Ecommerce Forum

    
Transparent Redirect -- downsides?
Tonearm
msg:4555110
6:34 am on Mar 15, 2013 (gmt 0)

Is anyone using a "Transparent Redirect" method of processing credit cards? From what I understand, this means posting the credit card form on your website to the processor and them transparently redirecting the user back to your site. This means you don't have to deal with PCI Compliance at all. Is there any downside to this?

lorax
msg:4555311
2:59 pm on Mar 15, 2013 (gmt 0)

If I understand you correctly, checkout is handled as a SaaS by a provider. I use this method for a handful of customers and it makes a LOT of sense to me for organizations with small budgets that want to save the headaches.

No downsides as long as you're transparent with the customer IMHO.

jwolthuis
msg:4555404
6:30 pm on Mar 15, 2013 (gmt 0)

This means you don't have to deal with PCI Compliance at all.

Not true; you still need to follow the PA-DSS guidelines.

For example, you can't create a form that collects payment info, stash it in your database, then post the info on behalf of the shopper.

Also, the guidelines require that you test your code against vulnerabilities. For example, can *I* post a redirect to your site, saying that a payment was successful? Do you log fraudulent attempts like this?

If you're storing payment authorization codes (handy if you ever need to issue a refund), are they stored securely in a separate database (not on your web server), behind a firewall?

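The forged-redirect question above is the one concrete check in this thread, so here is an added example (not code from the thread, from Braintree, or from any other processor) of how a merchant's return handler can refuse a "payment was successful" redirect that the processor never sent. It assumes a constructed scheme in which the processor signs the parameters it appends to the return URL with HMAC-SHA256 under a secret shared with the merchant; the parameter names (order_id, status, amount, timestamp, signature) and the secret are assumptions for the example. Every rejection is logged, which answers the "do you log fraudulent attempts" question.

```python
import hashlib
import hmac
import logging
import time
from urllib.parse import parse_qs, urlencode

log = logging.getLogger("checkout.return")

# Assumption (constructed for this example, not any real processor's API):
# the processor signs the return parameters with HMAC-SHA256 over the sorted
# "key=value" pairs, keyed with a secret shared with the merchant out of band.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
MAX_AGE_SECONDS = 300      # how long a signed redirect stays acceptable
CLOCK_SKEW_SECONDS = 60    # tolerance for the processor's clock running ahead


def canonical(params):
    """Deterministic string the signature covers: every parameter except the signature itself."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature")


def sign(params, secret=SHARED_SECRET):
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()


def make_signed_query(params, secret=SHARED_SECRET):
    """Stands in for the processor: the query string it would redirect the shopper back with."""
    signed = dict(params)
    signed["signature"] = sign(signed, secret)
    return urlencode(signed)


def _reject(params, reason):
    # Log every failed return so forged "payment successful" redirects are
    # visible to whoever reviews the logs. No card data ever reaches this handler.
    log.warning("rejected processor return for order %s: %s", params.get("order_id"), reason)
    return False, reason


def verify_return(query_string, expected_order_id, now=None):
    """Validate a redirect back from the processor. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}

    required = ("order_id", "status", "amount", "timestamp", "signature")
    missing = [k for k in required if k not in params]
    if missing:
        return _reject(params, f"missing parameters: {missing}")

    # Signature first: nothing else in the query can be trusted until this passes.
    # compare_digest on bytes avoids both timing leaks and non-ASCII TypeErrors.
    expected = sign(params)
    if not hmac.compare_digest(expected.encode(), params["signature"].encode()):
        return _reject(params, "bad signature")

    # Replay window: a captured valid redirect must not keep working indefinitely.
    try:
        age = now - int(params["timestamp"])
    except ValueError:
        return _reject(params, "malformed timestamp")
    if not -CLOCK_SKEW_SECONDS <= age <= MAX_AGE_SECONDS:
        return _reject(params, f"stale redirect ({age:.0f}s old)")

    # Bind the redirect to the order this shopper's session is actually completing,
    # so a valid redirect for a cheap order cannot be replayed against an expensive one.
    if params["order_id"] != expected_order_id:
        return _reject(params, "order_id mismatch")

    if params["status"] != "success":
        return _reject(params, f"payment status {params['status']!r}")

    return True, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    order = {"order_id": "ORD-1001", "status": "success", "amount": "49.95", "timestamp": "1700000000"}
    genuine = make_signed_query(order)
    forged = make_signed_query(order, secret=b"attacker-guess")
    print(verify_return(genuine, "ORD-1001", now=1700000100))   # (True, 'ok')
    print(verify_return(forged, "ORD-1001", now=1700000100))    # (False, 'bad signature')
```

The signature check is the load-bearing part; the order binding and the timestamp window close the two remaining ways a genuine redirect can be misused. In practice the redirect should only mark the order as "payment reported", with the authoritative status fetched server-to-server from the processor using the transaction id before anything ships.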
Tonearm
msg:4555430
7:11 pm on Mar 15, 2013 (gmt 0)

If I understand you correctly, checkout is handled as a SaaS by a provider.

Actually no, you handle checkout yourself, but your checkout form posts directly to the processor. Here's a better description:

https://www.braintreepayments.com/developers/api-overview

Not true; you still need to follow the PA-DSS guidelines.

You're right, I should have said PCI Compliance is much simpler and easier with transparent redirect.

If you're storing payment authorization codes (handy if you ever need to issue a refund), are they stored securely in a separate database (not on your web server), behind a firewall?

Is it required to store the authorization codes on a separate machine from the web server?
