Posting credit card information through email [webmasterworld.com]
There are a few options. They could just get some 3rd party to process the cards such as authorize.net. They could have a secure server and do the encrypting in a db or they can do PGP. It really all depends on what they presently have available to them. Brett started another interesting thread dealing with the issue of secure transactions not long ago as well. Deals with it from a high level but definitely worth a read.
Secure - Insecure and the Sleaze Factor [webmasterworld.com]
They should ask their credit card clearing agency (or whatever it's called) who handles their merchant account. They clearly take credit cards, so they must have someone who is processing them. I was helping a tiny non-profit bookstore that has a small budget and mostly volunteer staff. I think it was something like $19.95/month to add web processing from their Visa merchant account issuer (Bank of America).
Disadvantages
- $19.95 / month
Advantages
- security: no CC info is ever recorded on the store or host servers, it's all handled by BoA who should know something about secure transactions
- liability: the store is never responsible for securing the information, so there is no potential liability, in fact less than if they were handling orders in-store from walk-in customers.
- processing: no need to wait for someone to read the email and manually do the transaction. You have a processing number and some other info in case you need to refund money or anything like that.
- validation: fast and thorough
Of course, the store in question decided they didn't want to change from their system which is only one step better than the one you describe. My feeling is that if you're really trying to do e-commerce (rather than just make a few sales on the side), $19.95 for real security should be a deal.
Since they already have a merchant account somewhere, they ought to be able to set up something like this.
Cheers,
Tom