Could use a payment

mrgilb — Wed, 30 Sep 2009 15:13:52 +0000

Could use a payment processor like 2checkout or paypal or google checkout so your not depending on storing the card numbers etc.

The card information we

mikese — Sun, 12 Apr 2009 02:33:00 +0000

The card information we store gets taken offline right after the order the invoice is printed and card information is removed in the server database except the first four and last four digits of the card. Our offline server does store card information though which helps prevent fraud over time we've built up a long list of cards IP's and other information from fraudulent orders. With all the credit card comparison sites out now people are still getting cards and there is no way you can do business online without accepting them.

Thanks for posting this app.

pr0gr4mm3r — Mon, 24 Nov 2008 16:05:09 +0000

Thanks for posting this app. This looks like something I could use, or at least use this concept to code my own solution.

I'm not convinced it is necessary to use a Windows app for this, also that the necessary encryption could not be developed as a custom solution.

The idea is to store the encrypt & decrypt keys on separate, non-linked machines. As Greg said, it's best to separate the two. A Windows application is the best way to do this since most people don't have access to two web servers, and it's best to do the decrypting locally anyway.

I still do not like the idea of storing the credit card info.

I don't either, but an increasing number of my clients are requesting it.

I know, for example, that Ubercart stores the encryption key in a directory above the html root on the server.

That just protects you from an attack through Apache, which is just one of the many ways you could get compromised. There is still the top-level ftp account, control panel access, root account on the server, etc.

phpcreditcard.com looks like

decibel.places — Mon, 24 Nov 2008 14:41:23 +0000

phpcreditcard.com looks like a good service.

I'm not convinced it is necessary to use a Windows app for this, also that the necessary encryption could not be developed as a custom solution.

For $30 the price is reasonable.

I still do not like the idea of storing the credit card info.

As phpcreditcard.com notes, a secure server / SSL is necessary for PCI compliance.

I know, for example, that Ubercart stores the encryption key in a directory above the html root on the server.

phpcreditcard.com have

serpico — Mon, 24 Nov 2008 06:59:44 +0000

phpcreditcard.com have software which sounds eactly like what you are talking about.

Does anyone have any experience of using phpcreditcard.com? Any feedback on this would be greatly appreciated.

Thanks gregg thats great

serpico — Fri, 21 Nov 2008 22:59:02 +0000

Thanks gregg thats great information. Priceless! If you could send over the name of the progrm if you discover it, that would be great! Thanks again.

I used to work at the front

Greg K — Fri, 21 Nov 2008 15:00:05 +0000

I used to work at the front desk of Hotel, so I understand the need for the card when reserving.

I will have to look up what it is called, but if it will be e-mailed, there is program that he can set up on his computer that will receive the e-mails, it will generate a private key (for his computer to use to decrypt) and a public key (for you to set up on the server). Once this is set up and the script encrypts the data, only his computer will be able to decrypt it. On his computer, if he is using outlook (ouch anyhow), a button gets installed to it that when he received a message, he simply presses the button to decrypt it.

I personally would rather this method than have it just encrypted and stored on the server for him to log into same server and decrypt. IMO best to have encryption and decryption on separate machines. Even if you just save it encrypted, he goes there gets presented with a text box where he copy and pastes it to his program to decrypt. This way, even if the server gets hacked somehow, there is no script to find that will return the CC info.

This may seem as overkill, but I have seen the results of someone who got tired of the company he worked for... Nuf said.

Other suggestions on top of the obvious get a SSL for the page, store the IP addrerss filling out the page. For this type of transaction, let the customer know that due to the type of transaction, you require a reply to a confirmation e-mail to reserve. Store the ENCRYPTED data in the database, and e-mail it when the confirmation link is called, but delete it after say, 48 hours.

(For those that don't know the industry, the idea is, you reserve the room with a credit card, the room is held all night so you can arrive as late as you want, however, if you don't show up and don't cancel in enough time, you authorize the hotel to charge you for that night anyhow. So the cardholder was never there, yet they got charged, so this is a higher risk for chargbacks, so IMO best to have as much confirmation to back up a charge.)

Also, make sure you and the hotel management are up on the rules governing the storage of information such as the CVV code (on the back of the cards, front of AMEX). According to Visa and MasterCard's terms (which get agreed to by the banks, trickled down to clearing houses, trickled down to card processing companies, which trickles down to the end user who accepts credit cards) You are not allowed to retain CVV number other than for the processing of the current payment.

This day and age, credit card info is nothing to take lightly. With people using their cards for monthly automatic payments, it becomes a big hassle to request a new card because your old one was compromised, not just the inconvenience of waiting a few days for a new card.

-Greg

This thread has some good

pr0gr4mm3r — Fri, 21 Nov 2008 14:50:08 +0000

This thread has some good insight. I would recommend not storing CC data under any circumstances. If they want to process their card information online, have your website process the card on the fly and then discard the data.

What's your thoughts on this

serpico — Fri, 21 Nov 2008 07:56:09 +0000

What's your thoughts on this encrypt/decrypt function? Would this coupled with SSL be secure enough?

If I get a secure

serpico — Fri, 21 Nov 2008 06:11:39 +0000

If I get a secure certificate and put the contact form in the https directory on the server, will that be enough to encrypt the data?