Payment API Key Security

1 year 7 months ago #161110 by Wesley Faries
Payment API Key Security was created by Wesley Faries
Hello. My client needs a booking system, so I was recommending Events Booking, and I would purchase the Stripe plugin for him. He asked how the API keys are stored and I said within the database, but he does not want me to use Events Booking out of concern that if the database were hacked, the hackers would have the API keys, even though my server, site, and database are very secure. Besides the fact that other booking components store the API keys the same way, is there something I can tell him to assure him that it is OK to have the API keys within the database?

Thank you!

1 year 7 months ago #161111 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Payment API Key Security
If he does not want it to be stored in the database, we can store it directly in the code. However, if the site is already hacked, that data could still get lost, too.

There is no better way, I'm afraid.

Tuan

1 year 7 months ago #161123 by Wesley Faries
Replied by Wesley Faries on topic Payment API Key Security
Thanks a bunch Tuan, and that makes sense. I relayed your message and he is asking if the API keys could be encrypted (which I think he meant hashed), or if there is an option to have the API keys in a separate database or split up somehow. However, as I understand it, API keys need to be in cleartext?

Thanks again!

1 year 7 months ago #161134 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Payment API Key Security
Even if it is encrypted, it still needs to be decrypted to pass to the payment gateway with the right value.

So even if it is encrypted and the site was hacked, the hacker (if he wants) can still decrypt the keys. There is no way to make it 100% safe when the site is already hacked.

Regards,

Tuan
The following user(s) said Thank You: Wesley Faries
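
The options raised in this thread (hashing, encryption, keeping part of the secret somewhere other than the database), as an added example that is not code from Events Booking or its Stripe plugin. It uses PHP's libsodium `secretbox`; the helper names, the sample key and the idea of holding the wrapping key outside the database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample value, not a real Stripe key.
const SAMPLE_API_KEY = 'sk_test_CONSTRUCTED_EXAMPLE_ONLY';

// Hypothetical helper: encrypt the gateway key for storage in a database column.
function sealApiKey(string $apiKey, string $wrapKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $wrapKey));
}

// Hypothetical helper: recover the cleartext key just before calling the gateway.
function openApiKey(string $stored, string $wrapKey): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $wrapKey);
    if ($plain === false) {
        throw new RuntimeException('Wrong wrapping key or tampered ciphertext');
    }
    return $plain;
}

// Assumption: in a deployment this key is loaded from outside the database
// (environment variable, file outside the web root); generated here for the demo.
$wrapKey  = sodium_crypto_secretbox_keygen();
$dbColumn = sealApiKey(SAMPLE_API_KEY, $wrapKey);

// Case 1: the running site holds both the row and the wrapping key.
var_dump(openApiKey($dbColumn, $wrapKey) === SAMPLE_API_KEY);

// Case 2: a database dump alone; any other key fails authentication.
try {
    openApiKey($dbColumn, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo 'Database row only: ', $e->getMessage(), PHP_EOL;
}

// Case 3: a hash is one-way, so the stored digest cannot be sent to the gateway.
echo 'SHA-256 digest, not usable as a key: ', hash('sha256', SAMPLE_API_KEY), PHP_EOL;
```

A leaked database row on its own does not decrypt, while anything running with the site's privileges holds both the row and the wrapping key.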

1 year 7 months ago #161135 by Wesley Faries
Replied by Wesley Faries on topic Payment API Key Security
Makes sense! Thanks!

1 year 7 months ago #161136 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Payment API Key Security
You're welcome!

Tuan


Moderators: Tuan Pham Ngoc