|handling transactions w/o storing the CC |
| 6:20 pm on Dec 31, 2009 (gmt 0)|
Some sites like Amazon/Apple iTunes seem to store your credit card #, thus allowing you to make purchases w/o having to re-enter your CC information.
Are they indeed storing the CC number and security code, or are they doing something else?
I remember reading some members here saying that they don't store CC numbers as you don't need to. From that I assumed that when the user checks out and the data is sent to the bank, they use some return code from the bank to perform the charge etc. Can someone explain this to me, and is it the same as what Amazon/Apple is doing?
| 9:09 pm on Dec 31, 2009 (gmt 0)|
If they are allowing storage of the CC, they are obviously storing it somewhere. This means they have to be PCI compliant to do so, and are accepting the responsibilities in the event of any breach.
|when the user checks out and the data is sent to the bank they use some return code from the bank to perform the charge etc. |
1. Install valid cert on your site. No processor I know of will accept a silent post (below) from a non-SSL location.
2. Set up online merchant account with bank.
3. Set up account with gateway. It is the gateway you actually connect to, and the gateway is what actually "talks" to the bank. Sometimes these are separate, for example, your bank and Authorize.net gateway. Sometimes they are combined, for example, FirstData/Linkpoint (now Elavon.)
4. Via silent post, you collect the input data and post the data to the gateway. Gateway connects with bank, auth's the transaction (or not,) and returns a response code and other data. Depending on the response, you update your database and return a response to the user. The impression is that they've never left your site.
How to silent post? Look into curl, or for PHP, pcntl_curl() if the extensions are installed on your server.
Worry not, all gateways have sample code and test servers to get you set up.
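The silent post from step 4, sketched in PHP with the curl extension as an added example that is not part of the original thread. The gateway URL, the request field names and the response format are hypothetical placeholders; a real gateway documents its own.

```php
<?php
// Added example, not from the thread. GATEWAY_URL, the field names and the
// response format below are hypothetical; take the real ones from your gateway.
const GATEWAY_URL = 'https://gateway.example/transact';

// Server-to-server POST over TLS, with certificate verification left on.
function silent_post(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,             // return the body as a string
        CURLOPT_SSL_VERIFYPEER => true,             // check the gateway's certificate
        CURLOPT_SSL_VERIFYHOST => 2,                // and that it matches the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse plain HTTP
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    return $body;
}

// Assumed response shape: "code=1&txn_id=ABC123&reason=Approved".
// Builds the row to save: response data and last four digits only,
// never the full card number or the security code.
function order_record(string $responseBody, string $cardNumber): array
{
    parse_str($responseBody, $r);
    $digits = preg_replace('/\D/', '', $cardNumber);
    return [
        'approved' => ($r['code'] ?? '') === '1',
        'txn_id'   => $r['txn_id'] ?? null,
        'reason'   => $r['reason'] ?? 'no reason returned',
        'last4'    => substr($digits, -4),
    ];
}

// Live use (needs a gateway account):
//   $body = silent_post(GATEWAY_URL, ['card' => $pan, 'exp' => $exp, 'amount' => '19.99']);
// Constructed sample response, so the parsing step runs without a gateway:
$sample = 'code=1&txn_id=ABC123&reason=Approved';
print_r(order_record($sample, '4111 1111 1111 1111'));
```

The card number exists only in the request being forwarded; what reaches the database is the array returned by `order_record()`.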