Richard Miller wrote:
> what are the best practices for a *small* site to accept credit cards? I
> have a couple of clients with small sites that would like to accept
> credit cards. Supposing PayPal is out of the question (because it doesn't
> quite look as professional), what sort of payment gateways have you all
> used?
> Is it okay to use shared hosting with a payment gateway?

Yes, but...

I once tried to set up a site using CardService / LinkPoint some time ago -- somewhere around 2002 or 2001, I guess.

After going around and around with them to get them to send me the PHP interface instead of the Perl interface they initially sent (Grrrr!), which took weeks and weeks on end...

Testing their PHP interface, I found that they were storing the credit card info ON DISK temporarily in their processing algorithm. I.e., their PHP binary dumped the credit card info to a /tmp file, then invoked a function that would read the info in that file and process it.

On a shared server, this meant that all the credit card info was accessible to every other PHP user on the shared server! What's worse, it would probably not be that hard to forge bogus charges and run them through by another user running my PHP scripts and/or their API.

I immediately reported this flaw to their security division, as their documentation requested, and called the Sales Guy to register my complaint with him. I surmised that their binary file wasn't thread safe, which was why they were doing all this -- to avoid two PHP/Apache children running their code at once.

Meanwhile, I had gotten that monthly $25 fee invoice, and had called the Sales Guy and said that I wasn't paying $25 until we actually had SECURE transactions running, and asked him to switch me over to "testing" status. I had hoped to get up and running fast by starting off in "real" mode, but hadn't counted on them selling me insecure software!
He said he'd do it, and to not worry about the $25 fee, which would only kick in once it went back to "live". I continued to get the monthly invoice *BUT* the balance owed was always just $25 -- the current fee -- and it didn't build up, so I figured it was just a really weird billing system. (Actually, it *was* a really weird billing system in other regards too.)

After going around and around with the Sales Guy -- who could only claim "but it must be secure!" -- and getting zero response from their security division, I just plain gave up and told my Sales Guy to cancel my account and send me a refund if they couldn't get their act together. My position was that they sold me an insecure product.

I never got the refund.

Much worse, after a couple of years, I got this letter from some Collections agency! Apparently, they had never switched me over to the testing mode, and their Total Due on the bills was always $25, but they thought I owed them over a thousand dollars!

Needless to say, I was *BACK* on the phone with Sales Guy, and eventually brow-beat him into getting me in touch with Security Division, who admitted that their earlier versions (up until Feb 2004) were not suitable for deployment on a shared server. I.e., the security flaw I had notified them about within a day of testing was for real, and my Sales Guy was 100% wrong.

Anyway, I eventually got them to reverse out the monthly fees from all that time, and get Collections Agency off my back. But I *NEVER* got them to refund the $495 for a useless Certificate :-(

I can only say that, even though they are now "secure" for a shared server with PHP, I sure can't recommend CardService nor LinkPoint! Maybe if they gave me back my $495 from the useless Certificate, but, frankly, the sheer amount of my time they wasted with their Sales Guy's endless lies and sheer stupidity makes me doubt that I'd ever recommend them.
I guess my point is that you're doing the right thing to ask around, but these guys came recommended from somebody I trusted -- only he wasn't on a shared server, so he simply wasn't in the same ball-game I was in. Be sure that you specifically check for shared server support and suitability, and that you see it in their security documentation, not just some Sales Guy saying "Yeah, sure, it must be okay."

To make this long story short, my personal recommendation from a single data-point is: Stay away from CardService and LinkPoint. Others may disagree, of course. :-)

> One of my clients already has a physical card-swipe merchant account. Should
> I contact their bank to see what online options they offer?

I'll chime in with a definite YES on this one.

If nothing else, you'll have less process management on the back-end of the sales, as all your credit card stuff will come in one report, from one place, at one time, instead of having to reconcile two sets of credit card reports.

Short term, it might seem like they're "more expensive", but when you consider what all you'll have to go through on a day-to-day process for the accounting of the sales, you may realize that the Total Cost of Ownership for this is a better "deal" than saving a few bucks a month in fees.

If they are *way* out of line, then maybe think about setting up a new package deal for on-line and brick-and-mortar with somebody who will give you a better deal on both.

PS I'm also interested in seeing responses to this, so please summarize any off-list response.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
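Added example, not code from the post above and not CardService/LinkPoint's interface: it reproduces the shared-host flaw the post describes (card data handed to a helper process through a file in /tmp) next to a handoff that never touches disk, plus a 0600 fallback for a vendor binary that insists on a path. `HELPER_CMD` is an assumption, a stand-in (`cat`) for the gateway's processing binary; the card details are a constructed sample using the standard Visa test number.

```php
<?php
// Added example: not from the original post, not CardService/LinkPoint code.
// Shows the /tmp handoff flaw described in the post and two alternatives.
// HELPER_CMD is an assumption: a stand-in for the vendor's processing binary.

const HELPER_CMD = 'cat';

// INSECURE: dump the card data to /tmp and let the helper read it from there.
// file_put_contents() creates a new file as 0666 & ~umask; with the common
// umask of 022 that is 0644, so any account on the box can read it while it
// exists, and a helper that crashes leaves it there for good.
function insecure_handoff(array $card): array
{
    $path = sys_get_temp_dir() . '/card_' . uniqid('', true) . '.txt';
    file_put_contents($path, json_encode($card));
    clearstatcache(true, $path);
    $perms  = fileperms($path) & 0777;
    $output = shell_exec(HELPER_CMD . ' ' . escapeshellarg($path));
    unlink($path);
    return [
        'perms'          => sprintf('%04o', $perms),
        'world_readable' => ($perms & 0004) !== 0,
        'output'         => $output,
    ];
}

// HARDENED: feed the helper over its stdin pipe. Nothing lands on a shared
// filesystem, so there is no file for another account to read or to replace
// with a forged charge before the helper picks it up.
function piped_handoff(array $card): array
{
    $spec  = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open(HELPER_CMD, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start helper');
    }
    fwrite($pipes[0], json_encode($card));
    fclose($pipes[0]);                      // EOF tells the helper to proceed
    $output = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return ['status' => $status, 'output' => $output, 'errors' => $errors];
}

// FALLBACK when the vendor binary insists on a path: tempnam() creates the
// file 0600 (owner only), and the finally block overwrites and unlinks it even
// if the helper call throws, so a failed transaction cannot leave it behind.
function private_file_handoff(array $card): array
{
    $path = tempnam(sys_get_temp_dir(), 'card');
    if ($path === false) {
        throw new RuntimeException('could not create private temp file');
    }
    try {
        file_put_contents($path, json_encode($card));
        clearstatcache(true, $path);
        $perms  = fileperms($path) & 0777;
        $output = shell_exec(HELPER_CMD . ' ' . escapeshellarg($path));
    } finally {
        file_put_contents($path, str_repeat("\0", 256));
        unlink($path);
    }
    return [
        'perms'          => sprintf('%04o', $perms),
        'world_readable' => ($perms & 0004) !== 0,
        'output'         => $output,
    ];
}

// Constructed sample: 4111 1111 1111 1111 is the usual Visa test number.
$card = ['number' => '4111111111111111', 'exp' => '12/29', 'cvv' => '123'];
foreach (['insecure_handoff', 'piped_handoff', 'private_file_handoff'] as $fn) {
    echo "$fn:\n";
    print_r($fn($card));
}
```

Two caveats when reading the output. First, the 0600 fallback only helps where each customer's PHP runs as its own Unix user (suPHP, CGI, or a per-user php-fpm pool); under plain mod_php every vhost on the box runs as the same web-server user, so another customer's script can read a 0600 file just as easily as a 0644 one, which is exactly the situation the post describes. The pipe variant sidesteps that question because there is no file at all. Second, the check to run on any candidate gateway module before going live is the one the post did by hand: run a test transaction on the shared host while watching the temp directory (a loop over `ls -l /tmp`, or `inotifywait -m /tmp` where it is installed) and see whether anything containing the test card number appears, and with what permissions.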