Forum Moderators: buckworks
Is it okay to save it as a plain session variable (I'm using PHP)? Should I encrypt it before putting it in the session? (I'm on a shared host but I have my own folder for sessions.) According to the PIC credit card security standards you're not supposed to store the cvv info, but that seems all but impossible with a two-step checkout process.
Am I just being paranoid? How do you deal with that limbo period between getting the card info and processing payment?
Not a good idea at all especially being on a shared server is all that more a problem
your checkout is flawed and needs a professional to help get it correct or you heading for big time problems with this setup.
I'm a one-man show and can't afford to hire a professional to review my checkout flow. There are hundreds of shopping cart systems out there. I scanned the code for a few of the major ones and they all seemed to have this same basic flaw.
Is this issue just something that no one's talking about?
Are you using an online processor or getting the information CC number from the cart then running the card from a machine at your home?
I as well have an order confirm button but don't store the information it is a step in the checkout.
The cc number is then sent to the processor and I get a confirmation to go to the processor to run the approved charge.
The credit card is stored at the processing company as US laws requires this to be on file for a year or 2. No cvv numbers can ever be stored anywhere.
This gives me time before I process the order to check the card out for fraud.
If your are running the numbers from your home then you have to really be careful to have all this information stored per law. so if you have a chargeback 3 months latter you can pull the information assoicated with this order and card.
Another question is this a home made cart or one from the host your with?
The customer selects a product and is taken to a secure payment page to fill in their payment information (credit card number, cvv, etc). They click continue and are taken to an order confirmation page. Then they click checkout on the confirmation page, at which point I send the payment information to PayPal and show a page for either success or failure.
Payment Info Page ---> Confirmation Page ---> Success/Failure page
--------------------¦---saved card info ---¦
The order confirmation page has to retain the credit card details so after the customer clicks checkout there I can process the payment. I figured I can either put them in a session or in a database until they click checkout after which I can erase them. Or I can put them as hidden fields on the confirmation page.
The only way to get around storing the card details, even if only briefly, would be to process the card right after it's submitted and skip the order confirmation altogether. Is there another way?
Nothing against your coding but I am sure it can be easily hacked as carts are the toughest part of the ecommerce process.
Suggestions look into maybe buying a cart, check with your host on a cart available from them, or set up something were the orders are sent to paypal for processing.
Google has just come out with a cart available from them I took a look at it was pretty nice espically for small clients.
I am trying to keep you from having a world of trouble down the road.
[groups.google.com...]
Look into these possibilites and see were you can go.
Here's our process: 1) add to cart, 2) enter zip code and country, 3) check stock availability and display those options, 4) query shipper for shipping based on total items, 5) display summary that includes input for credit card info. From there it goes right to the processor, no storing of CC data.
All you really need to do, I think, is move your credit card charge to the last page, that's your review order.
The "check stock" step gets rave reviews from our customers. It allows them to select from 1) send what you have and the rest when it comes in at no additional shipping, 2) hold the entire order until all items come in, or 3) remove out of stock items from my order. This is an optional step but it's critical to have it BEFORE calculating shipping for obvious reasons. :-)
Also, I would suggest you seriously look into IPN if you're using payPal. IPN is method that connects back with your website AFTER the transaction is successful. That is, once the payment is complete, it reports back to your website, which you would use to update your database as "transaction complete" and know you can process the order. Most are instant, but in the case of e-Checks, can come days later. Beats doing it manually.
