
Credit card security question - PHP Development


  1. #1

    Credit card security question

    Hi all,

    I need some advice although it's not strictly PHP related. What is the
    preferred method to get credit cards off a web server in an online shop
    scenario? I can think of -and have used- a few email based methods but they
    kind of negate the reason for having SSL.

    I just wondered how other people get CC details from the web server to the
    person who is debiting it. Is there an industry standard I don't know about?


    Thanks,

    Nathan


    Treefrog Guest

  2. #2

    Re: Credit card security question

    On Thu, 2 Oct 2003 11:18:20 +0100, Treefrog wrote:
    >I need some advice although it's not strictly PHP related. What is the
    >preferred method to get credit cards off a web server in an online shop
    >scenario? I can think of -and have used- a few email based methods but they
    >kind of negate the reason for having SSL.
    >
    >I just wondered how other people get CC details from the web server to the
    >person who is debiting it. Is there an industry standard I don't know about?
    I think the "industry standard" is to not send CC details by mail, or
    to use encrypted mail.

    The person who is debiting the amounts could access the server where
    the CC details are stored through SSL.

    Or you use encrypted mail, like PGP.
    Gerhard Fiedler Guest

  3. #3

    Re: Credit card security question

    "Ian.H" <ianWINDOZEdigiserv.net> wrote in message
    news:pan.2003.10.02.10.36.54.437892hybris.digiser v.net...
    > On Thu, 02 Oct 2003 12:18:20 +0100, Treefrog wrote:
    >
    > > I just wondered how other people get CC details from the web server to the
    > > person who is debiting it. Is there an industry standard I don't know
    > > about?
    >
    >
    > Yup.. a "gateway" =)
    >
    > See the likes of Worldpay etc and how it's done through them.. you _never_
    > store the details yourself on your server for obvious reasons.
    Thanks for the reply Ian but I don't want to use a third party.
    I, or rather my customers, will not be connected to the net 24/7. They will
    dial up a few times a day and collect the orders from the server. I presumed
    that many other companies work this way but wanted to know how they get
    around the security issue.

    I was thinking encrypt an email containing the orders and ship it across to
    a VB program on the end machine where they would be decrypted. This is
    obviously a total hassle for me to code, is there another way?


    Treefrog Guest

  4. #4

    Re: Credit card security question

    You would require a payment gateway, but there are 2 types.

    1) Like worldpay, transactions are processed and verified by them. They
    receive the money and forward it to your bank account. For this, they charge
    you a fixed monthly fee, and a percentage of the transaction value.

    2) Transactions are processed and verified by the gateway which then directs
    the funds straight to your merchant account. They too charge a fixed fee and
    a transaction percentage, but this is lower as you are handling your own
    banking (including account fees). Certain gateways work with specific banks,
    some of which aren't multi-currency.

    Most of the transaction processing is done via a link to the gateway
    website. Some gateways allow you to customise the forms used on their site,
    which would enable the transaction process to appear as if it was part of
    your website.

    Some charge additional fees for anti-fraud services too, so shop around.
    Something like worldpay is an all singing, all dancing service, but for
    this, they strip you of your profit margin.

    Here are some gateways for you to check out: -

    [url]http://www.cybersource.com/home.html[/url]
    [url]http://www.secpay.com/[/url]
    [url]http://www.datacash.com/[/url]

    Antony Booth

    "Treefrog" <treefrogmountainbikes.co.uk> wrote in message
    news:3f7bfb5c$1news.1anetworks.net...
    > Hi all,
    >
    > I need some advice although it's not strictly PHP related. What is the
    > preferred method to get credit cards off a web server in an online shop
    > scenario? I can think of -and have used- a few email based methods but they
    > kind of negate the reason for having SSL.
    >
    > I just wondered how other people get CC details from the web server to the
    > person who is debiting it. Is there an industry standard I don't know about?
    >
    >
    > Thanks,
    >
    > Nathan
    >
    >

    Antony Booth Guest

  5. #5

    Re: Credit card security question

    I apologise to everyone, I should have made clear that I don't want to use a
    third party gateway. Thanks for your replies though.
    I have the facilities to debit credit cards, and don't see why I should give
    away any profit just to let somebody take care of it for me.

    How do the rest of us non-gateway people do it?

    Thanks,

    Nathan


    Treefrog Guest

  6. #6

    Re: Credit card security question

    You would have to process the payment by storing the transaction on a
    database or an email account for manual processing. You should make sure the
    transaction details are entered via an ssl connection and any data stored or
    transmitted should be encrypted. Legally, you may be responsible for
    confidential data you transmit from your server to a data processing
    recipient. Storing customer credit card details has a high risk of 3rd party
    fraud.

    Isn't your existing service costing you money? 2% per transaction maybe? If
    so, you could do all your credit card transactions via a web based gateway.
    A card swipe reader attached to a PC as an input device to a secure php
    page. This would also make transaction processing possible from anywhere.

    Antony Booth

    "Treefrog" <treefrogmountainbikes.co.uk> wrote in message
    news:3f7c0de5$1news.1anetworks.net...
    > I apologise to everyone, I should have made clear that I don't want to use a
    > third party gateway. Thanks for your replies though.
    > I have the facilities to debit credit cards, and don't see why I should give
    > away any profit just to let somebody take care of it for me.
    >
    > How do the rest of us non-gateway people do it?
    >
    > Thanks,
    >
    > Nathan
    >
    >

    Antony Booth Guest
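
The advice in replies #2 and #6 (encrypt whatever is stored on or mailed from the server), as an added example that is not part of the original thread. It uses libsodium sealed boxes in place of the PGP mentioned in #2, so the web server holds only a public key and cannot read the orders it has stored; the function names, field names and sample order are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Needs PHP 7.3+ with the sodium extension.

// Web server side: seal one order with the merchant's PUBLIC key only.
function seal_order(array $order, string $publicKey): string
{
    $plaintext = json_encode($order, JSON_THROW_ON_ERROR);
    // Sealed box: ephemeral X25519 key + XSalsa20-Poly1305, sender keeps no secret.
    return base64_encode(sodium_crypto_box_seal($plaintext, $publicKey));
}

// Merchant PC side: open a collected blob with the offline key pair.
function open_order(string $blob, string $keypair): array
{
    $sealed = base64_decode($blob, true);
    if ($sealed === false) {
        throw new RuntimeException('blob is not valid base64');
    }
    $plaintext = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plaintext === false) {
        throw new RuntimeException('blob was altered or sealed for another key');
    }
    return json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
}

// One-time setup on the merchant PC; only $publicKey is uploaded to the server.
$keypair   = sodium_crypto_box_keypair();
$publicKey = sodium_crypto_box_publickey($keypair);

// Constructed sample order (4111... is a well-known test number, not a real card).
$order = ['order_id' => 1001, 'pan' => '4111111111111111', 'expiry' => '12/05'];

$blob = seal_order($order, $publicKey);   // store in the DB or mail this string
echo "stored on server: ", substr($blob, 0, 32), "...\n";

$opened = open_order($blob, $keypair);    // runs after the dial-up collection
echo "opened offline:   order ", $opened['order_id'], "\n";

// A blob modified in storage or transit fails authentication instead of decrypting.
$raw = base64_decode($blob, true);
$raw[40] = chr(ord($raw[40]) ^ 1);  // flip one bit of the ciphertext
try {
    open_order(base64_encode($raw), $keypair);
} catch (RuntimeException $e) {
    echo "tampered blob:    ", $e->getMessage(), "\n";
}
```

Both sides run in one script here so it executes offline; in a deployment the key pair is generated once and saved on the merchant PC, and the server is given the public key alone.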

  7. #7

    Re: Credit card security question

    You may find that you are breaching your bank's T&Cs by taking payments in
    this way.

    However a few years ago we were just taking the CC details and storing them
    in a database (preferably on a separate machine, behind a firewall). You can
    just do an SSL connection and call the data back through to your browser.
    It's not difficult to do, just standard PHP/MySQL stuff.



    "Treefrog" <treefrogmountainbikes.co.uk> wrote in message
    news:3f7c0de5$1news.1anetworks.net...
    > I apologise to everyone, I should have made clear that I don't want to use a
    > third party gateway. Thanks for your replies though.
    > I have the facilities to debit credit cards, and don't see why I should give
    > away any profit just to let somebody take care of it for me.
    >
    > How do the rest of us non-gateway people do it?
    >
    > Thanks,
    >
    > Nathan
    >
    >

    nigel Guest

  8. #8

    Re: Credit card security question

    What do people here think about the idea of keeping half of the cc number
    in the database and emailing the other half to the admin/processor? I read
    that as a suggestion somewhere. Is there a substantial security improvement
    in doing it this way (ie not storing the whole number in one place)?
    renster Guest
