Secure PHP - Credit Card processing system

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Secure PHP - Credit Card processing system

Post by kaisellgren »

Wherever PHP is outputting the CC, make sure you have placed proper encryption on the transmission. That is, if you are sending an email, encrypt (PGP). If you are sending a query to the database, encrypt the database connection.

The security of storing Credit Card information is considered the single most important fact. It is a must to have a third party review your application and do several penetration tests.
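One way to put the "encrypt the database connection" advice into practice, as an added example that is not code from anyone in this thread: a PDO/MySQL connection that requires TLS with server-certificate verification and refuses to proceed if the negotiated session is not actually encrypted. The host, database, credentials, CA path and table name are placeholders.

```php
<?php
// Added example (not from the thread): open a TLS-encrypted MySQL connection
// from PHP with PDO, then verify the link is really encrypted before any
// card-related query is sent. All hosts, paths and names are placeholders.

function connectEncrypted(): PDO
{
    $dsn = 'mysql:host=db.example.internal;dbname=billing;charset=utf8mb4';
    $options = [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
        // CA certificate that signed the database server's certificate.
        PDO::MYSQL_ATTR_SSL_CA     => '/etc/ssl/certs/db-ca.pem',
        // Verify the server certificate (PHP >= 7.1.4). Without this, TLS still
        // encrypts the bytes but does nothing against a man-in-the-middle.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ];
    $pdo = new PDO($dsn, 'billing_app', getenv('DB_PASSWORD'), $options);

    // Belt and braces: ask the server which cipher this session negotiated.
    // An empty Ssl_cipher means the connection fell back to cleartext.
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
               ->fetch(PDO::FETCH_ASSOC);
    if (empty($row['Value'])) {
        throw new RuntimeException(
            'Database connection is not TLS-encrypted; refusing to proceed.'
        );
    }
    return $pdo;
}

// Store only what the business needs: a token issued by the payment processor
// plus the last four digits, never the full card number. Parameters are bound
// through a prepared statement so card data never lands in query text or logs.
function storeCardReference(PDO $pdo, int $customerId, string $processorToken, string $last4): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO card_references (customer_id, processor_token, last4)
         VALUES (:cid, :tok, :l4)'
    );
    $stmt->execute([':cid' => $customerId, ':tok' => $processorToken, ':l4' => $last4]);
}

// Usage: $pdo = connectEncrypted(); storeCardReference($pdo, 42, 'tok_placeholder', '4242');
```

The Ssl_cipher check catches the common misconfiguration where the client is built without TLS support or the server silently allows unencrypted fallback, which the connection options alone do not reveal.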
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Secure PHP - Credit Card processing system

Post by Eric! »

Just an aside suggestion. If this is a professional business with trusted clients, why not just send them a notification of a bill that is due, when it is due, and they could just pay then with an online service like PayPal. You could even use PayPal billing if you wanted. That way you don't need to handle the card data.

https://www.paypal.com/cgi-bin/webscr?c ... &nav=2.2.1

They can even pay PayPal invoices by phone or fax, for people who are afraid to give CC data out over the internet.
https://www.paypal.com/cgi-bin/webscr?c ... &nav=2.0.5

Maybe once you can explain the choices/difficulty to the client, their requirements might change.