  1. #1
    SitePoint Addict Phil-man's Avatar
    Join Date
    Nov 2000
    Posts
    291
    Hi:

    I couldn't get any helpful answers from PGP/McAfee, so here I am...

    I'm building a small, low-traffic e-commerce site for a client. We're doing a simple shopping cart application using PHP and MySQL on a Unix server. My client already has a merchant account (they're a "brick and mortar" retail store), and they just want to manually process credit card transactions, at least until/unless they get a lot of volume, which we don't expect to happen. In other words, as far as I can tell, everything is in place, including a secure server, except how to securely e-mail (or otherwise transmit) the order information from the web server to my client's PC.

    Everything seems to point to PGP for accomplishing this, although I'm open to other inexpensive (very inexpensive) solutions. So here are my questions:

    1) What PGP software do I need to accomplish this basic task? Personal Privacy?
    2) Do I have to buy two identical copies of the software, one to install on the web server and one to install on my client's PC? Or does one software package handle both ends? Or are there two separate software packages for installation on the web server and on the client's PC?
    3) I assume PGP will run on a Unix server, correct?
    4) Any idea what Personal Privacy v.6.5.8 has that v.6.5.3 doesn't have (assuming Personal Privacy is the right software)?

    I would greatly appreciate some expert input on this. Thanks!

  2. #2
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    Hi Phil,

    The secure server will encrypt the order contents till it arrives at your client's PC. I'm assuming you do have a secure certificate from either VeriSign or Thawte, correct? If so, that's all you need. If you don't have your own secure certificate then between the two companies I listed above I'd personally choose VeriSign (even though they do now own Thawte). They seem to be much more helpful. But from your post, it seems you already have a secure way to transact orders, if so that's all you need.

    PGPMail is good for sending information you want encrypted from your computer to another person's computer. Whereas a secure certificate secures from the web server to the order form recipient's e-mail inbox (or in other words...their computer).

    Also, did you purchase the secure certificate for the client's domain or are you using what the web host is offering? Reason I'm asking is because if you're using your web host's secure certificate on the client's domain some people's browsers will get a warning message that will scare away potential customers. I don't exactly remember the message, something to the effect of "This certificate doesn't match, and illegal practices may be undergoing." Something like that, but I do know it'll scare away people in a flash. Your best bet is to get your own secure certificate from VeriSign (http://www.verisign.com).

    If you'd rather not, ask their web host if they can give you a page to place the order page on through the web host's domain. Something like: https://www.hostdomain.com/user-id/order.htm They might be able to do that for you in which case you can place your secure order form and confirmation page on the host's domain and utilize their secure certificate without the fear of people getting warning messages.

    Oh yes, don't forget to make the confirmation page secure also, or the customer will get an error message saying the page they are about to encounter is not secure when clicking on the "submit their order" button.

    You mentioned that the client wants to do the credit card transactions manually through their retail merchant account. Be aware that Visa/MasterCard have started requiring that merchants indicate which orders were transacted online and which are retail (face-to-face). They are referred to as "E-commerce Indicators". Failure to indicate which are which can result in some heavy fines if Visa/MasterCard catch wind. It would be in your client's best interest to contact his/her merchant account provider (where they obtained their merchant account) for more information on the correct way of going about this. You will want to check to make sure their swipe terminals are up-to-date with the latest programming, etc. Their merchant account provider can fill you in about this more.

    I hope this information will help you in some way or fashion. If you have any other questions, Phil, just let me know!

    Warmest Regards,
    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance. Visit us at http://www.merchantseek.com
    Last edited by jconley2; Feb 21, 2001 at 13:33.

  3. #3
    SitePoint Addict Phil-man's Avatar
    Join Date
    Nov 2000
    Posts
    291
    Hmm... everything I've ever read about e-commerce and using a secure server states that the secure server only ensures security between the person placing the order and the web server, and that additional security is needed to securely transmit the order information via e-mail from the web server to the vendor's computer.

    That, of course, is contrary to what you're saying, unless I'm misunderstanding your post. Or unless you're referring to the vendor retrieving the order info from the web server in some other manner besides having it e-mailed.


  4. #4
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    Hummm...I went around and did some checking myself, you just might be right! I know it protects between browser and server, but nothing said about e-mail protection between server and client PC. I'm not up to speed on how easy it is to intercept e-mails once they've left the server. In this case I wonder how many others think the SSL protection on their server protects the e-mail from the server to the recipient's computer.

    Someone else's expertise on PGPMail will then have to respond to this one. This one's over my head, but I'll be looking into it for my own personal information.

    Warmest Regards,
    Jim Conley II
    CEO/Founder - MerchantSeek

  5. #5
    ********* Addict jaiem's Avatar
    Join Date
    Dec 2000
    Location
    New York, USA
    Posts
    1,006
    I've never known (or read about) anyone to have their contact or CC info stolen either during a
    secure order session (that is when connected to a secure order form) or from an intercepted email
    containing the info. I suppose it is a possibility. But in all the cases I've heard about when someone had
    their contact and/or CC info stolen it was from hackers getting into order files/databases stored on the
    web site's server.

    With this in mind, while PGP encryption won't hurt you may be making things more complicated for yourself
    and your client. As long as the order form is secure (or at least the part where they enter their CC
    info) and no billing info is stored online I think orders are pretty safe.
    Ocean View Host - Affordable web hosting plans for any business.
    Modern Technology, Old Fashioned Value & Service!
    U.S. Merchant Services - Reliable merchant account services for all business!
    Quality People Providing A Quality Service!
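
The server-to-vendor e-mail hop raised in posts #1 and #3, as an added example that is not code from any poster in this thread: a PHP function that encrypts the order to the merchant's OpenPGP public key before mailing it, so the web server never holds the private key and the message stays encrypted until it is opened on the merchant's PC. It assumes GnuPG (`gpg`, an OpenPGP implementation, swapped in here for the PGP product named in the thread) is installed on the server; the address, keyring path and order text are constructed placeholders.

```php
<?php
// Added example. Assumptions: `gpg` is on PATH, and the keyring in $gpgHome
// contains ONLY the merchant's public key (the private key lives on the merchant's PC).

function encrypt_for_merchant(string $plaintext, string $recipient, string $gpgHome): string
{
    // Array form of proc_open (PHP 7.4+) bypasses the shell, so no quoting issues.
    $cmd = [
        'gpg', '--homedir', $gpgHome,
        '--batch', '--no-tty', '--armor',
        '--trust-model', 'always',   // single-purpose keyring: skip trust prompts
        '--recipient', $recipient,
        '--encrypt',
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    // An order is a few hundred bytes, well under the pipe buffer size.
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $armored = stream_get_contents($pipes[1]);
    $errors  = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // Accept the result only if gpg succeeded and returned an armored message.
    if ($status !== 0 || strpos($armored, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg failed: ' . trim($errors));
    }
    return $armored;
}

// Constructed sample order; the plaintext is never written to disk or a database.
$order = "Order #1001\nName: Jane Example\nCard: 4111 1111 1111 1111 exp 01/30\n";
try {
    $body = encrypt_for_merchant($order, 'orders@example.com', '/home/shop/.gnupg-orders');
    // Keep the subject free of customer data; only the body is encrypted.
    mail('orders@example.com', 'New order #1001', $body);
} catch (RuntimeException $e) {
    error_log($e->getMessage());   // fail closed: never fall back to plaintext mail
}
```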

