credit card processing

Posted: Tue Jul 24, 2007 2:06 pm
by bluesman333
I'm unclear on exactly how credit card processing will work.

To be compliant with credit card company regulations, you must provide users with a page to confirm the details of their order before submitting. But, how do you do this without storing the password somewhere?

You have a page that collects the credit card number and POSTs to a page to confirm. If you are not saving passwords anywhere, how do you then POST to the payment gateway?

Posted: Tue Jul 24, 2007 2:22 pm
by miro_igov
Simple. Why do you need to store anything in order to POST it? cURL may be of interest.

Posted: Tue Jul 24, 2007 4:16 pm
by bluesman333
I am using curl to send the data to the payment gateway. But, how do I get the cc number to the script that sends to the payment gateway without saving to db?

Posted: Tue Jul 24, 2007 5:55 pm
by Ollie Saunders
You store whether they are logged in or not in a session. You never need to store a password at all anyway because you can compare hashes of it.

Posted: Tue Jul 24, 2007 8:18 pm
by Begby
Can't you confirm the details of the order *before* taking their credit card info?

Posted: Wed Jul 25, 2007 3:39 am
by miro_igov
bluesman333 wrote:I am using curl to send the data to the payment gateway. But, how do I get the cc number to the script that sends to the payment gateway without saving to db?
By adding a form which collects the cc details and posts to the processing script. The user must enter the CC info just before the processing. Then you process and return status.

Posted: Thu Jul 26, 2007 2:09 pm
by Rod
I'm dealing with a similar problem.

I currently have a billing.php page which collects the user's credit card info. The submit button on billing.php submits this info to check_credit.php.

check_credit.php uses the post variables and curl to submit the payment to the credit card company and returns status.

Note that both billing.php and check_credit.php check a session variable called "current" to see if it contains "billing". If it doesn't, the script redirects the user to another page.

However, my concern is that check_credit.php can be executed while the user is on billing.php (i.e. by opening up another window and typing in http://.../check_credit.php.)

So I would like check_credit.php to only be accessible once the user has submitted his/her credit card info.

Any help is appreciated. Thanks! :)

Posted: Thu Jul 26, 2007 3:35 pm
by miro_igov
You can write a POST-checking script in check_credit.php, but this could easily be hacked, so maybe adding a session variable in billing.php is a good idea.
Then just check the session variable and allow check_credit.php or deny.

Posted: Thu Jul 26, 2007 4:09 pm
by Rod
miro_igov thanks for your reply :)

However, I'd prefer not to set a session variable in billing.php, because then the user just has to be on billing.php to access check_credit.php.

I'd like it for the user only to be able to access check_credit.php when the submit button is hit on billing.php.

Posted: Thu Jul 26, 2007 4:21 pm
by miro_igov
Then add a hidden field named __post with value 1, and on check_credit.php use

Code:

if ($_POST['__post'] == '1') {
    // do the processing
}
but this could be hacked

Posted: Thu Jul 26, 2007 4:23 pm
by Rod
Yes, as you say it could be hacked. Is there no completely secure way?

Thanks for ideas :)

Posted: Thu Jul 26, 2007 4:25 pm
by miro_igov
Session. And another session variable for the cases when you want to go directly to check_credit.php.
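
One way to tie check_credit.php to a real submit from billing.php, as an added example that is not code from anyone in this thread: billing.php puts a random, single-use token in the session and in a hidden field, and check_credit.php consumes and verifies it before touching the card data. Unlike a fixed hidden field such as __post=1, the token cannot be guessed, is bound to the visitor's session, and is discarded on first use, so a direct GET to the URL or a replayed submit is redirected back to billing.php. The file names follow Rod's layout; the function names are assumed.

```php
<?php
// Added example (not from the thread): a one-time, session-bound token that
// gates check_credit.php so it only runs for a form submitted from billing.php.
// Assumed file names follow Rod's layout: billing.php and check_credit.php.

// --- billing.php: call this when rendering the card form ---
function issue_checkout_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Fresh random value per form render; replaces any earlier one.
    $token = bin2hex(random_bytes(32));
    $_SESSION['checkout_token'] = $token;
    $_SESSION['current'] = 'billing';
    return $token;
}
// In the form markup on billing.php:
// echo '<input type="hidden" name="checkout_token" value="' . htmlspecialchars($token) . '">';

// --- check_credit.php: call this before touching the card data ---
function consume_checkout_token(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Only a POST can carry the form; a typed-in URL is a GET and is refused.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $expected = $_SESSION['checkout_token'] ?? '';
    $given    = $_POST['checkout_token'] ?? '';
    // Consume the token first, so a replayed or double-clicked submit fails
    // whether or not the comparison below succeeds.
    unset($_SESSION['checkout_token']);
    if ($expected === '' || $given === '' || !hash_equals($expected, $given)) {
        return false;
    }
    // Keep Rod's existing "current == billing" check as a second condition.
    return ($_SESSION['current'] ?? '') === 'billing';
}

// check_credit.php entry point
if (!consume_checkout_token()) {
    header('Location: billing.php');
    exit;
}
// ... curl the POSTed card details to the gateway here, then return the status ...
```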

Posted: Thu Jul 26, 2007 6:12 pm
by superdezign
Rod wrote:miro_igov thanks for your reply :)

However, I'd prefer not to set a session variable in billing.php, because then the user just has to be on billing.php to access check_credit.php.

I'd like it for the user only to be able to access check_credit.php when the submit button is hit on billing.php.
Just make sure you keep the session active from file to file. I oftentimes forget that not every PHP programmer uses sessions as often as a lot of us do, but I have sessions active on every page. Just keep the session up. It's the most secure method.

Posted: Thu Jul 26, 2007 7:45 pm
by bluesman333
ole wrote:You store whether they are logged in or not in a session. You never need to store a password at all anyway because you can compare hashes of it.
I typed wrong. I meant to say save 'credit card number' not 'password' - big difference. Completely different issue. Allow me to explain again.

Let's say I want to have a page where I collect the credit card number. After collecting the number I want to allow the user to confirm the details before submitting the transaction to the payment gateway. What do I do with the credit card number while the user is on the confirmation page?

I'm using authorize.net as my gateway. I know that I can use transaction type AUTH_ONLY to authorize the credit card. I'm thinking that I can then do a PRIOR_AUTH_CAPTURE on the confirmation page, but I'm unsure of the results this will produce since I'm still using a test account and haven't been able to test this.

I'd like to know if it's possible to do AUTH_CAPTURE and be able to give the user a confirmation page.

Posted: Fri Jul 27, 2007 3:21 am
by miro_igov
You can use AUTH_ONLY and, when you decide, CAPTURE the funds or refund the auth. Authorize.net has a bunch of documentation about this.
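
The AUTH_ONLY / PRIOR_AUTH_CAPTURE split described above, as an added example that is not code from anyone in this thread: the card number is sent to the gateway exactly once, for the authorization on submit, and the confirmation page holds only the transaction ID the gateway returned, so no card number ever sits in the session or the database while the user reviews the order. The field names, response positions and test endpoint URL follow the legacy Authorize.net AIM name/value interface as I know it; $login and $tranKey are assumed merchant credentials, and the helper names are assumed.

```php
<?php
// Added example (not from the thread): AUTH_ONLY on submit, PRIOR_AUTH_CAPTURE on
// confirm, via the legacy Authorize.net AIM name/value API. Only the gateway's
// transaction ID is retained between the two pages; the card number is not.
// Assumed: AIM test endpoint URL, and $login / $tranKey as merchant credentials.
define('AIM_URL', 'https://test.authorize.net/gateway/transact.dll');

function aim_post(array $fields): array
{
    $ch = curl_init(AIM_URL);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    $raw = curl_exec($ch);
    curl_close($ch);
    // AIM answers with a delimited string: field 1 is the response code
    // (1 = approved), field 4 the reason text, field 7 the transaction ID.
    $f = explode('|', (string) $raw);
    return ['approved' => ($f[0] ?? '') === '1',
            'trans_id' => $f[6] ?? '', 'reason' => $f[3] ?? ''];
}

function aim_common(string $login, string $tranKey): array
{
    return ['x_login' => $login, 'x_tran_key' => $tranKey, 'x_version' => '3.1',
            'x_delim_data' => 'TRUE', 'x_delim_char' => '|', 'x_relay_response' => 'FALSE'];
}

// billing.php -> authorize, then forget the card number
function authorize_card(array $common, string $pan, string $expMMYY, string $amount): array
{
    $r = aim_post($common + ['x_type' => 'AUTH_ONLY', 'x_amount' => $amount,
                             'x_card_num' => $pan, 'x_exp_date' => $expMMYY]);
    if ($r['approved']) {
        $_SESSION['auth_trans_id'] = $r['trans_id'];  // the only thing retained
        $_SESSION['auth_amount']   = $amount;
    }
    return $r;  // $pan goes out of scope here; nothing else keeps it
}

// confirmation page -> capture the earlier authorization; no card data needed
function capture_authorized(array $common): array
{
    $id = $_SESSION['auth_trans_id'] ?? '';
    if ($id === '') {
        return ['approved' => false, 'trans_id' => '', 'reason' => 'no pending authorization'];
    }
    $r = aim_post($common + ['x_type' => 'PRIOR_AUTH_CAPTURE', 'x_trans_id' => $id,
                             'x_amount' => $_SESSION['auth_amount']]);
    unset($_SESSION['auth_trans_id'], $_SESSION['auth_amount']);  // single capture only
    return $r;
}
```

If the user abandons the confirmation page, the authorization simply expires on the gateway's schedule (or can be voided with a VOID transaction against the same ID), so nothing sensitive is left behind on the server.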