Hi. I'm preparing to begin programming several forms, four of which will include the transmission of credit card info, and one or two others that will be user data only, no transactions. Planning to program everything using PHP and MySQL database. (The cc transactions won't involve a shopping cart; they will only be forms, such as a membership form, a registration form, a contribution form, etc.).

I have created several content management systems using PHP/MySQL, but this is my first foray into programming secure forms, and forms involving credit card transactions, so I'm hoping to get some feedback that will help me get it right the first time so that I don't end up making $3 per hour on this gig.

Unless I'm mistaken, the client has the option of:
a.) setting up a security certificate/secure server and then manually retrieving and processing the submitted data, to include manually processing the credit card info.

b.) setting up a security certificate AND a merchant account (the latter of which also includes a payment gateway, if done through the client's current host), which would allow for real-time credit card processing.

This leads me to my first question:
If, theoretically, I were programming the forms without using a secure certificate (which I'm not going to do, but it sets up my question), I would program into the PHP forms MySQL queries (for both the data submission and data retrieval) using localhost, the client's current login and password, and the respective tables and MySQL DB that I set up on the client's current server. How, if at all, would this change once the secure-server arrangement is in place?

Second question:
If the client opts for real-time credit-card processing, the user submits the CC info, it passes through the payment gateway, and it is either approved or rejected. Is the user info also stored on the secure server? And, assuming that it is, when the client retrieves that user data, how do they know if the CC was approved? (Do I just program the form to reject all the data unless the CC is approved?)

Last question (for now):
I'm assuming the user would need to either log into their control panel, click on MySQL Database and run their own queries there to retrieve the submitted credit-card and/or other user-submitted data, or else I'd need to program some web-based retrieval-tool pages for them. Is this the case, or is there a better way for the client to handle retrieval? For example, does the merchant account report all of the submitted data to them?

Any other insight or suggestions that you can offer would be greatly appreciated.

Thanks in advance.
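For the second question's approval flow, here is an added example (not the poster's code) of a PHP handler that records a form submission together with the gateway's decision so the client can see the outcome on retrieval, while the card details go to the gateway only and are never written to the database. The `charge_card()` function, its return array, the `submissions` table and the database credentials are hypothetical stand-ins for whatever the client's payment gateway SDK and server actually provide.

```php
<?php
// Added example: store a membership/registration/contribution submission with
// the gateway's result. Card number, expiry and CVV are passed to the gateway
// and discarded; only the gateway's transaction reference is kept locally.

// Hypothetical stand-in for the real gateway SDK call. Assumed to return
// ['approved' => bool, 'transaction_id' => string, 'message' => string].
function charge_card(array $card, int $amountCents): array {
    // In production this would call the payment gateway over HTTPS.
    return ['approved' => true, 'transaction_id' => 'TXN-EXAMPLE-123', 'message' => 'Approved'];
}

function save_submission(PDO $db, array $form, array $card, int $amountCents): int {
    $result = charge_card($card, $amountCents);

    // Keep only what the client needs when retrieving data: the form fields,
    // the amount, an approved flag and the gateway's transaction reference.
    // Declined attempts are kept with approved = 0 so they are visible too.
    $stmt = $db->prepare(
        'INSERT INTO submissions
            (name, email, amount_cents, approved, gateway_txn_id, gateway_message, submitted_at)
         VALUES (:name, :email, :amount, :approved, :txn, :msg, NOW())'
    );
    $stmt->execute([
        ':name'     => $form['name'],
        ':email'    => $form['email'],
        ':amount'   => $amountCents,
        ':approved' => $result['approved'] ? 1 : 0,
        ':txn'      => $result['transaction_id'],
        ':msg'      => $result['message'],
    ]);
    $id = (int) $db->lastInsertId();

    // Drop the card data from memory as soon as the gateway has answered.
    unset($card);
    return $id;
}

// Constructed sample connection and input (placeholder credentials, test card number).
$db = new PDO('mysql:host=localhost;dbname=clientdb', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$form = ['name' => 'Sample Member', 'email' => 'member@example.com'];
$card = ['number' => '4111111111111111', 'exp' => '12/30', 'cvv' => '123'];
$id = save_submission($db, $form, $card, 5000);
echo "Stored submission #$id\n";
```

The prepared statement with bound parameters is what keeps the MySQL queries the poster describes safe from injection regardless of whether the page is served over HTTPS; the certificate protects the data in transit, not the query itself.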