[pointyhatuk]

That's totally shit.

Its also why we invoice and take wire payments rather than storing CC details. There's just so much to go wrong.

Also PKI is shit for this sort of thing. As demonstrated, the moment that public key is gone, then the whole system falls like a house of cards. For the non believers of this fact, why else would there be a certificate revocation list and root CA updates for windows periodically...

[toomuchtodo]

Using a processor who stores the card number outside of your infrastructure (ie. Stripe) can also be helpful.

[dangrossman]

Even better to use someone that isn't your payment processor, so that should you need to change payment processors you don't also have to re-acquire all the billing info from your customers. You can use Stripe today, PayPal tomorrow, and Braintree the next if that's what works best for your business.

Card vaulting as a service: https://spreedly.com/ ($10/mo for up to 5000 cards)

[scarmig]

Isn't that just adding one more point of failure? I don't trust myself, I barely trust Stripe or Paypal, and I've not even heard of spreedly.

[dangrossman]

There's always going to be single points of failure, but which is more likely: you want or have to change payment processors (you've been terminated, your fees have gone up, you want to switch to a lower cost provider) or you want to change flat-rate vaulting services? Plus, Spreedly will give you your data if you leave, whereas there is no way to get stored billing info out of most payment processors.

[gbuckingham89]

Until they have a security breach.

[ricardobeat]

Better rely on someone who's sole job is securing that info than doing it yourself.

[mrweasel]

Storing credit card info just helps make you a bigger target. If your a small company, better let someone else store card info, let them be the target.

Also you're fined by the credit card companies if you lose card information. I believe it's a per card fine, so it get expensive really quickly.

Actually I don't get why any company would choose to store credit card information, when most payment providers will do it for you.

[Killswitch]

Stripe is amazing... I trust them, someone hacks me, awesome, you got password hashes and stripe customer keys, all worthless.

[dpeck]

Not exactly worthless, depending on the hack someone could still charge an awful lot to your customers and make you have a bad day.

But yes, significantly better than other situations.

[fudged71]

But you still might need to consider data residency issues and making your customers aware of where their data is being stored.

[raverbashing]

Yes

But if that happens, it's not your responsibility (at least not 100%), it's theirs

[hopeless]

Following the traditional responsibility/accountability dichotomy: They are responsible for storing the cc number securely but you are accountable when something goes wrong (because you gave them that task)

Much like Linode are responsible for hosting my clients site but I sigh am accountable when something goes wrong.

[jervisfm]

In what ways are wire payments better than using credit cards? In wire payments aren't you using the actual bank account numbers along with routing numbers which is also very sensitive information ?

Also I do not think, but I am not sure, that fraudulent wire payments/transfers are reversible.

[spangborn]

They're not. You're right.

Wire transfers often are not able to be undone once they happen (and are accepted by the other bank). This is the reason why there's so much verification that happens in wire transfers. (I helped develop 2nd factor authentication used for authenticating wire transfers for a financial company)

Credit card charges can be reversed.

http://www.reba.net/news/wtransfer