Tags: ruby-on-rails, devise, pci-dss

How to securely store credit card info as part of a devise user in rails?


I am making a web service where credit card information will be stored as part of a user profile and will be used to process payments.

However, I don't like the idea of saving the card information as raw text in a database. Instead, I would like to hash the card number in some way so that if a malicious person got access to the database, the users of the site will remain as safe as possible.

I imagine that it could work similar to how the password is hashed, but an important difference is that I need to be able to un-hash and send the credit card information through a 3rd party api.

How would I go about adding a hashed credit card to a Devise user in rails?

Thanks for any help


Solution

  • I would strongly recommend against storing credit card numbers in your own database. It's very difficult to meet the Payment Card Industry Data Security Standard - a.k.a. PCI compliance.

    http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

    Basically, even if the card numbers are hashed, you are still responsible for meeting very high security standards. Only credit card processors and/or gateways (PayPal, Stripe, Authorize.net, etc.) typically store credit card information because it's part of their job to worry about meeting these strict PCI standards so you, as the merchant, don't have to worry about it. It's relatively easy to use their servers to store your customers' encrypted payment info and allow the customer to retrieve it again when they want to make a new purchase. Because you, as the merchant, are never actually able to get access to the card info, encrypted or not, you're not responsible if the card number gets stolen - the processor is.

    It's actually a great deal and a major selling point for most of these processors.

    EDIT

    Good news! It looks like Ordr.in has this service available and, from their FAQ, it looks like they're PCI compliant as well:

    Is Ordr.in PCI Compliant for credit card processing?

    Yes. We work with Braintree for PCI Compliant CC processing on all transactions.

    It looks like everything you need is here in the API docs - https://hackfood.ordr.in/docs/user#addCreditCard

    From what I can see, it's pretty simple. The user uses your service as a third party to create an account with Ordr.in. The user can save a credit card to their account (all stored on Ordr.in's servers) and then when the user wants to make a charge, they just log in with their email and password. Seems pretty straightforward! I can't vouch for ordr.in personally, but they look pretty legit.
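The answer's point that hashing a card number does not protect it, shown as an added Ruby example that is not part of the original question or answer: a primary account number (PAN) has almost no entropy once the issuer BIN (first six digits) and the last four digits are known, and merchants routinely keep and display exactly those. The Luhn check digit then removes one more unknown digit, so a 16-digit PAN has only 10^5 candidates left and its SHA-256 is reversed in about a second on a laptop. The PAN, its hash, the BIN and the last-four value below are constructed for the example and are not a real card.

```ruby
require 'digest'

# Luhn contribution of one digit. "doubled" positions are every second digit
# counting from the right, starting with the digit left of the check digit.
def luhn_term(digit, doubled)
  return digit unless doubled
  d = digit * 2
  d > 9 ? d - 9 : d
end

# Standard Luhn validation of a numeric string.
def luhn_valid?(pan)
  digits = pan.chars.map(&:to_i)
  sum = digits.reverse.each_with_index.sum { |d, i| luhn_term(d, i.odd?) }
  sum % 10 == 0
end

# Given a PAN pattern with exactly one '?' placeholder, return the single digit
# that makes the whole number Luhn-valid (doubling is a bijection on 0..9, so
# exactly one value works). This is why the attacker never has to guess it.
def solve_luhn_digit(pattern)
  idx = pattern.index('?')
  n = pattern.length
  doubled = ->(i) { (n - 1 - i).odd? }
  known = pattern.chars.each_with_index.sum do |c, i|
    c == '?' ? 0 : luhn_term(c.to_i, doubled.call(i))
  end
  (0..9).find { |x| (known + luhn_term(x, doubled.call(idx))) % 10 == 0 }
end

# Offline attack against a leaked "hashed card" column: the attacker knows the
# BIN and last four digits (typically stored in clear next to the hash), so only
# the middle digits are unknown, and Luhn fixes one of those. Returns the PAN or nil.
def recover_pan(hash_hex, bin, last4, length: 16)
  unknown = length - bin.length - last4.length  # 6 middle digits for a 16-digit PAN
  free = unknown - 1                            # Luhn determines the last one
  (10**free).times do |k|
    middle = k.to_s.rjust(free, '0')
    pattern = bin + middle + '?' + last4
    candidate = bin + middle + solve_luhn_digit(pattern).to_s + last4
    return candidate if Digest::SHA256.hexdigest(candidate) == hash_hex
  end
  nil
end

# Constructed, Luhn-valid example PAN (not a real card). The "database" is assumed
# to hold only its SHA-256 plus the BIN and last four digits.
CARD_PAN  = "4111119876504321"
CARD_HASH = Digest::SHA256.hexdigest(CARD_PAN)
CARD_BIN  = CARD_PAN[0, 6]
CARD_LAST = CARD_PAN[-4, 4]

if __FILE__ == $0
  t = Time.now
  found = recover_pan(CARD_HASH, CARD_BIN, CARD_LAST)
  puts "recovered #{found.inspect} from hash in #{(Time.now - t).round(2)}s"
end
```

A per-record salt does not change this: the salt sits in the same table, so the search is still 10^5 guesses per card. A slow hash such as bcrypt only multiplies the cost linearly, which at a few hundred milliseconds per guess is hours per card, not years. That is why the answer's advice holds: keep nothing the processor did not give you, namely its vault token plus the brand and last four digits for display, and let the PAN live only on the processor's side.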