Accepting payments is a serious business. Anyone not familiar with PCI rules should take the time to check out:
https://www.pcisecuritystandards.org/merchants/ (general merchant info)
https://www.pcisecuritystandards.org/smb/ (geared to inform small businesses)
There are mainly three ways to process payments:
1. Payment collection is taken care of by a 3rd party (e.g. PayPal, Authorize.Net, FirstData, etc.). With this method, NO credit card information is accepted by your site. This is the most secure (i.e. LEAST LIABILITY for you). For the companies given as examples, this is their business; they take most of the liability, they know what rules/guidelines are in place, and they are up to date on things. Let them deal with it. Save the headaches! (And yes, you CAN do it and keep it from looking "amateurish"; I'm dealing with this now.) NOTE: SSL is NOT needed with this route, but depending on how you are handling checkout, you may want it. (E.g. we have the Authorize.Net checkout showing in a lightbox on our site, so we like our final checkout to show as secured to the customers.)
2. You use SSL, and you have a checkout page on your site where you collect their payment data. Behind the scenes your server sends that off to the payment processor and gets a result (either accepted or declined, with other data too), then your site completes the order. With this route, you need to be aware of security for your site, not only physically, but electronically. You have now become the weakest link in identity theft issues, other than what the customer may do.
3. You collect the credit card information, and you either store it or transmit it to be manually processed. DO NOT DARE go this route until you are FULLY aware of the information at the links I gave above. Just too much to go over.
How not to do it: Take the credit card information on a non-secure site, then submit that form via a non-secure link to a third-party form processing company that both e-mails the information as RAW text and saves a copy (again, raw text) to a database. This is like the trifecta of payment processing failure. I actually saw a company doing this! I told them unless the payment part was taken offline immediately, I wouldn't do work for them.
A lot of people don't think about what the worst that could happen is. Ask a lawyer. Someone determines that their credit card information was compromised by you; while the credit card companies are getting way nice at refunding money to their card holders, people value their time, and you can get sued for loss of time, their cost to hire a lawyer, and their paying for an identity theft monitoring service for a year.
Still doesn't seem bad? Oh, I paid $5000 to that person.... What if you have 1000 customers? Word gets out, and you can be liable for all of them to have identity theft monitoring, audits of their purchases, and let's face it, there are going to be those people who will try to claim stuff they bought, they didn't. Not to mention, on top of all this, if your merchant account provider finds out... Time to switch providers and/or change business names...
Overkill? Exaggeration? Nope, real-life examples of what I have seen happen to companies doing things wrong (other than that figure of $5000; that one I don't know how much got paid, I just know they had to pay all customers that learned of the security breach.)
-Greg
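An added example, not part of Greg's post, of the two defender-side checks the "how not to do it" paragraph implies: flagging a checkout form that posts card fields to a non-HTTPS action, and masking card numbers before anything is e-mailed, logged or saved to a database. The form HTML, field names and hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample forms (hypothetical hosts). BAD_FORM is the "trifecta":
# the site collects the PAN itself and posts it to a third party over plain HTTP.
BAD_FORM = """<form action="http://formmailer.example.invalid/submit" method="post">
<input name="name"><input name="card_number"><input name="cvv"><input name="exp">
</form>"""
GOOD_FORM = """<form action="https://shop.example.invalid/checkout" method="post">
<input name="name"><input name="card_number"><input name="exp"></form>"""

CARD_FIELD = re.compile(r"card|ccnum|cvv|cvc|exp", re.I)  # assumed field-name hints

class FormAudit(HTMLParser):
    """Collect the form's action URL and the names of any card-data inputs."""
    def __init__(self):
        super().__init__()
        self.action, self.card_fields = "", []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and CARD_FIELD.search(a.get("name") or ""):
            self.card_fields.append(a["name"])

def audit_checkout_form(html):
    """Return findings: card fields posted anywhere other than an https:// action."""
    p = FormAudit()
    p.feed(html)
    findings = []
    if p.card_fields and urlparse(p.action).scheme != "https":
        findings.append("card data posted over non-HTTPS action: " + p.action)
    return findings

def luhn_ok(digits):
    """Luhn checksum, so order numbers and phone numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def mask_pans(text):
    """Mask Luhn-valid card numbers before text is e-mailed, logged or stored."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)
```

Running `mask_pans` over an order-confirmation e-mail body before it is sent, and `audit_checkout_form` over each checkout template in CI, catches the two halves of the trifecta described above.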