Building a Credit Card Form

     
1:08 am on Nov 17, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 7, 2004
posts:89
votes: 0


Hi,

I'm in the process of building a credit card authority form and I'm hoping to get a bit of advice.

I've bought my SSL certificate and I have the form set up and ready to run. I'm just wondering how I should receive the information from the form.

I was thinking of having the form email it to me but that doesn't seem very secure to me. Should the information go straight into a database?

Any thoughts are appreciated.

-Harvs-

3:08 am on Nov 17, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Apr 27, 2003
posts:236
votes: 0


No, you shouldn't be emailing it, you should be getting your approval/decline from your processor and inserting the info that is returned back by the processor (transaction numbers etc, not the actual credit card info) to your database. Sending the payment information via email will likely get your merchant account stripped if your provider catches wind of that.

If you do not know how to program, just get someone to do it for you. The liability isn't worth it IMHO if you do not know what you are doing. Either that, or get some premade thingy that you can just plug your info in.

3:55 am on Nov 17, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 7, 2004
posts:89
votes: 0


I don't want the form to actually process the payments. I just want the credit card numbers to come to me so I can process them by phone.

I was having a bit of a look at PGP, would it be a good idea to have the email encrypted or is this still not secure enough?

I do program using PHP so writing code isn't really an issue.

2:06 am on Nov 18, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Apr 27, 2003
posts:236
votes: 0


If you are sending it to an email address, you must encrypt it. Again, make sure that your credit card processor is ok with this. I don't think they will let you email it to be honest, but I certainly could be wrong.

Most processors require that your server/website is compliant with the association's regulations (I can't remember the acronym for the compliance, I want to say CRISP but that doesn't sound right).

Any particular reason why you want to call in the transactions? Seems like you will be doing a lot more work to process than if you just processed them in real-time?

2:36 am on Nov 18, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 30, 2003
posts:77
votes: 0


Encrypt the card info with PGP or the open source version GnuPG before sending the email. Then unencrypt the info on the client's computer.

Some bank cards allow this. Some don't.
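
The approach suggested in the replies above (encrypt on the server with GnuPG, decrypt only on the recipient's own computer), as an added PHP example that is not part of the original thread. The key fingerprint, keyring path, mail address and form field names are placeholders assumed for illustration; the web server holds only the public key.

```php
<?php
// Assumed values for illustration (not from the thread):
const RECIPIENT_FPR = '0000000000000000000000000000000000000000'; // placeholder key fingerprint
const GPG_HOME      = '/var/lib/orderform/gnupg';                 // keyring with the PUBLIC key only
const MERCHANT_MAIL = 'orders@example.com';

function gpg_encrypt(string $plaintext): string
{
    // Array form of proc_open (PHP 7.4+) bypasses the shell, so nothing needs quoting.
    $cmd = ['gpg', '--homedir', GPG_HOME, '--batch', '--no-tty', '--armor',
            '--trust-model', 'always', '--recipient', RECIPIENT_FPR, '--encrypt'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    // Plaintext goes in over stdin, so it is never written to a temp file.
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $cipher = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);
    // Fail closed: anything other than a complete armored message is an error.
    if ($exit !== 0 || strpos($cipher, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg encryption failed: ' . trim($errors));
    }
    return $cipher;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $pan    = preg_replace('/\D/', '', (string)($_POST['card_number'] ?? ''));
    $expiry = preg_replace('/[^0-9\/]/', '', (string)($_POST['expiry'] ?? ''));
    if (strlen($pan) < 13 || strlen($pan) > 19) { http_response_code(400); exit('Invalid card number.'); }
    try {
        $body = gpg_encrypt("Card: $pan\nExpiry: $expiry\n");
        // Subject line carries no card data; only ciphertext is mailed, nothing is stored.
        if (!mail(MERCHANT_MAIL, 'New card authority form', $body)) {
            throw new RuntimeException('mail() failed');
        }
        echo 'Thank you, your details were received.';
    } catch (RuntimeException $e) {
        error_log($e->getMessage());   // gpg or mail error text only, never the plaintext
        http_response_code(500);
        echo 'Sorry, the form could not be submitted.';
    }
}
```

If encryption fails for any reason the script sends nothing rather than falling back to a plaintext email.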