  1. #1
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    87

    Delayed Transactions - CC Number Storage?

    Hello. I've built a few shopping carts and online stores, but have a new (to me) issue with one of my clients. He wants to have an online store, but doesn't want to have the transactions processed immediately because...

    He wants to sell items from his site from a lot of different vendors, and wants them each to handle their own credit card transactions, so, instead of running the cards when they're ordered, he wants the credit card and order information stored in a database and later retrieved by his vendors to send the transactions through and complete the orders.

    At this point, I'm thinking there's no good answer to that, but I'm open to any suggestions - or, what have other people done in similar situations? I can't think of a scenario that would make the credit card storage and retrieval secure enough without just going immediately through a gateway, but well, ? Thanks in advance.

    For what it's worth, I'm using PHP and MySQL.
    Nate Baldwin
    mindpalette.com

  2. #2
    SitePoint Wizard silver trophy
    beley's Avatar
    Join Date
    May 2001
    Location
    LaGrange, Georgia
    Posts
    6,117
    I personally think that's an awful setup, I would never trust multiple vendors with my customers' credit card numbers. There's bound to be a mixup or intentional problem... which could be a legal nightmare for your client.

    Security has to be your main concern... even the best programmers write code with security holes. You would have to write a system that used encryption and authentication to make sure that the vendors only had access to customer information for the customers that ordered their products...

    And storing cc numbers on a web server is a bad, bad, bad idea. They can all be hacked. It's just a matter of time and resources. Amazon and other big guys have teams of IT guys that try to head off attacks before they happen. They're constantly looking at code and checking logs to be sure no one is even getting close. It's much harder for us small guys to do that kind of thing.

    I would strongly recommend trying to find a workaround for your client. Maybe use a third party processor and let him just distribute the money himself? I'm not sure... maybe someone else will have some good suggestions.

  3. #3
    Texan at Heart Corey Bryant's Avatar
    Join Date
    Sep 2003
    Location
    Castle Rock, CO
    Posts
    2,491
    There is one option that you might consider. Do all of these vendors have merchant accounts and are they internet accounts? If the answer is yes, you might consider a multi-store website.

    We actually are working on an ASP version right now. The site owner has "booths" owned by members throughout the US. Wherever the consumer is, taxes & shipping are calculated for each product. And then it does go thru one merchant account right now (hers) and she distributes the money. (Yes this might be considered factoring but her business plan is set up differently to take this into consideration.) If it is a PayPal account, the members have their own & the money goes right into their PayPal account.

    If you do do something like your client wants, you have to have on the payment page, that this is being charged to abc.com. And then if they order something from xyz.com, that it is being charged to xyz.com. This will not stop a lot of charge backs because your consumer is on abcxyz.com & expecting their CC bill to show as such.

    osCommerce has some contributions for a multi-store - you might check that out to see if you could tweak the code for each vendor, assuming he does not have 500 vendors. That might get a little nerve-wracking.

  4. #4
    Serial Publisher silver trophy aspen's Avatar
    Join Date
    Aug 1999
    Location
    East Lansing, MI USA
    Posts
    12,939
    It's necessary to store credit card numbers somewhere. Authorize.net stores the last 4 digits for me, so I store the first 12. It's a little bit more work, but safer I think.

    Encryption, I'm not sure that'd be that effective. So you tell your shopping cart to encrypt the numbers, the key has to be in the shopping cart script. If someone breaks in they could find that key and then your encryption is meaningless.

    The only thing I could think of would be to use a PGP type setup and then every time you login you'd need to input your private key to decrypt the numbers.
    Chris Beasley - I publish content and ecommerce sites.
    Featured Article: Free Comprehensive SEO Guide
    My Guide to Building a Successful Website
    My Blog|My Webmaster Forums
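
Added example, not part of any post in this thread: the "PGP type setup" from post #4, combined with the per-vendor access restriction raised in post #2, sketched in the PHP the original poster uses. It assumes PHP 7.2+ with the bundled sodium extension; the function names, the two vendors and the test card data are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function and vendor names are hypothetical.
// Requires PHP 7.2+ with the bundled sodium extension.

// Done once per vendor, on the vendor's own machine. Only the public key
// is uploaded to the store; the full keypair stays offline with the vendor.
function vendor_generate_keypair(): array {
    $keypair = sodium_crypto_box_keypair();
    return [
        'keypair' => $keypair,
        'public'  => sodium_crypto_box_publickey($keypair),
    ];
}

// Runs on the web server at checkout. The server holds public keys only,
// so reading the cart script or the database yields no decryption key.
function store_encrypt_for_vendor(string $cardData, string $vendorPublicKey): string {
    return base64_encode(sodium_crypto_box_seal($cardData, $vendorPublicKey));
}

// Runs on the vendor's machine after it downloads its own order rows.
// Returns null if the row was sealed to another vendor's key or was altered.
function vendor_decrypt(string $stored, string $vendorKeypair): ?string {
    $cipher = base64_decode($stored, true);
    if ($cipher === false) {
        return null;
    }
    $plain = sodium_crypto_box_seal_open($cipher, $vendorKeypair);
    return $plain === false ? null : $plain;
}

// Constructed sample data: two vendors and a standard test card number.
$vendorA = vendor_generate_keypair();
$vendorB = vendor_generate_keypair();
$order   = json_encode(['pan' => '4111111111111111', 'exp' => '12/30']);

// What the store would write to MySQL for an order of vendor A's product.
$row = store_encrypt_for_vendor($order, $vendorA['public']);

// Vendor A recovers its order; vendor B gets null for the same row.
var_dump(vendor_decrypt($row, $vendorA['keypair']) === $order);
var_dump(vendor_decrypt($row, $vendorB['keypair']));
```

The card data is still in plaintext in the web server's memory at checkout, so this protects stored rows only, not a server that is compromised while orders are being taken.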

  5. #5
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    87
    Thanks all for the feedback. I don't think the client is very insistent on this anymore. My reply was that I didn't want to be involved in storing credit card information in any kind of database, so I'll probably come up with some other store scenario that would work for his multiple vendors. I doubt there will be a magic answer since not all his vendors have merchant accounts, but we'll see what we come up with...

    I guess my question was more of an "anybody else run into this and find a good multi-vendor system" than "how do I store credit card info" since that's not even an option.
    Nate Baldwin
    mindpalette.com

