You need to have DNS provided by another service or a dedicated DNS server.
You need to have a dedicated server running your SQL Server database and nothing else.
You need to use PCI approved software.
Your Database server needs to be within the same Data center as your Web Server else you will have poor performance.
So it's best to either host your site on a PCI secure host or setup your servers as I described.