Session and SSL

Hi guys,

I am working with credit card details atm and am currently storing them in the browser session over an SSL encrypted connection. They are not being passed around between different pages; they are taken on the last page of my checkout and immediately emailed to our administrator. The session is of course destroyed immediately after.

Is this the sensible way to do it? Am I relatively safe from hackers over SSL? I have steered well clear of cookies as I have heard so many horror stories.

Normally I wouldn’t be writing a custom payment module but the CMS I am using did not have what I needed.

My thinking is that there must be an industry standard way to do this, rules that even smaller development teams can follow?

Anyway I will be interested to know your thoughts on this matter.



No! BAD BAD BAD! DO NOT EVER EMAIL credit cards or other private information. In fact you should not be handling credit cards and other private information AT ALL! And yes, there is a whole “industry standard” way and set of rules. See:

But really… you should be using a third-party payment gateway, like PayPal or other.

Well, I have to get the information, there’s no other way around. What do you suggest, I can’t magic them through the air?? Also this isn’t even being Beta tested yet, it is just a unit test, which is why I am posting on here before I make anything concrete. I am not using a 3rd party payment gateway because it just doesn’t suit the requirements of our business model. It’s a drop-ship model so the details are no good to us and must be sent straight to the distributor.


Is there a way to use PayPal to relay details to 3rd parties?

Thanks for your help, I appreciate it.