As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.

如上所述，不要将信用卡信息存储在数据库中。这是一个麻烦的秘诀。这样做将使您成为黑客的一个非常有吸引力的目标，如果他们成功地找回了他们，那么您的业务就会结束​​，并可能毁掉您的生活以及信用卡号码被盗者的生活。

Having said that, here are three things to consider:

话虽如此，这里有三件事需要考虑：

1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billingservice. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.

1) 您最好的选择是使用提供定期计费的支付处理器/支付网关。这方面的一个例子是Authorize.Net 的自动重复计费服务。一旦您设置了订阅，他们将每月自动为您自动向用户收费，并让您知道交易结果。它可以为您节省大量工作，并免除您存储信用卡信息的责任。

2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).

2) 如果您确实存储了商店信用卡号，则必须遵循PCI 指南. 这些准则由支付卡行业制定，定义了您可以做什么和不可以做什么。它还定义了信用卡信息必须如何存储。您将需要对信用卡号进行加密，并且您应该（但不是必须）加密相关信息（到期日期等）。您还需要确保您的 Web 服务器和网络是安全的。未能满足 PCI 合规性将导致您的商家帐户丢失并永远被禁止拥有真正的商家帐户。这将限制您使用不太灵活的第三方处理器。请记住，PCI 指南是一个良好的开端，但对于在线安全而言，它几乎不是“如何做”。您的目标是超过建议（很多）。

3) State and country specific laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.

3) 州和国家/地区的特定法律取代 PCI 合规性。如果您遭受数据泄露并且信用卡号被盗，您可能面临刑事起诉的风险。法律因州而异，并且不断变化，因为立法者才刚刚开始意识到这是一件多么严重的事情。

As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfishis a good start and if you use PHP the mcrypt libraryis recommended (example).

就加密而言，请确保您阅读哪些加密算法是安全的并且尚未被破解。Blowfish是一个好的开始，如果您使用 PHP，推荐使用mcrypt 库（示例）。

The safest way is to NOTstore the credit card information on your system, but let a 3^rdparty payment provider do it for you.

最安全的方式是不是存储系统上的信用卡信息，但让一个3^次第三方支付提供商为你做它。

It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliantif you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI complianceto grasp how serious it is to be PCI compliant.

不要求您使用 PayPal 等第三方支付提供商，但如果您要存储支付卡信息，则需要符合 PCI 标准。阅读这篇关于BC Ferries 的文章，他们因未跟上 PCI 合规性而面临巨额罚款，以了解PCI 合规性的严重程度。

My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.

我现在的雇主正在接受 PCI 合规——这不是一个微不足道的过程，需要工作人员进行审计。执法取决于国家和州/省法律——加拿大 IIRC 要求您获得 PCI 雇佣委员会的 PCI 认证，而美国的一些州允许 PCI 合规审计公司代替 PCI 委员会任职。