Secure transmission of CC data

         

rhyno

3:47 pm on Jan 28, 2003 (gmt 0)

Hi,

I want to add e-commerce to our existing site. The site is entirely ASP driven on an Access dB. I want to ease into things by putting up a "one-page, one product" site (our most popular product). And I want to take credit card orders.

I don't need to process them online -- for now I just want a secure way to transmit the data. The info will be stored in a database (outside of the web directory structure of course), and then we will manually check the database in-house -- no web access -- and process the order manually on our Tranz machine, for now.

Is this simply a matter of obtaining an SSL cert, installing it on the server, and loading the asp form that saves to the dB from an httpS:// URL? Is GeoTrust a good cert? Seems to be the most affordable of the "brand name" certs... I want our customers to be able to see the "lock icon" and give them some peace of mind about their transaction.

Thanks!

chameleon

4:32 pm on Jan 28, 2003 (gmt 0)

Yeah, that's the basics of it. A few other tips I will give you, however:

  • The cheapest certificates from GeoTrust may give errors to some viewers who don't have the latest browsers. They're a relative newcomer to the industry, and older browsers don't recognize their authority. Those users will get a warning message that might scare them away. See their web site for more information.

    For that reason, you may want to look elsewhere. Thawte is a good choice IMHO.

  • ABSOLUTELY store the credit card information in an encrypted format. It doesn't matter that your db is outside of your web root. If the server is accessible by the Internet, it is potentially vulnerable. Storing CC info in plain text in an Access database is about as un-secure as it gets. At least encrypt it when it's stored. You can unencrypt when you download it to your local machine.

    Good luck!
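
The following is an added example, not part of the original posts: one way to store card data encrypted on the server and decrypt it only in-house. It assumes a public-key (hybrid RSA-OAEP plus AES-256-GCM) scheme, which the post does not specify, and is written in Node.js rather than the site's ASP; `sealCard`, `openCard` and `demo` are hypothetical names and the key pair and order are constructed test data.

```javascript
// Added example: the web server stores card data it cannot itself read.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Runs on the web server, which holds only the PUBLIC key.
function sealCard(publicKeyPem, order) {
  const key = crypto.randomBytes(32);   // fresh AES-256 key for this record
  const iv = crypto.randomBytes(12);    // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(order), 'utf8'), cipher.final()]);
  // Wrap the AES key so that only the private-key holder can recover it.
  const wrapped = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, key);
  // One text value, suitable for a single text column in the orders table.
  return JSON.stringify({
    k: wrapped.toString('base64'), iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64'),
  });
}

// Runs on the in-house machine, the only place the PRIVATE key exists.
function openCard(privateKeyPem, sealed) {
  const r = JSON.parse(sealed);
  const key = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, Buffer.from(r.k, 'base64'));
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(r.iv, 'base64'));
  d.setAuthTag(Buffer.from(r.tag, 'base64'));
  // final() throws if the stored record was altered after sealing.
  const pt = Buffer.concat([d.update(Buffer.from(r.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed demo data: throwaway key pair and a standard test card number.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const order = { name: 'Test Customer', pan: '4111111111111111', exp: '12/05' };
  const sealed = sealCard(publicKey, order);
  return { order, sealed, opened: openCard(privateKey, sealed), publicKey, privateKey };
}
```

With this split, a copy of the database taken from the server contains no key that can decrypt it.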
