Thread: Shopping Cart

  1. #1
    SitePoint Zealot

    Shopping Cart

    I'm in the process of creating a shopping cart that is using the PayPal API. My question is this. When the user enters their credit card, I take them to a Review Order page where they have one last chance to back out or change something. I now have their credit card, do I 1. store it in a session until the user completes the transaction, or 2. place it in a hidden field on the order summary page, then get the POST data again so I'm not storing the credit card anywhere, or 3. encrypt it in the session somehow, or 4. some other way?

    Thanks,

  2. #2
    Dan Grossman
    I'm going to vote for #2 -- the hidden field. The reality is that if you throw it in a session, encrypted or otherwise, you're storing it as a file on your server, and I don't believe the PCI data security standard permits storage of credit card data on any internet-facing system.

    The hidden field presents no security concerns I can think of -- it's sent back with the same SSL encryption used when it was first sent by the user, and they typed it in clear text to send it to you so its clear text presence in the HTML is no less secured. You can encrypt the field if you wish as long as you use a decryptable algorithm and not a hash or something else 1-way.
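    Added example, not code from this thread: a hidden field travels through the browser, so before charging the card the server should check that the value posted back is the one it rendered on the review page and that the review step has not gone stale. The sketch below seals the review fields with an HMAC-SHA256 tag and a timestamp; the key, the TTL and the sample card number are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-example-key-not-for-production"
REVIEW_TTL_SECONDS = 600  # constructed: the review page must be submitted within 10 minutes
TAG_LEN = 32              # SHA-256 digest length


def seal_review_fields(fields, now=None):
    """Pack the review-page fields plus a timestamp and append an HMAC tag.

    The result goes into the hidden form field. It is not encrypted (the card
    is still plaintext inside the token, protected only by TLS in transit), but
    any edit to it by the client is detected when it comes back.
    """
    ts = int(now if now is not None else time.time())
    payload = json.dumps({"fields": fields, "ts": ts},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def open_review_fields(token, now=None):
    """Verify the posted hidden field; raise ValueError on tamper or expiry."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        raise ValueError("malformed hidden field")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time compare; a mismatch means the client altered the field.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field was altered")
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current - data["ts"] > REVIEW_TTL_SECONDS:
        raise ValueError("review page expired; collect the card again")
    return data["fields"]
```

The tag stops a client from swapping in a different card number or replaying an old review page; it does not hide the number from the person who typed it, which is the point Dan makes above.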

  3. #3
    SitePoint Zealot
    Thanks Dan. I'm on your side. This is how I want to do it, and you are awesome for addressing my concern of passing the cc back to the client after they submitted it to me. The only way I could justify the session way is if the timeout for the session wasn't very long, but hey, I don't want to have any trace of a cc on my system at all.
