PHP - Credit Card - Ajax
Posted: Thu Nov 12, 2009 4:30 am
Hi,
I'm the new guy, basically I'm just looking for some reassurance that I've covered my bases.
I have a client who wanted credit card capture in his project, TBH I wasn't all that keen but I've obliged.
This is what I have, let me know if I need to tighten up in some areas or am I good?
1) The whole process is over https
2) user enters cc details.
3) I validate them for presence, length and luhn in js
4) All good I send to my controller via ajax over https. This is where I get nervous. This is all unencrypted/plain text to the controller.
5) I run some similar validity checks in php + a few eregi_replace() parses then boom into the database it goes.
The controller(s) are "protected" from direct access via .htaccess and I feel I'm okay, but (4) sits a bit rotten. I've played with the idea of my own kinda "shared key" that I could have in my system (set by session or db) that I could encrypt the details with but unsure if 1) it would really make a difference and 2) is it required, am I sweet already?
I realise this is probably a pretty common request, I'm not looking to get flamed for asking a thrashed question. I looked but didn't find any suitable info.
Thanks for any help.
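As an added illustration of step 5 (not the poster's code, and not code from their project), here is what the server-side half of the checks described above can look like in PHP: presence, length and Luhn re-done on the server, since the JavaScript checks in step 3 can be skipped or altered by whoever controls the browser. Function names, the 13–19 digit length range and the sample inputs are assumptions for this example; preg_replace() stands in for the eregi_replace() calls mentioned in the post, because the ereg family is deprecated as of PHP 5.3.

```php
<?php
// Added example, not the original poster's code.
// Server-side card number checks that must run regardless of what the
// browser-side JavaScript already did. Names are assumptions.

/**
 * Normalise a submitted card number: keep digits only.
 * preg_replace() replaces the eregi_replace() parsing the post mentions.
 */
function normalize_pan(string $raw): string
{
    return preg_replace('/\D+/', '', $raw);
}

/** Luhn (mod 10) checksum over a digits-only string. */
function luhn_valid(string $digits): bool
{
    if ($digits === '' || !ctype_digit($digits)) {
        return false;
    }
    $sum = 0;
    $double = false;
    // Walk from the rightmost digit, doubling every second one.
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * Presence, length and Luhn, mirroring the browser-side checks.
 * Returns [true, digits-only PAN] or [false, reason].
 */
function validate_pan(?string $raw): array
{
    if ($raw === null || trim($raw) === '') {
        return [false, 'card number missing'];
    }
    $pan = normalize_pan($raw);
    $len = strlen($pan);
    if ($len < 13 || $len > 19) {            // assumed acceptable range
        return [false, 'card number length invalid'];
    }
    if (!luhn_valid($pan)) {
        return [false, 'card number failed checksum'];
    }
    return [true, $pan];
}

/** Masked form (first 6, last 4) for logs, receipts and error messages. */
function mask_pan(string $pan): string
{
    $len = strlen($pan);
    return substr($pan, 0, 6) . str_repeat('*', $len - 10) . substr($pan, -4);
}

// Constructed sample input standing in for the $_POST field sent by the Ajax call.
$samples = [
    '4111 1111 1111 1111', // widely used test number, passes Luhn
    '4111-1111-1111-1112', // last digit altered: fails Luhn
    '1234',                // too short
    '',                    // missing
];

foreach ($samples as $input) {
    [$ok, $result] = validate_pan($input);
    echo $ok
        ? 'accepted: ' . mask_pan($result) . PHP_EOL
        : 'rejected: ' . $result . PHP_EOL;
}
```

On the question in (4): the Ajax request travels inside the same HTTPS session as the page, so a "shared key" handed to the browser adds no protection in transit (anyone who can read the page or session can read the key too). The server-side validation above, and writing only the masked form to logs and error messages, is where the extra care pays off.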