Gather credit card info
Hi,
I need to set up a form used for people to sign up for an event and have the option to input their credit card details for payment.
The people don't want to use a third party for the transaction as it's a one-off event.
How can it be set up so it's secure for using mail() to send the data?
Or how secure is it to place the data into a MySQL database?
How does one go about this to make it secure?
Cheers
I would say you don't want that on your own shoulders unless it is really, really necessary. I'm guessing a lawsuit would be applicable if your server were compromised. Also, if you intend to get codes for cards etc. from your website, I most strongly encourage you to make sure you are using HTTPS (SSL) for it. (If you mean storing codes for their cards etc. in a database or sending them over mail.)
Please elaborate a little more on what you mean (if I misunderstood you).
I would strongly urge you to educate your client on internet security. Handling CC is not a simple feat and (no slight on your skills) if you are asking about security issues relating to this then you are probably not up to the task. I would never attempt to do such a thing and I feel I'm a pretty good PHP'er.
You could always get them to set up a PayPal account or the like and use HTTPS as suggested; that would eliminate the whole CC issue.
Otherwise I would encourage you to check out some 3rd party processors and see what kind of deal you can get as a possible reseller of their system and pass that along to the client.
Or take the hit yourself if the project is worth the money.
Things like this scare me as I would never want to be responsible for such important information.
phpScott
Hi,
Although people don't mind paying for goods over the phone with a credit card, giving all the details to a real person.
But I know what you are saying...
For a small one-off project, would sending some of the data via mail() and storing the rest in the db, short term while the transaction is made, then deleting the record(s), be secure (plausible) enough for this small type of project?
Thanks
malcolmboston
Just as a summary: even if, let's say, you keep it for one hour, there is still a chance that someone could have compromised your system and is waiting.
Regardless of how small the possibility is, one should always have it in mind. The possibility exists that you would be that one, which will most likely set you back for life. Very small, but perhaps the consequence is even too great to consider running on your own server.
(I myself would not ever do this unless it was hosted on a trusted domain for these kinds of transactions. Just take a guess how many attacks there have been against a PayPal account, I'm guessing more than one, and just think of commercial servers. Your server is likely a great target (just think of the phpBB bug).)
Not saying you should do one or the other, but be clear in mind on what could happen if something went wrong.
- CoderGoblin
Agreed ... I recommend looking for a 3rd party solution.
There is nothing wrong with telling a client that you cannot do something providing you also provide reasoning behind it. In fact I have often found "Unfortunately I am unable to do that because, although I have looked into it, the security issues are such that you need an expert and I would recommend a third party handles it. This is to ensure you get both value for money and the security you and your customers need." actually enhances the trust between a client and myself and leads to more work. The key is getting the customer to accept that you are not prepared to give them a "poor" solution, not that you are afraid of any legal complications.
Of course if you said to the client earlier (even worse is if it's in writing) that you would provide a credit card system you could well be in trouble. I would suggest googling as a lot of techniques involved are more than simple PHP.
- John Cartwright
Hi,
That's what I'm saying, I'm not storing it, just thought to have part sent using mail() and store the rest in the db, extract the record and delete it.
That way, not all the data is being posted across via mail, therefore making it harder for the data to be hijacked.
More risk of the purchaser being key logged, or stolen by giving the numbers out over the phone while paying bills. The risk is everywhere really.
So wouldn't that make the data harder to hijack?
Thanks
I think he wants the following:
1. user wants to buy and gives info
2. info is sent to the company agent or whoever does the charge
3. the charge is done manually by a real person
4. info is destroyed
This task is not as much of a headache as an online transaction is.
Use SSL to make the dataflow secure. If you use mail, use a signature mail to the company. It has to be encrypted. You could divide the info up into several mails to be even more secure.
The company would have to do the same thing they do when using a phone-given credit card number.
Storing a credit card is somehow a must for a company. If the merchandise is broken etc. you might need to refund etc. The card # should just not be stored on an openly accessible system.
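The encrypted-mail step suggested in the post above, sketched as an added example that is not part of the thread: the web server holds only a public key and seals the form fields to it with libsodium before the text is handed to mail(), so only the agent's offline key pair can read the message. The function names, key handling and sample values are assumptions for illustration; it needs PHP 7.3+ with the sodium extension.

```php
<?php
// One-time setup on the agent's offline machine (done inline here only so the
// example runs stand-alone). Only the public key is copied to the web server.
$agentKeypair   = sodium_crypto_box_keypair();
$agentPublicKey = sodium_crypto_box_publickey($agentKeypair);

// Web server side: seal the form fields to the agent's public key.
// Returns base64 text that is safe to use as a mail body.
function seal_payment_details(array $fields, string $publicKey): string
{
    $plaintext = json_encode($fields, JSON_THROW_ON_ERROR);
    $sealed    = sodium_crypto_box_seal($plaintext, $publicKey);
    sodium_memzero($plaintext); // do not keep the card data around in memory
    return chunk_split(base64_encode($sealed), 76, "\r\n");
}

// Agent side: opening requires the full key pair, which never leaves the agent.
function open_payment_details(string $mailBody, string $keypair): array
{
    $sealed = base64_decode(preg_replace('/\s+/', '', $mailBody), true);
    if ($sealed === false) {
        throw new RuntimeException('Mail body is not valid base64');
    }
    $plaintext = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plaintext === false) {
        throw new RuntimeException('Cannot decrypt: wrong key or altered message');
    }
    return json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample input (a well-known test card number, not real data).
$form = ['name' => 'Test Attendee', 'card' => '4111111111111111', 'expiry' => '12/30'];
$body = seal_payment_details($form, $agentPublicKey);
// mail('agent@example.com', 'Event signup', $body); // hypothetical recipient

if (open_payment_details($body, $agentKeypair) !== $form) {
    throw new RuntimeException('Round trip failed');
}

// A message altered in transit is rejected instead of decrypting to garbage.
$raw = base64_decode(preg_replace('/\s+/', '', $body), true);
$raw[-1] = chr(ord($raw[-1]) ^ 1); // flip one bit in the last byte
try {
    open_payment_details(base64_encode($raw), $agentKeypair);
} catch (RuntimeException $e) {
    echo 'Altered message rejected: ', $e->getMessage(), PHP_EOL;
}
```

Sealing the mail protects it in transit and in mailboxes; it does not help if the form-handling code on the server itself has been modified, which is the case the next reply raises.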
Ok, bottom line I'm saying is... you know of the recent phpBB-bug? which allowed people to inject code a little how they wanted in the system if I'm not mistaken... or just your password being hacked...
They would have full access to the code, then mail all secure information (or by other means) by a simple modification to the code. And you wouldn't even know about it. (regardless of if you store it or not)
In the end, the server it is hosted on must be secure, a commercial server is not, and not your own unless you would have good skills on security and software.
I'm guessing any server hosting transactions of any kind is a likely target for attacks, especially pages that look "home made" or on personal servers as there are likely holes and easy passwords.
So if you go ahead, be sure that you can trust the server and software. That is my advice, but keep in mind, small chance, but if it happened, your life would likely be totally ruined.
I would without doubt use PayPal, and are you sure it really requires the customers to register an account? I believe it can be paid with a card without having an account.
Jim_Bo wrote:
Hi,
That's what I'm saying, I'm not storing it, just thought to have part sent using mail() and store the rest in the db, extract the record and delete it.
That way, not all the data is being posted across via mail, therefore making it harder for the data to be hijacked.
More risk of the purchaser being key logged, or stolen by giving the numbers out over the phone while paying bills. The risk is everywhere really.
So wouldn't that make the data harder to hijack?
Thanks
If you wanted to subscribe to some fancy computer magazine, would you send off a postcard with all your credit card details on it and expect it to be only read by you and the recipient?
Emails are as secure as post cards.
You are dealing with other people's money. If you aren't an expert in security, leave it to those who are. PayPal is a secure and easy-to-set-up alternative.