We have implemented numerous eCommerce applications (for clients) and to begin with we did capture the credit card information, which was stored (encrypted) in the ASP.NET profile; it was then removed when payment was either successful or not. However, that was many moons ago and since then we have totally moved away from actually capturing the credit card data ourselves.

All payment service providers should provide a number of services, and usually one where you hand control over to them to take the card information and authorise the payment, dealing only with a transaction ID or order number as you mention. Clearly this is a more secure and PCI-compliant approach. If you are careful you can embed this into your checkout process and, with most providers, tailor the appearance of the card page so that the user gets the impression that they have not left your site. This also has the advantage that it will handle all 3D Secure authorisation steps without you having to manually code these (something I tried once... and never will

I cannot directly answer your question about best practices for storing card data (obviously strong encryption is a must), but if you can you should avoid this at all costs (IMHO).
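The pre-auth/capture flow the reply favours over holding card data in the session, as an added example (Python; not code from either poster or from any real payment provider): the processor class is a hypothetical stub standing in for a PSP's pre-auth/capture/void API, the card number is the widely published Visa test number, and a Luhn-based guard refuses to persist a session that still contains a full PAN.

```python
from itertools import count


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used here only to spot a full card number that leaked into state."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def session_contains_pan(session: dict) -> bool:
    """Guard run before the session is persisted: any 13-19 digit Luhn-valid run counts as a PAN."""
    for value in session.values():
        digits = "".join(c for c in str(value) if c.isdigit())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


class StubProcessor:
    """Hypothetical PSP stub: the card data goes here once, and nowhere else in the application."""

    def __init__(self):
        self._seq = count(1)
        self.auths = {}

    def preauth(self, pan: str, expiry: str, amount: int) -> str:
        ref = f"AUTH-{next(self._seq):06d}"  # the only thing the web app keeps
        self.auths[ref] = {"amount": amount, "state": "authorised"}
        return ref

    def capture(self, ref: str) -> None:
        self.auths[ref]["state"] = "captured"

    def void(self, ref: str) -> None:
        self.auths[ref]["state"] = "voided"


def begin_checkout(session: dict, processor: StubProcessor, pan: str, expiry: str, amount: int) -> str:
    """Step 1: pre-authorise, then keep only what the confirm page needs (reference, last four, amount)."""
    ref = processor.preauth(pan, expiry, amount)
    session.update({"auth_ref": ref, "card_last4": pan[-4:], "amount": amount})
    if session_contains_pan(session):
        raise RuntimeError("refusing to persist a session holding card data")
    return ref


def confirm_checkout(session: dict, processor: StubProcessor, accepted: bool) -> str:
    """Step 2: the shopper confirms or cancels; settle or release the hold and drop the reference."""
    ref = session.pop("auth_ref")
    (processor.capture if accepted else processor.void)(ref)
    return processor.auths[ref]["state"]
```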
[mailto:web400-bounces+maurice.oprey=xmli5.com@xxxxxxxxxxxx] On Behalf Of
Sent: 28 September 2011 22:04
To: Web Enabling the AS400 / iSeries
Subject: [WEB400] How do I store data for payment processing on a
The solution for this question is more specific to ASP.NET MVC, but the solution that is needed is more of a standard across any web platform. I am hoping maybe you guys have an idea.

I have all of the details of my question at

Basically, I am working on an eCommerce application. After the person has entered their billing address and credit card details, we want to display a "confirm your payment" screen before processing the transaction. How do we store that data so that we can continue with processing it after they confirm the data is accurate?

One thought I have seen is storing the data (encrypted) in the session. Another (that I don't like) is storing it in a temporary table (encrypted). A third was to do a PreAuth and PostAuth with the card processor and just deal with a (mostly) meaningless order id.

What have you done in the past? What is the "best practice" here?
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list.
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at