我在想，最好的办法是在一个SQL数据库中存储的加密的信用卡号码的 C＃（.NET框架）。我应该做手工用字符串/ SecureString的/字节数组带有某种的对称加密？

我听说一个替代（也可能是更容易的选择），一个服务提供商（你将交易与）会给你一个键可用于检索交易信息。我不知道如何去了解这种方法，但这是更好的选择？我最想要的最安全和最安全的选择。我想成为的 PCI兼容和

解决方案   

我听说一个替代（也可能是更容易的选择），服务提供商（其中放置与交易）会给你可以用来检索交易信息的关键。

这是真实的。基本上，该方法是：

获取从客户/用户的信用卡信息。储存在 IN- code 变量（即不是一个文件或日志或数据库）。 发送信用卡信息到你的处理器（如Authorize.NET，付费软件，贝宝等）。 接收响应，其中包括一个令牌某种形式的。这是你的方式识别这个特殊的交易与处理器未来的通信。 存储在标记到数据库。加密将是很好，但不是必需的，因为令牌仅仅是指交易＃12345，而本身不具备的敏感信息。

I was wondering what the best approach is to store encrypted credit card numbers in a SQL database for C# (.net framework). Should I do it manually by using String/SecureString/Byte Array with some sort of symmetric encryption?

I heard that for an alternative (and probably the easier option), a service provider (which you place the transaction with) will give you a key that can be used to retrieve transaction information. I don't know how to go about this approach, but is this the better option? I want the most safest and most secure option. I want to be PCI compliant as well.

解决方案

I heard that for an alternative (and probably the easier option), a service provider (which you place the transaction with) will give you a key that can be used to retrieve transaction information.

This is true. Basically, the process is:

Get credit card information from customer / user. Store in in-code variable (i.e. not a file, or a log, or a database). Send credit card information to your processor (such as Authorize.NET, Payware, Paypal, etc). Receive a response which includes a "token" of some sort. This is the way you identify this particular transaction for future communications with the processor. Store the token into your database. Encryption would be nice, but not necessary, since the token simply refers to "Transaction #12345", and has no sensitive information by itself.