Hi,
I'm building a site for someone where a purchase can be made. However the client doesn't want people to have to use paypal or any of those systems, he wants people to be just able to enter their credit card and billing details. What are the recommended design concepts for this kind of a system. It wouldn't be safe to store these details in a database, credit card's wouldn't be processed immediately, so how do you store this kind of information securely. Obviously SSL would be employed on the web server for these pages.
Thanks
Method's for credit cards
Moderator: General Moderators
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Method's for credit cards
Where do you think major companies store their CC details?It wouldn't be safe to store these details in a database
It's not the database, it's the design and implementation and the system your running under that affect security the most.
You really need to reconsider explaining to your client the advantages of using PayPal. If your in the States, you can use PayPal to seamlessly carry out transactions, so endusers never even know PayPal was involved.
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Method's for credit cards
I know that paypal has gained alot of popularity in recent years, but I still shy away from doing anything with them. (Maybe I'm one of the few people left without a paypal account)?
What you need to research is an online merchant account gateway. http://www.authorize.net is a very large and well known gateway. They have both a simple interface that you can plug into your site or they have a webservice than you can fully integrate into your site. No CC details are stored by you. You simply push them along through the service and the service returns a yay or nay with confirmation or error codes for you to store. I believe authorize.net calls it the AIM for Advanced Integration Method and it should be available for download through the developer section of their website.
You'll also need a merchant account through a banking institution for the gateway to deposit the funds into. I had one setup through Wells Fargo years ago and they had a partnership with authorize.net, which is why I recommended them.
It's pretty overwhelming at first, but once you get the lingo whipped, its pretty cut and dry.
What you need to research is an online merchant account gateway. http://www.authorize.net is a very large and well known gateway. They have both a simple interface that you can plug into your site or they have a webservice than you can fully integrate into your site. No CC details are stored by you. You simply push them along through the service and the service returns a yay or nay with confirmation or error codes for you to store. I believe authorize.net calls it the AIM for Advanced Integration Method and it should be available for download through the developer section of their website.
You'll also need a merchant account through a banking institution for the gateway to deposit the funds into. I had one setup through Wells Fargo years ago and they had a partnership with authorize.net, which is why I recommended them.
It's pretty overwhelming at first, but once you get the lingo whipped, its pretty cut and dry.
Re: Method's for credit cards
Last time (and every time, actually) I worked on authorize.net integration they had horrible csv-like interface, misleading test mode and virtually no developer support options except their docs (mediocre, at best). And since they indeed are large, it's unlikely to change anytime soon. I wouldn't recommend them to beginners in this field.flying_circus wrote:http://www.authorize.net is a very large and well known gateway.
On the other hand, if you're considering setting up a merchant account and using it with a payment gateway, I'd advise you to make sure your company has a good lawyer. Some gateways have a habit to put funds on hold for no good reason (I certainly do not accept vague apprehensions to be a good reason to hold money you earned). If you ever get your account suspended it's not unreasonable to expect to not get your money for years.
Re: Method's for credit cards
Sounds like you'll have to use some merchant account.
There are three areas of concern, how you get the creditcard info from the customer. (This is where ssl / https comes in)
How you store it.
How you send it to the merchant gateway (almost all merchant gateways only allow https submits, so it's not easy to screw this part up)
This is one of those ultra scary things for you to do your first time. After you do two or three, you won't even hesitate on the next one.
Authorize.net can be a pain for the first time, you just HAVE to write tests... You HAVE to, or you will hate yourself. To add to the confusion there are three different ways to "test" with authorize.net, Live gateway - testmode, test gateway - livemode, test gateway - testmode. Just forget about the other two and make a test for the test gateway in live mode, or the live gateway in test mode You really only need one of them. I usually code into all my sites a page (protected by a .htaccess file so only my IP can hit it) that sets a session var to "test-mode". This doesn't change anything at all, except when I send the charge to the merchant I make it one cent. This allows you to easily and quickly put through a REAL charge with your card info and feel 100% confident that everything works great.
For encrypting the cc info in a db here's some pointers (IMHO)
1) Just don't worry about it. (Yes, this violates the PCI compliance rules, but you aren't going to be PCI certified anyways are you? I didn't think so.)
I've worked for big companies who grossed millions that didn't encrypt their cc info. Yes, it's BAD. I don't recomend it, but, if encrypting it seems tough, then just go for it, and go back and encrypt later.
or... 2) Use MySQL to encrypt the data. MySQL makes it uber easy to encrypt data.
The AES_ENCRYPT and AES_DECRYPT provide exceptional security, as long as you keep the key safe. I think you can use just about use anything as a key (could be tottaly wrong) but I have seen devs MD5 some password, then MD5 the output again and use that as the key.
I think I've blabbed enough.
Joey
There are three areas of concern, how you get the creditcard info from the customer. (This is where ssl / https comes in)
How you store it.
How you send it to the merchant gateway (almost all merchant gateways only allow https submits, so it's not easy to screw this part up)
This is one of those ultra scary things for you to do your first time. After you do two or three, you won't even hesitate on the next one.
Authorize.net can be a pain for the first time, you just HAVE to write tests... You HAVE to, or you will hate yourself. To add to the confusion there are three different ways to "test" with authorize.net, Live gateway - testmode, test gateway - livemode, test gateway - testmode. Just forget about the other two and make a test for the test gateway in live mode, or the live gateway in test mode You really only need one of them. I usually code into all my sites a page (protected by a .htaccess file so only my IP can hit it) that sets a session var to "test-mode". This doesn't change anything at all, except when I send the charge to the merchant I make it one cent. This allows you to easily and quickly put through a REAL charge with your card info and feel 100% confident that everything works great.
For encrypting the cc info in a db here's some pointers (IMHO)
1) Just don't worry about it. (Yes, this violates the PCI compliance rules, but you aren't going to be PCI certified anyways are you? I didn't think so.)
I've worked for big companies who grossed millions that didn't encrypt their cc info. Yes, it's BAD. I don't recomend it, but, if encrypting it seems tough, then just go for it, and go back and encrypt later.
or... 2) Use MySQL to encrypt the data. MySQL makes it uber easy to encrypt data.
The AES_ENCRYPT and AES_DECRYPT provide exceptional security, as long as you keep the key safe. I think you can use just about use anything as a key (could be tottaly wrong) but I have seen devs MD5 some password, then MD5 the output again and use that as the key.
I think I've blabbed enough.
Joey
Re: Method's for credit cards
do a google search for "phpcreditcard". It's a script I've written that does this the most secure way possible without having to setup a merchant account/payment gateway etc.
I wrote it when I had a similar client to yours - they didn't want to use paypal, and they have an offline business that accepts credit cards, and they want to run their online orders through their terminal.
I wrote it when I had a similar client to yours - they didn't want to use paypal, and they have an offline business that accepts credit cards, and they want to run their online orders through their terminal.