XF 2.2 Does XenForo store basic credit card information for a subscription payment?

[robdog]

When I use the user upgrades payment path, either subscription or one time upgrades, it doesn't seem to return and store any basic credit card information in the transaction log:

1. CC Type
2. CC Exp Date
3. Last 4 digits.

I can make a custom plugin to purchase something and that information is stored. (its in payment_method_details) Am I missing something or possibly looking in the wrong place?

 

[Paul B]

Nothing is stored in XF.

 

[Arantor]

Storing such data would require you to be PCI DSS certified for handling that data - far better to offload that to someone like Stripe.

 

[Mendalla]

Am I missing something or possibly looking in the wrong place?

Please read Arantor's response. Stripe and Paypal are experienced, well-regarded payment services who know how to store that kind of information securely. Let them do the heavy lifting on this.

 

[wedgar]

Please read Arantor's response. Stripe and Paypal are experienced, well-regarded payment services who know how to store that kind of information securely. Let them do the heavy lifting on this.

Additionally there is potential legal liability if you store your customer’s credit card information.

 

[robdog]

Just to be clear, I was not asking about storing full CC, CVV2 or name on card. I was wanting to store they type of card used and the last 4 digits so I could display to the end user what card they used for the subscription. Expirations date might be a bit much and could be dropped for security purposes.

 

[Mendalla]

Just to be clear, I was not asking about storing full CC, CVV2 or name on card. I was wanting to store they type of card used and the last 4 digits so I could display to the end user what card they used for the subscription. Expirations date might be a bit much and could be dropped for security purposes.

I am pretty sure PayPal receipt emails show which payment method was used. I would assume Stripe will be similar. The customer needs that to be able to reconcile their statements. So having it on your site would be redundant. And I, personally as a user, would not want any CC info stored locally. I can track that myself.

 

[Forsaken]

When I use the user upgrades payment path, either subscription or one time upgrades, it doesn't seem to return and store any basic credit card information in the transaction log:

1. CC Type
2. CC Exp Date
3. Last 4 digits.

I can make a custom plugin to purchase something and that information is stored. (its in payment_method_details) Am I missing something or possibly looking in the wrong place?

https://listings.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf

The first link is a brief overview of compliance requirements, while the last one is more in-depth. Rule of thumb is if you do not have to store it, you should not store it.

 

[Arantor]

The safest route is to ask Stripe for it after they processed it - you can retrieve this from Stripe’s services and as long as you’re not storing it, you don’t need full PCI DSS protections in place. (But note that processing it is still to be done with caution even if you’re not storing it, ideally to ensure it can’t end up in logs, such as tagging it as SensitiveParameter in the code)