Securely sending Credit Card details

Without SSL and standard protections, this sounds very risky indeed.

If your friend is storing the numbers in any form, database, email, etc I would strongly urge using encryption. Storing this info is so risky, many ecommerce apps pointedly do not.

You might find some interesting open source code for this at SourceForge

If I get a secure certificate and put the contact form in the https directory on the server, will that be enough to encrypt the data?

What's your thoughts on this encrypt/decrypt function? Would this coupled with SSL be secure enough?

This thread has some good insight. I would recommend not storing CC data under any circumstances. If they want to process their card information online, have your website process the card on the fly and then discard the data.

I used to work at the front desk of Hotel, so I understand the need for the card when reserving.

I will have to look up what it is called, but if it will be e-mailed, there is program that he can set up on his computer that will receive the e-mails, it will generate a private key (for his computer to use to decrypt) and a public key (for you to set up on the server). Once this is set up and the script encrypts the data, only his computer will be able to decrypt it. On his computer, if he is using outlook (ouch anyhow), a button gets installed to it that when he received a message, he simply presses the button to decrypt it.

I personally would rather this method than have it just encrypted and stored on the server for him to log into same server and decrypt. IMO best to have encryption and decryption on separate machines. Even if you just save it encrypted, he goes there gets presented with a text box where he copy and pastes it to his program to decrypt. This way, even if the server gets hacked somehow, there is no script to find that will return the CC info.

This may seem as overkill, but I have seen the results of someone who got tired of the company he worked for... Nuf said.

Other suggestions on top of the obvious get a SSL for the page, store the IP addrerss filling out the page. For this type of transaction, let the customer know that due to the type of transaction, you require a reply to a confirmation e-mail to reserve. Store the ENCRYPTED data in the database, and e-mail it when the confirmation link is called, but delete it after say, 48 hours.

(For those that don't know the industry, the idea is, you reserve the room with a credit card, the room is held all night so you can arrive as late as you want, however, if you don't show up and don't cancel in enough time, you authorize the hotel to charge you for that night anyhow. So the cardholder was never there, yet they got charged, so this is a higher risk for chargbacks, so IMO best to have as much confirmation to back up a charge.)

Also, make sure you and the hotel management are up on the rules governing the storage of information such as the CVV code (on the back of the cards, front of AMEX). According to Visa and MasterCard's terms (which get agreed to by the banks, trickled down to clearing houses, trickled down to card processing companies, which trickles down to the end user who accepts credit cards) You are not allowed to retain CVV number other than for the processing of the current payment.

This day and age, credit card info is nothing to take lightly. With people using their cards for monthly automatic payments, it becomes a big hassle to request a new card because your old one was compromised, not just the inconvenience of waiting a few days for a new card.

-Greg

Thanks gregg thats great information. Priceless! If you could send over the name of the progrm if you discover it, that would be great! Thanks again.

phpcreditcard.com have software which sounds eactly like what you are talking about.

Does anyone have any experience of using phpcreditcard.com? Any feedback on this would be greatly appreciated.