Secure way to store user account credit in Rails - ruby-on-rails

In a Rails 4 application, I need to implement one-time payment system and add credits to user accounts.
Considering integrity and security, what is the best practice to store the user credit data?
Should I only implement an attribute to users' model or something else?
NOTE1: I use a custom payment system and none of the regular payment systems are of my use.
NOTE2: As it seems, using multiple databases in a rails application is not an standard.

To securely store users' credit data in your database, you will need to have PCI-DSS certification first and foremost. You can read more about it here.
To avoid that, best way would be to have a payment gateway store it for you, from where you can use the credentials for payments as required.
EDIT:
As per your comment for protecting important attributes NOT related to payment, you should try the Strongbox gem.

I think what you mean by "credit data" is not a credit card number, but an integer indicating how much credit a user has in your own "currency". As long as it's not absolutely confidential how much credit a user has, I don't think storing is a problem. It's rather about updating it.
Make sure it's stored in a central place, like the database. The session is not a good place for that.
Make sure to avoid race conditions when removing credit, read more about it here

Related

How to store card information inside our app from Paypal?

I have been reading Paypal documents for past one week and so.
There are so many things but i did not get any information regarding storing user's card information.
I need something similar like UBER
Please if you are talking about actual credit card numbers, don't store anything of the sort inside of your app! Just don't do it! For the your sake and everyone else avoid it at all costs!! There is too much risk involved, and you can find yourself in the middle of a security nightmare, not to mention finding yourself sued.
Instead Paypal has other ways to handle what you want to do.
See this here https://developer.paypal.com/docs/integration/direct/store-a-credit-card/
Paypals Reference Transactions API that returns an unique reference ID allowing you to make future transactions without actually storing card info.
Here is more pertinent information as well https://developer.paypal.com/docs/classic/express-checkout/integration-guide/ECReferenceTxns/

Is it possible with any payment interface to keep cards on file to charge on demand?

I'm making a site for a coaching company, and they've requested that we somehow keep card information on file (I informed them that that is a big no-no, and most payment API's will handle that side of things for us) so that we can charge the cards 'on-demand'. For example, the person shows up to a coaching session, types in a pin, and it charges their card for one session.
Best case scenario- this also works for an online store as well for payment processing. Once the card is on file, they can create a card, punch in their password, and they are good to go.
We are currently using Authorize.net with Ruby on Rails. I'm still fairly new to the development world, and this is my first time needing to handle payment processing. As far as I have seen, there isn't as much documentation as there should be. They would prefer not to use Stripe, as it has high per-charge fees, and most of our fees are $8-$15, and they also want to avoid PayPal, as it has been known to freeze accounts for no good reason.
Storing credit card information on your side is not practical for two reasons - security and cost (PCI compliance). Your best option is to use Stripe or Braintree.
Both offer great libraries and work as payment aggregators (no need for a merchant account with a bank to start processing payments).
https://stripe.com/docs/api#cards
https://developers.braintreepayments.com/ios+ruby/sdk/server/payment-method-management/create
For Authorize.Net, you would use Customer Information Manager for secure data storage. http://developer.authorize.net/api/reference/starting_guide.html#customerInfoManagerID

How to securely store credit card info as part of a devise user in rails?

I am making a web service where credit card information will be stored as part of a user profile and will be used to process payments.
However, I don't like the idea of saving the card information as raw text in a database. Instead, I would like to hash the card number in some way so that if a malicious person got access to the database, the users of the site will remain as safe as possible.
I imagine that it could work similar to how the password is hashed, but an important difference is that I need to be able to un-hash and send the credit card information through a 3rd party api.
How would I go about adding a hashed credit card to a Devise user in rails?
Thanks for any help
I would strongly recommend against storing credit card numbers in your own database. It's very difficult to meet the Payment Card Industry Data Security Standard - a.k.a. PCI compliance.
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
Basically, even if the card numbers are hashed, you are still responsible to meet very high security standards. Only credit card processors and/or gateways (PayPal, Stripe, Authorize.net, etc.) typically store credit card information because it's part of their job to worry about meeting these strict PCI standards so you, as the merchant, don't have to worry about it. It's relatively easy to use their servers to store your customers' encrypted payment info and allow the customer to retrieve it again when they want to make a new purchase. Because you, as the merchant, are never actually able to get access the card info, encrypted or not, you're not responsible if the card number gets stolen - the processor is.
It's actually a great deal and a major selling point for most of these processors.
EDIT
Good news! It looks like Ordr.in has this service available and, from their FAQ, it looks like they're PCI compliant as well:
Is Ordr.in PCI Compliant for credit card processing?
Yes. We work with Braintree for PCI Compliant CC processing on all
transactions.
It looks like everything you need is here in the API docs - https://hackfood.ordr.in/docs/user#addCreditCard
From what I can see, it's pretty simple. The user uses your service as a third party to create an account with Ordr.in. The user can save a credit card to their account (all stored on Ordr.in's servers) and then when the user wants to make a charge, they just log in with their email and password. Seems pretty straight forward! I can't vouch for ordr.in personally, but they look pretty legit.

Handle payment via bank transfer for Rails

I am building a rails application for place booking. The app should be able to facilitate bank transfer (not VISA/Mastercard direct payment) for payment. Basically we let users know our bank account number. User can then pay via iBanking / go to ATM or Bank. Nah, when we received the payment, we should know whom this payment comes from and from which booking.
How are we supposed to know whom send it and for which booking it is, while there is no additional data in the transfer information other than amount of money. I heard we can apply a unique cents identifier, like when the payment is $8, we make it $8 2 cents to link it to the user who sends it and the booking data.
Is that the best practice in linking the actual payment data and the booking data? If it is, is there any ruby gem capable for generating the unique cents identifier? Or if not, is there any better approach?
Thank you for your assistance.
Bit vague, but a lot of companies that bill people, and allow the user to pay by bank transfer, require the user to put a specific reference number on the transaction, which ties the transaction back to that user's account.
It needs to be made obvious to the user (and it usually is) that if they fail to put in the right reference number then the payment won't be linked with them, and therefore won't show up as a credit on their account.
This doesn't feel like a particularly satisfactory system, as it puts the onus on the user to get it right or risk being charged extra for late payment, or have a hassle sorting it out. But, lots of successful companies seem to operate like this.

Making ad-hoc card charges

I have a requirement to make ad-hoc charges to users credit cards. As I don't want to get anywhere near having to worry about credit card storage and all the associated stuff that comes with it I'm looking for a middleman service that would handle all this for me, ideally supplying me with an API that I can use to add/remove cards, and make charges through.
I don't need recurring billing or anything like that just a simple card store for ad-hoc charges.
Does anyone have any recommendations based on previous actual experience, or know of any that are worth looking at?
Authorize.Net's Customer Information Manager (CIM) does exactly what you're looking for.

Resources