Wait, is storing credit card numbers in a database allowed?
Basically, you can store it, but it has to be protected in accordance with PCI DSS standards. Having this information in your database makes you an extremely attractive target for hackers. Do you think you can protect it? Think it over carefully. Your server and network must also be secure. Paranoidly secure. And your business processes too. And if any piece of this puzzle is not PCI compliant, you risk being hit with a fine of up to $200 000.
But does it mean you should forget forever about the convenience of storing credit cards? No, it does not. The point is that “storing credit card numbers” and “storing credit cards” are not the same thing.
Tokenization is the answer
A number of payment gateways collect and store your credit card information for you. Since working with credit cards is their primary business, the PCI requirements are much stricter for them, and the level of security and protection of this extremely sensitive data is complex and even sophisticated. You can leave all the headache to the professionals and still enjoy the possibility to, as we call it, “store a credit card” for future use. The point is that upon authorization, they provide you with a token, a unique identifier that cannot be converted into the actual number of the credit card: it’s simply NOT an encrypted number, but rather a reference to the particular card stored. When you want to bill the card, you pass the token and other transaction details, and the payment gateway processes the payment.
The greatest thing is that since the database of your software does not contain credit card numbers, a simple principle works: data thieves can’t steal what isn’t there. You have a token only, and it’s nearly impossible for hackers to reassemble the credit card number through decryption or reverse engineering.
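The token flow described above, together with a check that the shop's own records hold no card numbers, as an added example that is not code from X-Payments or from any gateway. `ToyGateway`, `find_pans` and the sample rows are hypothetical names and constructed data; a real gateway's API will differ.

```python
import re
import secrets

class ToyGateway:
    """Hypothetical stand-in for a gateway's card vault, not a real gateway API."""
    def __init__(self):
        self._vault = {}  # token -> card number; exists only on the gateway side

    def authorize(self, pan):
        token = secrets.token_urlsafe(16)  # random reference, not derived from the PAN
        self._vault[token] = pan
        return token

    def charge(self, token, amount_cents):
        pan = self._vault.get(token)
        if pan is None:
            return {"status": "declined", "reason": "unknown token"}
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}

def luhn_ok(digits):
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(rows):
    """Return (row index, field name) for each stored value holding a Luhn-valid card number."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            for match in PAN_RE.finditer(str(value)):
                if luhn_ok(re.sub(r"\D", "", match.group())):
                    hits.append((i, field))
    return hits

TEST_PAN = "4111111111111111"  # widely used test number, not a real card
gateway = ToyGateway()
token = gateway.authorize(TEST_PAN)
# Constructed sample rows: what the shop keeps with tokenization, and without it
merchant_db = [{"customer": "alice@example.com", "card_token": token, "last4": TEST_PAN[-4:]}]
legacy_db = [{"customer": "bob@example.com", "card_number": "4111 1111 1111 1111"}]

if __name__ == "__main__":
    print(find_pans(merchant_db), find_pans(legacy_db))
    print(gateway.charge(token, 1999))
```

A scan like `find_pans` can be run over database exports and logs to confirm that only tokens and the last four digits are kept on the shop side.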
This kind of magic is possible with…
Skip this paragraph if you know what X-Payments is =)
X-Payments is a PA-DSS certified payment application developed by the X-Cart team for merchants who are looking for a solution that integrates the shopping cart with 45+ payment gateways in a fully PCI compliant way and enables safe and convenient storage of customers’ credit card information for use in new orders, reorders or recurring payments.
To be exact, X-Payments supports tokenization for:
- Authorize.Net CIM
- FirstData E4(SM)
- Chase Paymentech Orbital
- Global Iris
- Elavon payment gateway
- PayPal Payments PRO (PayPal API)
- PayPal Payments Pro (Payflow API)
- American Express Payment Gateway
- SagePay v3
- Intuit Quickbooks
- Quantum Gateway XML integration
- 5th Dimension Logistics
- Meritus Payments
- Payflow Pro
Haven’t found your gateway? Request it here!
What it looks like
Alex Mulin, X-Payments Product Manager, crafted a good collection of video overviews for you, and since the interface is version-specific (different for X-Cart 4 Classic and X-Cart 5), please make sure you view the video for your solution.
Admin side – How to create a new order (1m 37s)
Customers side – Saving credit cards in X-Payments 2.x (2m 02s)
Selling subscriptions – requires this free extension installed – (3m 13s)
Admin side: X-Cart 5 AOM and X-Payments – BFF (2m 01s)
Customers side: Saving cards in X-Cart integrated with X-Payments (2m 00s)
The best way to find out if this works for you or not is to set up a trial account and receive a free 14-day X-Payments Basic subscription and access its full functionality. No credit card required so you don’t have to worry about automatic renewal or purchase charges.