  1. #1
    SitePoint Enthusiast
    Join Date
    May 2008
    Location
    IA
    Posts
    87
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Security for Credit Card submission via Form

    I have a client that received rental information via a form on their web site. It gets all the basic information and credit card to reserve the reservation on. What is the best and easiest way to secure the information?

    The client is extremely non-technical, anything beyond receiving an email is too much for her. She recently purchased an SSL through her host, Bluehost, and now wants the reservation and contact forms to be secure through it.

    The past hour of reading on here and elsewhere mainly recommends using a PHP database, PayPal, or some other shopping cart options. Like a lot of companies though, this one is struggling and can't spend more funds on this.

    Please give me suggestions, or how to integrate PayPal into the existing form would be great. Thanks.

  2. #2
    SitePoint Wizard silver trophy
    Join Date
    Aug 2003
    Location
    Southern California
    Posts
    4,686
    Mentioned
    19 Post(s)
    Tagged
    0 Thread(s)
    vmtech,

    It sounds like you need to customize an order process with a very simple cart that has a nice checkout process you can adjust. Depending on what's being booked (i.e. hotel rooms vs rental cars) there may be some scripts that come a step closer.

    What's essential here is that you understand you can not store credit card numbers (you aren't going to become PCI level 1 compliant for a customer worried about the cost of her cart), you can not email them, you can not put them in a database. Once they hit your payment provider that should be the last you see of them and any authorization of the charge should happen via confirming the authorization.

    PayPal integration for those that want to forgo traditional merchant accounts, or just offer an alternative, is very commonplace and of course easier for security as the transaction happens off-site (this can however impact conversion rates). Almost all shopping carts support PayPal and PayPal has its own simple ordering script which may suffice for a reservation -- the site would pass some critical details like the length of the visit, the property, whatever, and the user would do the rest on PayPal's payment form.
    - Ted S

  3. #3
    SitePoint Member
    Join Date
    Mar 2011
    Location
    Austin, TX
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think you need to go even simpler - think Wufoo for example. Hosted form, hosted solution. No matter what they have on their own server, if they have no technical skills if it gets hacked they are SOL.

    Bluehost also offers iPayment (it's on their cPanel BTW), which allows clients to accept payments online without needing to build out any code. Heck, you can even get a ShopSite cart through your Bluehost account.

  4. #4
    SitePoint Member
    Join Date
    Apr 2011
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    A credit card will not be denied if the address is entered wrong; it is up to the merchant to decide what to do if the address only matches partially or not at all. You can deny the sale, or require the buyer submit additional information, or give them the opportunity to correct the address information, before processing the transaction.

  5. #5
    SitePoint Wizard silver trophy
    Join Date
    Aug 2003
    Location
    Southern California
    Posts
    4,686
    Mentioned
    19 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by samdean View Post
    A credit card will not be denied if the address is entered wrong; it is up to the merchant to decide what to do if the address only matches partially or not at all. You can deny the sale, or require the buyer submit additional information, or give them the opportunity to correct the address information, before processing the transaction.
    How does that relate to the topic at hand? Are you suggesting they need a closer look at information before processing orders?
    - Ted S

  6. #6
    SitePoint Evangelist Fergal's Avatar
    Join Date
    Nov 2003
    Location
    Ireland
    Posts
    500
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Perhaps 2Checkout.com would be worth a look.
    Fergal Crawley (Previous Username: Proudirish.com)

  7. #7
    SitePoint Member
    Join Date
    Dec 2008
    Posts
    21
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by vmtech View Post
    I have a client that received rental information via a form on their web site. It gets all the basic information and credit card to reserve the reservation on. What is the best and easiest way to secure the information?

    The client is extremely non-technical, anything beyond receiving an email is too much for her. ....
    .
    Given the client is clueless, and has no money one possibility might be to simply store the data in a flat file after it's HTTPS collected, and write PHP code to encrypt/decrypt the flat files (with the right extra encryption module loaded in - your hoster may have it). An alternative to Paypal or the other DIY payment systems mentioned.

    I don't understand why people go into business but can't face spending a few hundred dollars on things like a decent payment or ordering system - even the free stuff like osCommerce is great for basic shopping. If she can't bear to spend a little on a site, I'd advise her to get out of the online component of her business for the time being and focus just on the 'real-world' side of things.

  8. #8
    SitePoint Wizard silver trophy
    Join Date
    Aug 2003
    Location
    Southern California
    Posts
    4,686
    Mentioned
    19 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by p2409 View Post
    Given the client is clueless, and has no money one possibility might be to simply store the data in a flat file after it's HTTPS collected, and write PHP code to encrypt/decrypt the flat files (with the right extra encryption module loaded in - your hoster may have it). An alternative to Paypal or the other DIY payment systems mentioned.

    I don't understand why people go into business but can't face spending a few hundred dollars on things like a decent payment or ordering system - even the free stuff like osCommerce is great for basic shopping. If she can't bear to spend a little on a site, I'd advise her to get out of the online component of her business for the time being and focus just on the 'real-world' side of things.
    Credit card numbers can not be stored and transferred with simple encryption. To store numbers you would have to go through a PCI compliance process and review -- far more expensive than integrating a third party.

    Even many companies with a high level of PCI compliance don't store numbers. It's risking your business whether it's from hackers or just a rogue employee.
    - Ted S
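
The rule stated in posts #2 and #8 (card numbers are never emailed, written to a file or put in a database by the site) can be enforced in the form handler itself. The PHP below is an added example, not code from any poster in this thread; the field names and the `safe_reservation()` helper are hypothetical, and it assumes card entry happens only on the payment provider's hosted page.

```php
<?php
// Added example: guard for a reservation form handler. Field names are
// hypothetical; card entry is assumed to happen on the provider's page.

/** Luhn checksum: true if the digit string is a plausible card number. */
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** True if $text holds a 13-19 digit run (spaces or dashes allowed) passing Luhn. */
function contains_card_number(string $text): bool
{
    if (!preg_match_all('/(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/', $text, $m)) {
        return false;
    }
    foreach ($m[0] as $candidate) {
        if (luhn_valid(preg_replace('/\D/', '', $candidate))) {
            return true;
        }
    }
    return false;
}

/** Keep only allow-listed fields; refuse any value that looks like a card number. */
function safe_reservation(array $post): array
{
    $allowed = ['name', 'email', 'property', 'arrival', 'nights', 'notes'];
    $clean = array_intersect_key($post, array_flip($allowed));
    foreach ($clean as $field => $value) {
        if (!is_string($value) || contains_card_number($value)) {
            throw new RuntimeException("Field '$field' rejected: not plain text, or holds a card number.");
        }
    }
    return $clean; // only this array may be emailed, logged or stored
}

// Constructed sample submission; 4111 1111 1111 1111 is a common test number.
$sample = ['name' => 'A. Guest', 'property' => 'Cabin 3', 'nights' => '4',
           'notes' => 'card 4111 1111 1111 1111', 'cc_number' => '4111111111111111'];
try { safe_reservation($sample); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

The allow-list silently drops the `cc_number` field, and the Luhn scan catches the number a visitor typed into the free-text `notes` field, which is where card data usually leaks into reservation emails.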

  9. #9
    Life is short. Be happy today! silver trophybronze trophy Sagewing's Avatar
    Join Date
    Apr 2003
    Location
    Denver, Phang-Nga, Thailand
    Posts
    4,379
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by vmtech View Post
    Like a lot of companies though, this one is struggling and can't spend more funds on this.
    Quote Originally Posted by p2409 View Post
    Given the client is clueless, and has no money...
    This is the biggest red flag warning I've seen in a while. I would make a recommendation for a very established, safe vendor who can handle their business entirely (i.e. PayPal type of thing) and then stay as far away from this as you possibly can.
    The fewer our wants, the nearer we resemble the gods. Socrates
