Credit Card Storage

I am testing NopCommerce and I'm using an Authorize.Net test account. I have found that a masked/encrypted version of the credit card number is stored in the database? Are the numbers stored anywhere else? Authorize.NET? I appreciate the help.

To better ask the question, we are filling out a payment gateway application form and one of questions asked is

Where/who stores the credit card info:
Merchant location only; merchant headquarters/corp office only; primary service provider; both merchant and service provider; other service provider; all apply

I know the masked credit card number is stored in the database. Do any of these other options apply? Thanks.

FunkDr wrote:
I understand that the credit card info is only stored when the "Credit Card Payments.Manual" payment method is used. This would not apply  for Authorize.NET

Thanks for the response. The credit card number is stored with Authorize.Net. It's encrypted but it's there.

The PlaceOrder function in OrderProcessingService will store an encrypted version of all the CC info if AllowStoringCreditCardNumber is true.  This will happen for any payment plugin that sets that field.  My copy of the Authorize.Net plugin doesn't touch the field which means it should default to false.

Note that the encrypted MaskedCreditCardNumber field is different from the encrypted CardNumber field.  The masked version is altered to asterisks and just the last 4 digits before it gets encrypted.   There is no way to go back to the full number.  That will be stored with every plugin because storing just the last 4 digits is considered OK by PCI standards.

Very helpful info. Thanks

Thanks for providing this valuable information.