
eggplantSword

Best way to save credit card info

I'm making a page for an online store and was wondering what is the best, most secure way to save a customer's credit card info and what is recommended when updating the card info (what to show and what not to).

What would you recommend?

0 likes
10 replies
jlrdw

Your payment gateway will have instructions of exactly what to do.

1 like
eggplantSword

@jlrdw I'm using a payment API in this case, not the ones that Laravel comes with like Cashier. I'm using it because of where in the world I live.

jlrdw

Use encryption, make sure you have good authorization in place, test all on a "made up" card and see if you can get around security. But you will still need a payment processing gateway.

eggplantSword

@snapey I didn't know saving them could be illegal, I use Uber in my country and they save my card info. I'll look more carefully at the API I'm using to see what they recommend.

Snapey

Anyone accepting card payments must be PCI compliant.

2 likes
jlrdw

Watch this: https://laracasts.com/series/how-to-accept-payments-with-stripe/episodes/1

I know you are not using Stripe, but Jeffrey explains PCI compliance. Basically if you use a gateway, and you don't store a card, then you are okay. He explains in the video that the service (Stripe in this case) handles the PCI compliance.

So the video will explain basically how to accept payments the right way.

I have done similar with PayPal for a non-profit; we never stored any card data, all of that was handled on the PayPal side. There were even recurring donations.

The video I referenced is free.

rawilk

Even with a payment gateway like Stripe, you still have to take measures yourself to be PCI compliant - it doesn't just "handle the PCI compliance" completely for you. Going with Stripe as an example, you still have to make sure you are doing stuff like serving your site over SSL and never sending customer payment information to your server (which would mean you would need to purchase, implement, and maintain security software and hardware) unless you absolutely need to. That means in most cases you should be using their JS solution (Stripe Elements) to send payment information directly to Stripe's servers so it never touches your server. Even if you don't save any of the payment information on your servers (which you shouldn't be anyway), you'll still have to jump through more hoops to be PCI compliant than if you just send it directly to Stripe's servers.

Using a payment gateway like Stripe definitely helps take some of the complexity out of being PCI compliant, but it by no means takes care of it all for you.

Stripe's guide to PCI compliance: https://stripe.com/guides/pci-compliance
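The server-side half of the approach described above, as an added example that is not part of the original thread: the endpoint refuses any submission carrying a full card number or security code, and keeps only the gateway's reference plus the few fields safe to show on an "update card" screen. The field names (`gateway_token`, `brand`, `last4`, `exp_month`, `exp_year`, `cvv`, `cvc`) are hypothetical; map them to whatever your payment API returns.

```php
<?php
declare(strict_types=1);

// Added example; the field names below are hypothetical, map them to your payment API.
const STORABLE_FIELDS = ['gateway_token', 'brand', 'last4', 'exp_month', 'exp_year'];

/** Luhn checksum: true when a digit string could be a real card number. */
function luhnValid(string $digits): bool
{
    $sum = 0;
    for ($i = strlen($digits) - 1, $double = false; $i >= 0; $i--, $double = !$double) {
        $d = (int) $digits[$i] * ($double ? 2 : 1);
        $sum += $d > 9 ? $d - 9 : $d;
    }
    return $sum % 10 === 0;
}

/** True when any value in the (possibly nested) payload looks like a full card number. */
function containsPan(array $payload): bool
{
    foreach ($payload as $value) {
        if (is_array($value)) {
            if (containsPan($value)) {
                return true;
            }
            continue;
        }
        $digits = preg_replace('/[\s-]/', '', (string) $value) ?? '';
        if (preg_match('/^\d{13,19}$/', $digits) === 1 && luhnValid($digits)) {
            return true;
        }
    }
    return false;
}

/** Reject raw card data, then keep only the whitelisted reference and display fields. */
function storableCard(array $payload): array
{
    if (containsPan($payload) || isset($payload['cvv']) || isset($payload['cvc'])) {
        throw new InvalidArgumentException('Raw card data must not reach this server.');
    }
    return array_intersect_key($payload, array_flip(STORABLE_FIELDS));
}

// Constructed sample input: a tokenised submission, then a form that posted the card itself.
$ok = ['gateway_token' => 'tok_constructed_123', 'brand' => 'visa', 'last4' => '4242', 'exp_month' => 12, 'exp_year' => 2030];
print_r(storableCard($ok));
try {
    storableCard(['number' => '4242 4242 4242 4242', 'cvv' => '123']);
} catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
```

When the customer updates a card, show only the brand, last four digits and expiry from this record, and have the gateway's hosted form collect the replacement.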

AlexanderWright

Q. "Best way to save credit card info?"

A. Do not do that. You will not be PCI compliant, and would be liable for any losses due to stolen card details.

If you really must, use a hardware crypto service, such as provided by Entrust. This will enable you to encrypt the data in a way that makes it exceedingly difficult to decrypt, without the keys stored in the hardware crypto unit.

Note that this is:

  1. Very expensive
  2. What your bank / Stripe etc. use
  3. Inconvenient to recover the card information when you need it.

It is generally best to leave it to a payment processing organisation, such as PayPal, Stripe etc. who will provide the security for you.
