DON'T DO IT

不要这样做

There is simply far too much risk involved, and you will typically need to be externally audited to ensure that you're complying with all the relevant local laws and security practises.

所涉及的风险实在是太大了，您通常需要接受外部审计，以确保您遵守所有相关的当地法律和安全惯例。

There are many third-party companies that do it for you that have already gone through all trouble of making sure their system is secure, that they comply with local laws and so on. An example in the US that I have used in the past is authorize.net. Some banks also have systems that you can hook into to store credit card data and process payments.

有许多第三方公司为您做这件事，他们已经竭尽全力确保他们的系统安全，遵守当地法律等等。我过去在美国使用的一个例子是authorize.net。一些银行也有系统，您可以连接到这些系统来存储信用卡数据和处理付款。

I realise the country you're in may not have as strict laws as the U.S., but in my opinion that's no excuse for rolling your own. When you're dealing with other people's money, the risk is just too much to warrant.

我意识到你所在的国家可能没有美国那么严格的法律，但在我看来，这不是你自己动手的借口。当你处理别人的钱时，风险太大了。

In 2020, use Stripe, and avoid storing payment information yourself.

2020年，使用Stripe，避免自己存储支付信息。

HISTORICAL ANSWER:

历史答案：

For this, I recommend a comprehensive, layered approach.

为此，我推荐一种全面的、分层的方法。

First, storing credit card info should be an option.

首先，存储信用卡信息应该是一种选择。

Secondly, the data should be stored securely, using a strong form of encryption. I recommend AES with 256bit key size. Make sure when choosing your key, you use the entire keyspace (it's a rookie mistake to just use a randomly generated alphanumericsymbol string as a key).

其次，数据应该使用强加密形式安全存储。我推荐使用 256 位密钥大小的 AES。确保在选择密钥时使用整个密钥空间（仅使用随机生成的字母数字符号字符串作为密钥是新手错误）。

Third, the AES key needs to be properly secured. Do not embed the value inside your code. If you are using windows, consider using DPAPI.

第三，需要妥善保护 AES 密钥。不要将值嵌入您的代码中。如果您使用的是 Windows，请考虑使用 DPAPI。

Fourth, you will want to setup database permissions so that applications and computers will have access on a need to know basis.

第四，您需要设置数据库权限，以便应用程序和计算机可以在需要知道的基础上访问。

Fifth, secure the connection string to your database.

第五，保护到您的数据库的连接字符串。

Sixth, ensure that any application that will have access to the credit card data, will properly secure it.

第六，确保任何可以访问信用卡数据的应用程序都能正确保护它。

At miniumum follow the PA DSS (Payment Appliction Data Security Standard). More info can be found here:

至少遵循 PA DSS（支付应用程序数据安全标准）。更多信息可以在这里找到：

https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Also it would be wise to look at PCI DSS, which could be found here:

此外，查看 PCI DSS 也是明智之举，可在此处找到：

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

You should avoid storing any credit card information due to the risks to you and to customers of doing so.

您应该避免存储任何信用卡信息，因为这样做会给您和客户带来风险。

Authorize.nethas a Customer Information Manager APIthat allows you to store customer information in their system. It costs $20/mo. as an add-on to your account.

Authorize.net有一个客户信息管理器 API，允许您将客户信息存储在他们的系统中。费用为 20 美元/月。作为您帐户的附加组件。

Encrypt encrypt encrypt. Don't decrypt if you don't absolutely have to - don't decrypt to show the last 4 digits. Don't decrypt to tell the user what their card was.

加密加密加密。如果您不是绝对必须，请不要解密 - 不要解密以显示最后 4 位数字。不要解密告诉用户他们的卡是什么。

In fact, if you can, don't even keep the encrypted card numbers in the same physical server as the rest of the user information.

事实上，如果可以的话，甚至不要将加密的卡号与其他用户信息保存在同一台物理服务器中。

I suggest you encrypt card numbers with a strong algorithm( similar AES) and a long secret key.

我建议您使用强算法（类似 AES）和长密钥对卡号进行加密。

Then,keep your secret key in a secure place similar an external hard or optical disk. When you need to secret key,use external hard.

然后，将您的密钥保存在类似于外部硬盘或光盘的安全地方。当您需要密钥时，请使用外部硬盘。

If you are using a shared host, you have to store your secret key in an external device.

如果您使用共享主机，则必须将密钥存储在外部设备中。

Strict your database

严格你的数据库

1. Define strict users for your database
2. Remove root user of your database if it is not needed.

1. 为您的数据库定义严格的用户
2. 如果不需要，请删除数据库的 root 用户。