Credit card security question

[Treefrog]

Hi all,

I need some advice although it's not scrictly PHP related. What is the
prefered method to get credit cards off a web server in an online shop
scenario? I can think of -and have used- a few email based methods but they
kind of negate the reason for having SSL.

I just wondered how other people get CC details from the web server to the
person who is debiting it. Is there an industry standard I don't know about?


Thanks,

Nathan

[Gerhard Fiedler]

On Thu, 2 Oct 2003 11:18:20 +0100, Treefrog wrote:

>I need some advice although it's not scrictly PHP related. What is the
>prefered method to get credit cards off a web server in an online shop
>scenario? I can think of -and have used- a few email based methods but they
>kind of negate the reason for having SSL.
>
>I just wondered how other people get CC details from the web server to the
>person who is debiting it. Is there an industry standard I don't know about?

I think the "industry standard" is to not send CC details by mail, or
to use encrypted mail.

The person who is debiting the amounts could access the server where
the CC details are stored through SSL.

Or you use encrypted mail, like PGP.

[Treefrog]

"Ian.H" <ian@WINDOZEdigiserv.net> wrote in message
news:pan.2003.10.02.10.36.54.437892@hybris.digiser v.net...

> On Thu, 02 Oct 2003 12:18:20 +0100, Treefrog wrote:
>

> > I just wondered how other people get CC details from the web server to

the

> > person who is debiting it. Is there an industry standard I don't know
> > about?

>
>
> Yup.. a "gateway" =)
>
> See the likes of Worldpay etc and how it's done through them.. you _never_
> store the details yourself on your server for obvious reasons.

Thanks for the reply Ian but I don't want to use a third party.
I, or rather my customers, will not be connected to the net 24/7. They will
dial up a few times a day and collect the orders from the server. I presumed
that many other companies work this way but wanted to know how they get
around the security issue.

I was thinking encrypt an email containing the orders and ship it accross to
a VB program on the end machine where they would be decrypted. This is
obviously a total hassle for me to code, is their another way?

[Antony Booth]

You would require a payment gateway, but there are 2 types.

1) Like worldpay, transactions are processed and verified by them. They
receive the money and forward it to your bank account. For this, they charge
you a fixed monthly fee, and a percentage of the transaction value.

2)Transactions are processed and verified by the gateway which then directs
the funds straight to your merchant account. They too charge a fixed fee and
a transaction percentage, but this is lower as you are handling your own
banking (including account fees). Certain gateways work with specific banks,
some of which aren't muti-currency.

Most of the transaction processing is done via a link to the gateway
website. Some gateways allow you to customise the forms used on their site,
which would enable the transaction process to appear as if it was part of
your website.

Some charge additional fees for anti-fraud services too, so shop around.
Something like worldpay is an all singing, all dancing service, but for
this, they strip you of your profit margin.

Here are some gateways for you to check out: -

[url]http://www.cybersource.com/home.html[/url]
[url]http://www.secpay.com/[/url]
[url]http://www.datacash.com/[/url]

Antony Booth

"Treefrog" <treefrog@mountainbikes.co.uk> wrote in message
news:3f7bfb5c$1@news.1anetworks.net...

> Hi all,
>
> I need some advice although it's not scrictly PHP related. What is the
> prefered method to get credit cards off a web server in an online shop
> scenario? I can think of -and have used- a few email based methods but

they

> kind of negate the reason for having SSL.
>
> I just wondered how other people get CC details from the web server to the
> person who is debiting it. Is there an industry standard I don't know

about?

>
>
> Thanks,
>
> Nathan
>
>

[Treefrog]

I apologise to everyone, I should of made clear that I don't want to use a
third party gateway. Thanks for your replies though.
I have the facilities to debit credit cards, and don't see why I should give
away any profit just to let somebody take care of it for me.

How do the rest of us non-gateway people do it?

Thanks,

Nathan

[Antony Booth]

You would have to process the payment by storing the transaction on a
database or an email account for manual processing. You should make sure the
transaction details are entered via an ssl connection and any data stored or
transmitted should be encrypted. Legally, you may be responsible for
confidential data you transmit from your server to a data processing
recipient. Storing customer credit card details has a high risk of 3rd party
fraud.

Isn't your existing service costing you money? 2% per transaction maybe? If
so, you could do all your credit card transactions via a web based gateway.
A card swipe reader attached to a PC as an input device to a secure php
page. This would also make transaction processing possible from anywhere.

Antony Booth

"Treefrog" <treefrog@mountainbikes.co.uk> wrote in message
news:3f7c0de5$1@news.1anetworks.net...

> I apologise to everyone, I should of made clear that I don't want to use a
> third party gateway. Thanks for your replies though.
> I have the facilities to debit credit cards, and don't see why I should

give

> away any profit just to let somebody take care of it for me.
>
> How do the rest of us non-gateway people do it?
>
> Thanks,
>
> Nathan
>
>

[nigel]

You may find that you are breeching your banks T&C's by taking payments in
this way.

However a few years ago we were just taking the CC details and storing them
in a database (preferable on a seperate machine, behind a firewall). You can
just do an SSL connection and call the data back through to your browser.
Its not difficult to do, just standard PHP/MySQL stuff.



"Treefrog" <treefrog@mountainbikes.co.uk> wrote in message
news:3f7c0de5$1@news.1anetworks.net...

> I apologise to everyone, I should of made clear that I don't want to use a
> third party gateway. Thanks for your replies though.
> I have the facilities to debit credit cards, and don't see why I should

give

> away any profit just to let somebody take care of it for me.
>
> How do the rest of us non-gateway people do it?
>
> Thanks,
>
> Nathan
>
>

[renster]

What do people here think about the idea of keeping half of the cc number
in the database and emailing the other half to the admin/processor? I read
that as a suggestion somewhere. Is there a substantial security improvement
in doing it this way (ie not storing the whole number in one place)?