Page 1 of 2 (results 1 to 25 of 31)
  1. #1
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Securely Sending Credit Card Information

    Hi all, I'm building an online store for my work. We don't want any payment to be taken online, but rather their details to be sent to us and we'll charge the card on dispatch, as many of our products are out of stock or unavailable. We can't have a stock management system; my boss thinks it's a waste of time.

    So basically I'm just looking for some information on the best and most secure way of handling people's card details.

  2. #2
    SitePoint Guru
    Join Date
    Aug 2009
    Posts
    669
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, rule out email straight away, and storing C/Cards in any form of database will just make you a target for hackers. That is unless you have super resources for an IT dept. Amazon do this, but look at the resources they have. Somehow I don't think your company does, or you wouldn't be here asking us because you'd have an office full of IT comrades to discuss this with.

    In short, unless you process the payment in real time there isn't much you can do. Storing people's card details is a BAD IDEA and will simply cause you a legal minefield. You'll also then need to make sure you comply with various data protection laws etc.
    I'll do anything to avoid working on my own code

    Are you using: if (isset($_POST['submit'])) ?
    IE has a bug and does not always send the value.

  3. #3
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Best and most secure way? Don't.

    I'm not being a smart-ass either, meeting the legal requirements to hold someone's credit card details are beyond most organisations.

    A quick search for PCI DSS should be enough to scare you (and your boss) out of it.

    If you must, use a third party to manage the payments for you.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  4. #4
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Take a look at SagePay's Token system; it allows you to store the card holder's details securely, then (optionally) process the payment at a later date.

  5. #5
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey chaps, thanks for your messages. I know for sure now that there is no way I'll have anything to do with credit card storage, it's just too risky. Anthony, I looked at your link; that could well be the direction we decide to head, it makes a lot of sense and would be ideal for what we're needing it for. Is it hard to implement/connect to?

  6. #6
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    I'm sure you'll manage it just fine, it has been around long enough to find help from others. Either way, you know where I am if you need me.

  7. #7
    SitePoint Wizard Wolf_22
    Join Date
    Jul 2005
    Posts
    1,710
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Sorry to interrupt you guys, but I have a question for Anthony about this "SagePay's Token System"...

    I assume you've used that thing before, Anthony? If so, does it make the online payment experience more streamlined? In other words, we all know what it's like to pay for something online: we add something to our cart and then suddenly get whisked away to some PayPal login or something from Yahoo, eBay, etc., where the actual payment processing begins...

    Does that thing you suggest eliminate this inconvenience and provide for the said mom-and-pop website owner to process everything right there and then on their website?

  8. #8
    SitePoint Wizard lorenw
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,099
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    My understanding of the token system is: you make a payment and the card is processed by the gateway provider. If the payment will be recurring, such as a monthly fee, you can request a token from the gateway provider which will act like a credit card, so you can process payments every month using the token.
    What I lack in acuracy I make up for in misteaks

  9. #9
    SitePoint Wizard TheRedDevil
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,196
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    In these situations we recommend Authorize.net CIM for our customers. This allows you to set up a system where you allow your customers to set up credit card and shipment profiles.

    Since Authorize.net takes care of the PCI compliance aspect, all you need to do is implement their API and you're good to go.

    In general, since an example with Amazon was provided above, this would allow you to provide a system similar to how they allow you to store credit cards for future purchases.

  10. #10
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi dude, thanks for the message, very helpful. Further to this thread, I've just discovered that my boss does not want to use a Payment Gateway at all; he is not prepared to pay the fees/percentage. We have a card terminal here and he wants us to manually enter their details to incur no extra costs.

    Any ideas what the best way forward for this would be?

  11. #11
    SitePoint Wizard Stormrider
    Join Date
    Sep 2006
    Location
    Nottingham, UK
    Posts
    3,133
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    SagePay is very easy to integrate with, I've done it a few times too.

    coxdabd: I believe your options are
    - Use a payment gateway (£20 / mo)
    - Comply with the PCI DSS requirements yourselves
    - Process the cards yourselves without meeting the PCI requirements and face potential fines of £10k+

  12. #12
    SitePoint Wizard Stormrider
    Join Date
    Sep 2006
    Location
    Nottingham, UK
    Posts
    3,133
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    https://www.pcisecuritystandards.org.../pa-dss_v2.pdf

    Page 17 is where the list of requirements start

  13. #13
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey bud, I'm not keen on the idea at all. We do need to use a Payment Gateway, and SagePay seems the best way forward; there is always PayPal, but I have never used them before, and I think SagePay is slightly more 'classy' from what I've heard. Just hoping I'll be able to integrate it OK, can't be too difficult I guess. Thanks for the reply.

  14. #14
    SitePoint Guru
    Join Date
    Aug 2009
    Posts
    669
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by coxdabd View Post
    Hi dude, thanks for the message, very helpful. Further to this thread, I've just discovered that my boss does not want to use a Payment Gateway at all; he is not prepared to pay the fees/percentage. We have a card terminal here and he wants us to manually enter their details to incur no extra costs.

    Any ideas what the best way forward for this would be?
    Point him to this thread and then suggest he looks into the legalities?

  15. #15
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Wow.

    Do your research and put a concise case forward for using a gateway; what your boss is asking you to do is illegal. I would guess that if your boss doesn't want to pay the rather small (in comparison) charges for the gateway, they will not be willing to invest in the systems required to become PCI compliant.

    It's a tough one, but I'd certainly be wary about your personal liability in this endeavour.

  16. #16
    SitePoint Wizard Karl
    Join Date
    Jul 1999
    Location
    Derbyshire, UK
    Posts
    4,411
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you've already got your own merchant account, then the gateway fees are not a lot. WorldPay (whom I'd pick over SagePay - stream of issues since they started out as Protx years ago), for example, is £20 per month for something like 1000 transactions, off the top of my head. So that's 2p per transaction. You can do a pre-auth for the full amount, then just authorise the amount you'll be charging (once you know what is in stock) and release the rest.

    As an aside, not having real-time stock levels or reserved stock for the website is going to create a really bad customer experience. It's certainly no way to drive repeat custom.

    Thanks,
    Karl Austin :: Profile :: KDA Web Services Ltd.
    Business Web Hosting :: Managed Dedicated Hosting
    Call 0800 542 9764 today and ask how we can help your business grow.
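    The token model lorenw describes in #8 and the pre-auth/partial-capture flow Karl describes above are easier to reason about with the two sides written out. The following is an added example, not code from the thread and not the real API of SagePay, WorldPay or Authorize.net: a hypothetical ToyGateway stands in for the hosted vault, the merchant functions show the only card-related fields the shop's own database ever holds, and find_pans() is the Luhn-based check a developer can run over a database dump, a log file or a mailbox to confirm that no card number (PAN) has leaked into merchant-side storage, which is the concern raised in #2. The card number used is the standard "4111 1111 1111 1111" test number; amounts are in pence.

```python
"""Added example: toy tokenising gateway + merchant flow + PAN leak scanner.

Not any real gateway's API; names and behaviour are assumptions for
illustration. The gateway keeps the PAN, the merchant keeps only an
opaque token and the last four digits, the full basket is authorised at
checkout and a smaller amount is captured on dispatch.
"""
import base64
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by the card schemes; True for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ToyGateway:
    """Hypothetical hosted vault; the merchant never reads these dicts."""
    _vault: dict = field(default_factory=dict)   # token -> PAN
    _auths: dict = field(default_factory=dict)   # auth_id -> {token, amount, state}

    def tokenize(self, pan: str) -> dict:
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("malformed PAN")
        # Random base32 token: not derived from the PAN, and never a run of digits.
        token = "tok_" + base64.b32encode(secrets.token_bytes(15)).decode()
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def authorise(self, token: str, amount_pence: int) -> str:
        """Pre-auth: reserve funds against the stored card, take nothing yet."""
        if token not in self._vault:
            raise KeyError("unknown token")
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = {"token": token, "amount": amount_pence, "state": "open"}
        return auth_id

    def capture(self, auth_id: str, amount_pence: int) -> int:
        """Settle up to the authorised amount; returns the pence released."""
        a = self._auths[auth_id]
        if a["state"] != "open":
            raise ValueError("authorisation already settled")
        if amount_pence > a["amount"]:
            raise ValueError("capture exceeds authorisation")
        a["state"] = "captured"
        return a["amount"] - amount_pence


def place_order(gw: ToyGateway, pan: str, basket_pence: int) -> dict:
    """Checkout: the PAN goes straight to the gateway; the shop keeps the token."""
    card = gw.tokenize(pan)
    auth_id = gw.authorise(card["token"], basket_pence)
    # This dict is everything card-related the merchant database stores.
    return {"token": card["token"], "last4": card["last4"],
            "auth_id": auth_id, "authorised_pence": basket_pence}


def dispatch(gw: ToyGateway, order: dict, shipped_pence: int) -> dict:
    """Dispatch: capture only what was in stock; the remainder is released."""
    released = gw.capture(order["auth_id"], shipped_pence)
    order["captured_pence"] = shipped_pence
    order["released_pence"] = released
    return order


# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in any merchant-side artefact."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    gw = ToyGateway()
    test_pan = "4111 1111 1111 1111"            # constructed: standard test number
    order = place_order(gw, test_pan, 12_000)   # basket £120.00
    dispatch(gw, order, 7_500)                  # only £75.00 worth was in stock
    print(order)
    print("PANs in merchant record:", find_pans(repr(order)))
    print("PANs in a pasted email:", find_pans("customer sent 4111-1111-1111-1111"))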

  17. #17
    Keep Moving Forward
    Shaun(OfTheDead)
    Join Date
    Nov 2005
    Location
    Trinidad
    Posts
    3,746
    Mentioned
    45 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Stormrider
    SagePay is very easy to integrate with, I've done it a few times too.
    Could you do me a huge favour and PM me one or two of the sites you've integrated it on?

    I'd like to see how it fits for myself, because processing payment is a big challenge for me too.

    Trying to fill the unforgiving minute
    with sixty seconds' worth of distance run.


  18. #18
    SitePoint Wizard
    Join Date
    Apr 2007
    Posts
    1,399
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    It sounds like your boss needs to be "educated" on why it's a good idea to have a stock management system and to use a third-party payment system.

    Clearly, he doesn't see this from an IT point of view and you need to convince him of that. Plus, he's already using a CC for his work... so he's already paying the percentage from that provider. I'm sure the online one is slightly more expensive, but it's not to a point he should care. Maybe the charge is from 2% to 3%.

    You should ask more clarifying questions like
    - Why do you think a management system is not needed? Have you used other ones? What didn't you like or hate?
    - By using a trusted 3rd party payment system, he'll have a better chance of getting new customers. Tell him, if your DB is ever hacked then your boss is liable for the damage. It has been done before with many major stores. He might be dealing with the FBI if it does happen. This will lose the integrity of your online store as well.

    I know it's tough to educate your boss or client, but you must do this!!!!! If everything goes to #$@%, guess who'll get the blame?

  19. #19
    SitePoint Wizard
    Join Date
    Apr 2007
    Posts
    1,399
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AnthonySterling View Post
    Wow.

    Do your research and put a concise case forward for using a gateway; what your boss is asking you to do is illegal. I would guess that if your boss doesn't want to pay the rather small (in comparison) charges for the gateway, they will not be willing to invest in the systems required to become PCI compliant.

    It's a tough one, but I'd certainly be wary about your personal liability in this endeavour.
    I don't think it's illegal. I've had many mail payments that have a CC form with a reply address. But you're right about the second half... he's being a cheap @ss.

  20. #20
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by sg707 View Post
    I don't think it's illegal. I've had many mail payments that have a CC form with a reply address. But you're right about the second half... he's being a cheap @ss.
    It is illegal if you're not PCI compliant.

  21. #21
    SitePoint Wizard Wolf_22
    Join Date
    Jul 2005
    Posts
    1,710
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AnthonySterling View Post
    It is illegal if you're not PCI compliant.
    Yep, it is. My employer told me all about it... The computer that stores the numbers has about 20 video cameras all pointed at it, and it's all due to the PCI requirements (which are very expensive, by the way).

  22. #22
    SitePoint Wizard
    Join Date
    Apr 2007
    Posts
    1,399
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AnthonySterling View Post
    It is illegal if you're not PCI compliant.
    That's very interesting! Also learned a new acronym.

  23. #23
    SitePoint Wizard
    Join Date
    Dec 2003
    Location
    USA
    Posts
    2,582
    Mentioned
    29 Post(s)
    Tagged
    0 Thread(s)
    My personal opinion: don't (like many others).

    It's best to use a third-party solution. This way, you get the benefits of stored credit cards, but none of the liability. It costs, but it's definitely worth it.

    One hacked computer storing credit card numbers is enough to wipe even a medium-sized company off the map, because of all the legal fees, lawsuits, etc.

  24. #24
    I solve practical problems.
    Michael Morris
    Join Date
    Jan 2008
    Location
    Knoxville TN
    Posts
    2,026
    Mentioned
    64 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by coxdabd View Post
    Hi dude, thanks for the message, very helpful. Further to this thread, I've just discovered that my boss does not want to use a Payment Gateway at all; he is not prepared to pay the fees/percentage. We have a card terminal here and he wants us to manually enter their details to incur no extra costs.

    Any ideas what the best way forward for this would be?
    Find another boss as soon as possible. My experience with people with that sort of attitude is that the moment you try to educate them as to the error of their approach they get angry and/or defensive. It just isn't worth the stress of dealing with them. Find another job - 'cause I'm pretty certain better is out there.

    But to underline the point everyone else is pointing to - if you are caught storing credit card numbers in a non-authenticated system the fine is $500,000 PER NUMBER.

  25. #25
    Programming Since 1978 felgall
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by sg707 View Post
    I don't think it's illegal. I've had many mail payments that has a CC form with a reply address.
    For payments through regular mail there is no issue until you get to where you want to enter it into a computer - the computer you enter it into would need to be PCI compliant.

    For payments by email every single computer the email passes through would need to be PCI compliant - and since that would include millions of different computers around the world and since being PCI compliant would prevent the computer being used as a mail server and so unable to receive the email in the first place - emailing of credit card numbers is always illegal.

    The cheap solution is to use a third party service for handling credit cards. The middle of the range solution as far as cost is concerned is to become PCI compliant. The expensive option is to not do either of the others and end up with a humongous fine.

    If you process credit card numbers without being PCI compliant then it is just about certain that others will be able to obtain the numbers at some point. It's hard enough keeping them safe when the computer they're on is PCI compliant.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

