Storing partial credit card numbers

灰色年华 2021-01-30 18:25

Possible Duplicates:

  1. Best practices for taking and storing credit card information with PHP
  2. Storing credit card details
  3. Storing Credit Card Infor
7 answers
  •  逝去的感伤
    2021-01-30 18:51

    Your specific question is answered in sec 3.3 of the PCI/DSS document. First six and last four are max for display. Customer (paper?) receipts are more restrictive. Those with a legitimate need to know can see full card data.

    My recommendation is to contact your merchant provider and see what options are available to you. A number of the modern transaction gateways have "vault" features where sensitive information is stored at the provider and you simply reference customers by a token number when you want to bill them or check account information.

    Along the same lines, transaction-specific tokens can be used to reference needed data stored on the provider's system.

    However, I can't stress enough the importance of reading and understanding PCI DSS. Simply punting secure storage does not magically absolve you from being subject to PCI compliance requirements!! This is only possible when your system never touches full card data.
