Credit Card

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

spartan7
Forum Commoner
Posts: 29
Joined: Sun Jun 19, 2005 12:09 am

Credit Card

Post by spartan7 »

How safe is it to have credit card details emailed in a form and then processed manually?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Not very safe, nor is storing the information on your own servers. Third party processors are generally the safest, as it shifts the liability to them.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Credit Card

Post by Christopher »

spartan7 wrote: How safe is it to have credit card details emailed in a form and then processed manually?
I would guess that it is probably illegal in most places to do that or would also probably be in violation of the credit card's rules.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Might want to look into Visa's Cardholder Information Security Program (CISP) or Mastercard's Site Data Protection program (SDP) which are both based on CPI Data Security Standards. You should find a lot of Do's and Don'ts.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

You could use something like PGP to encode the emails...
akimm
Forum Contributor
Posts: 460
Joined: Thu Apr 27, 2006 10:50 am
Location: Ypsilanti Michigan, formally Clipsburgh

Post by akimm »

Ok, maybe I don't know what I'm talking about, but I can say a few things I think are helpful :-)

1) use POST not GET in any instance of important info exchange.
2) if you use sendmail or mail() there are many problems, use something like swiftmailer.
3) this is where I speculate, bear with me, but why not use serialize() so the data is not *normally* human readable (I use asterisks on normally, because I wonder if a few geniuses on this site can read binary hehe).

I hope this was helpful.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

akimm wrote: 1) use POST not GET in any instance of important info exchange.
This is what we call security through obscurity, which in fact is not security at all. POST content can be sniffed just as easily as GET content.
akimm wrote: 3) this is where I speculate, bear with me, but why not use serialize() so the data is not *normally* human readable (I use asterisks on normally, because I wonder if a few geniuses on this site can read binary hehe).
Once again, a simple unserialize will retrieve the original data. Not safe.
akimm
Forum Contributor
Posts: 460
Joined: Thu Apr 27, 2006 10:50 am
Location: Ypsilanti Michigan, formally Clipsburgh

Post by akimm »

Since you seem to have a much clearer grasp, do the programmer a favor and tell him or suggest at least what to do. I gave my most earnest attempt.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I thought it was already pretty clear that the question was answered.
akimm
Forum Contributor
Posts: 460
Joined: Thu Apr 27, 2006 10:50 am
Location: Ypsilanti Michigan, formally Clipsburgh

Post by akimm »

I didn't realize that (that wasn't to call you out). I just felt as if, since I gave wrong info, I'd like to see the proper info provided; I hate doing wrong for people.

to me, it just seemed unanswered still. Excuse me if I offended.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I don't see any uncertainty - sending a CC number by email is simply not done. So don't do it. If someone wants your credit card number for a regular service payment they should have a self or 3rd party service under SSL - not email. If it's a once-off payment between parties you should consider exchanging payment through Paypal.