PHP, MySQL, E-Commerce Security Questions

Posted: Mon Jul 28, 2008 11:43 am
by
http://www.JReidyWebDesign.com

This is the Web Store I'm building in PHP/MySQL. Right now, the customer login information (email address, password) is simply stored in a MySQL table. I need this to be secure... should I get an SSL certificate? Will that keep my MySQL databases secure? I also need security for my checkout process, but I don't want to buy a shopping cart. What do I need to get this done... I want to be able to keep customers on my page and want to set up credit card processing... what is the best option for securely processing credit cards (low volume)?

Re: PHP, MySQL, E-Commerce Security Questions

Posted: Mon Jul 28, 2008 12:51 pm
by Christopher
You absolutely need to use HTTPS to accept credit card submissions, as well as customer information. There are several free shopping cart systems: osCommerce, ZenCart, Magento, etc. You can use simpler payment systems like PayPal. Check with your bank to find out what credit card processors they support.

Re: PHP, MySQL, E-Commerce Security Questions

Posted: Tue Jul 29, 2008 10:02 am
by
I am building this site for somebody else, so I guess I'll have to figure out what they want to do as far as processing goes, but in order to get running on https:// what do I need to do? Does godaddy.com have a good secure server service? I already have a basic shopping cart calculating subtotal, so I figure I don't really need to use zencart or anything like that... Can I just have the person enter all billing information (to session variables maybe?) on a secure server and send it directly to a processor, destroy the session variables, then put them back into a non-secure server? Does my client need to look into a merchant account?

Re: PHP, MySQL, E-Commerce Security Questions

Posted: Tue Jul 29, 2008 12:04 pm
by WebbieDave
SSL will encrypt data from the user's computer to your server. It will not prevent others from trying to hack into your database and steal the information stored therein. You (or your host) need to secure the database server application as well as the server on which it resides. It is also important for you to ensure that any sensitive information stored in the database is encrypted.
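The thread's login table stores the customer's password as-is. The following is an added example, not code from the thread or from any poster, showing the usual defensive alternative for the password column specifically: store a one-way hash rather than the password (or an encrypted copy of it), and keep user input out of the SQL text with bound parameters. It assumes PHP 7.1 or later (password_hash, password_verify, nullable types) and the PDO SQLite driver; the `customers` table and the in-memory database are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): hash customer passwords before they
// reach the database, and verify them at login with prepared statements.
// Assumes PHP >= 7.1 and PDO with the SQLite driver. The table layout and
// the in-memory database are constructed for this demo.

function openDemoDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Hypothetical table: the login table the thread describes, but holding
    // a one-way hash instead of the password itself.
    $pdo->exec('CREATE TABLE customers (
        email TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

function registerCustomer(PDO $pdo, string $email, string $password): void
{
    // password_hash() chooses a random salt and a slow algorithm (bcrypt by
    // default), so the plaintext password is never written anywhere.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO customers (email, password_hash) VALUES (:email, :hash)'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function verifyLogin(PDO $pdo, string $email, string $password): bool
{
    // Bound parameters keep user input out of the SQL text, and the
    // comparison is done by password_verify(), not by string equality.
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM customers WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade the stored hash if the default cost or
    // algorithm has been raised since the customer signed up.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $update = $pdo->prepare(
            'UPDATE customers SET password_hash = :hash WHERE email = :email'
        );
        $update->execute([
            ':hash'  => password_hash($password, PASSWORD_DEFAULT),
            ':email' => $email,
        ]);
    }
    return true;
}

// Constructed sample data for a stand-alone run.
$pdo = openDemoDatabase();
registerCustomer($pdo, 'shopper@example.com', 'correct horse battery staple');

var_dump(verifyLogin($pdo, 'shopper@example.com', 'correct horse battery staple'));
var_dump(verifyLogin($pdo, 'shopper@example.com', 'wrong password'));
var_dump(verifyLogin($pdo, 'nobody@example.com', 'anything'));
```

Run it with `php` from the command line; the first check succeeds and the other two fail. The point of the hash rather than encryption is that a dump of the table gives an attacker nothing to decrypt, and the site itself never needs the original password back. Encryption (as WebbieDave recommends) is the right tool for data the shop must later read again, such as a shipping address.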

Re: PHP, MySQL, E-Commerce Security Questions

Posted: Tue Jul 29, 2008 1:51 pm
by
Well, I guess I need SSL & secure hosting including secure MySQL server.

I also need to process credit cards, but that could potentially be done completely separate... I could store the credit card information in a secure database and just copy it into a processor's administration area manually when I want to bill?

Does anybody know of a good/cheap package of some kind that accomplishes this? I've built item/category management, log-in, a shopping cart, etc. so I don't want to pay for one of these comprehensive systems that does EVERYTHING. I only want log-in security and secure credit card processing for my already existing framework.

Thanks for your advice... I have never had to install security measures & CC processing the hard way like this...

Jacob

Re: PHP, MySQL, E-Commerce Security Questions

Posted: Wed Jul 30, 2008 12:33 pm
by mabwi
You absolutely cannot store credit card information. Well, it can be stored, but you need something better than shared hosting to do it. If the customers end up entering payment information on your site, you would send it to the payment gateway with whatever service they use, and it would never get to the Database whole. You can chop out the middle 8 CC numbers and store the rest for records.

Look into an open-source cart, any of the ones previously named is fine. You'll need to get a payment gateway, as well, but you may just want to leave that for your client to handle as they need to coordinate with their bank merchant account. PayPal is a default option, if nothing else is available.

If you want to learn how to do this right (and you should if people are paying you to do it for them) check out owasp.org.
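mabwi's advice above is to pass the full card number straight to the gateway and keep only a truncated copy for records. The following is an added example (not code from mabwi or the thread) of that truncation step: it normalises what the customer typed, rejects obvious typos with the Luhn checksum before any gateway call is made, and returns only the masked form for storage. It keeps the first 6 and last 4 digits, which is the display limit PCI DSS permits; on a 16-digit card that is a narrower mask than mabwi's "chop out the middle 8" (first 4, last 4), and the `$keepFirst`/`$keepLast` parameters let you choose either. The card numbers below are constructed test values, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the thread): reduce a card number to a masked
// record before anything is written to the database. The full number is
// only ever handed to the payment gateway; the shop keeps a masked copy.
// Assumes PHP >= 7.1. All card numbers used here are constructed test
// values, not real cards.

function normalizeCardNumber(string $input): ?string
{
    // Drop the spaces and dashes people type; reject anything that is not
    // 12 to 19 digits afterwards.
    $digits = preg_replace('/[\s-]/', '', $input);
    if (!preg_match('/^\d{12,19}$/', $digits)) {
        return null;
    }
    return $digits;
}

function luhnValid(string $digits): bool
{
    // Luhn checksum: doubles every second digit from the right, folds
    // two-digit results (e.g. 14 -> 5), and requires the sum to be mod 10.
    // It catches typos before a billable gateway request is sent.
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

function maskCardNumber(string $digits, int $keepFirst = 6, int $keepLast = 4): string
{
    $len = strlen($digits);
    if ($keepFirst + $keepLast >= $len) {
        throw new InvalidArgumentException('mask would reveal the whole number');
    }
    return substr($digits, 0, $keepFirst)
        . str_repeat('*', $len - $keepFirst - $keepLast)
        . substr($digits, -$keepLast);
}

function cardRecordForStorage(string $input): ?array
{
    $digits = normalizeCardNumber($input);
    if ($digits === null || !luhnValid($digits)) {
        return null;
    }
    // Only these fields are returned and stored; $digits is discarded.
    return [
        'masked' => maskCardNumber($digits),
        'last4'  => substr($digits, -4),
        'length' => strlen($digits),
    ];
}

// Constructed sample input: a standard Luhn-valid test number.
print_r(cardRecordForStorage('4111 1111 1111 1111'));
// Same number with the last digit altered, so the checksum does not hold.
var_dump(cardRecordForStorage('4111 1111 1111 1112'));
```

Call `cardRecordForStorage()` on the submitted form field after the gateway has accepted the charge, and write only the returned array to your table. The original string and `$digits` should not be logged, echoed, or placed in session data that outlives the request.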

Re: PHP, MySQL, E-Commerce Security Questions

Posted: Wed Jul 30, 2008 6:26 pm
by
Thanks mabwi... I think I'm probably going to end up implementing Website Payments Standard with Cart Upload (so people can stay on the site until clicking "proceed to checkout"). I've been looking into this credit card processing crap for a few days and the more I read the more confused I get...

In order to run through a merchant account, I would need a payment gateway, an SSL certificate, a secure server (https), AND a company to actually process the charges? I understand that the gateway is responsible for sending the information securely between you and the processor, but what about sending the information between you and the gateway? Does the gateway supply security for this part of the transaction, or are you still responsible for the information when going through a gateway?

Since I'm designing sites for small business, I'm sure that nobody involved wants the kind of responsibility involved in dealing with CC numbers yourself. But, what about those people who don't want to send their customers to paypal's site for checkout but don't want to pay for a dedicated server and so forth... I'd like to keep people on my page for checkout but it seems hard to do without paying out the ass and being a server/security expert...