PayPal and 3DS security


I did a custom integration of PayPal’s Website Payments Pro UK a couple of years ago, and it all works fine.

It’s secure (to the best of my knowledge!) because I collect all the customer’s credit card/billing information on one form, and as soon as they press “submit”, the details are sent to PayPal (with SSL) and the transaction is done… I never see or store credit card details.

But now that PayPal requires 3D-Secure for Maestro payments, I need to add the following steps (it’s Cardinal Centinel).

It’s the same as above, but when the customer clicks “submit”, the credit card/billing information needs to be sent to 3D-Secure servers. Then via a couple of HTTP POSTs (where customers are redirected to verify their details with their bank), I’m sent back to my own payment finalisation stage (with some extra data sent from 3D-S that I need to send to PayPal).

But I still need the credit card and billing information I collected from my original form to be sent to PayPal.

So the question is, how do I securely get the credit card info from my original form to this final processing page?

I could store it in a database temporarily (encrypted), then retrieve it for this final step (then delete it), but I’ve read things that suggest this isn’t ideal (especially since if a hacker obtains access to the server+files, he’ll know my encryption password). And I don’t like the idea of this, because I’m actually “storing” credit card details (albeit for a few minutes).

But how about passing the credit card+billing info via hidden POST variables between the pages (it’s all done over SSL)?

(Then there’s storing the whole lot in session variables, but that’s probably not a good idea!)

The Centinel examples are pretty straightforward, but in their examples, they don’t pass the credit card details to the last stage (but I guess it’s not their responsibility to show you that part).

Any help would be appreciated!