Re: Getting Credit card details

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, April 26, 2005 5:10 pm, Ross said:
> Here's what I want to do......

No, you just *THINK* you want to do that :-)

> I want to take Credit card details from customers.... number, expiry,
> security number and send them to my client who will put these through his
> card terminal in his place of business.
>
> Any suggestions how to do this?

Don't

> Secure Email, SSL any ideas will be gratefully accepted.

Making the email secure is simple enough.

You could use encrypt to encrypt it with the public half of a key-pair.

Then, at the other end, your client has to have the private half of the
key-pair, and use it to decrypt the data, and run it through.

And therein lies the problem.

Who has access to that private key?
Where will it be stored?
How will it be input to the computer, and then erased?
Who will be able to see the decrypted data?
Is his POS right next to his computer, or will he print it out, and then
carry it to the POS and run it through?
What happens to the print-out?

Sending the email securely is not the issue:  Keeping the CC#s safe at the
other end, is a HUGE issue, completely outside your control.

To do this PROPERLY, you'll need to come up with a 10-page manual, with
Process and Workflow and Policies and Procedures, and run through a
training program every employee who has to run the CC#s and...  And this
all has to be done with a very careful eye on SECURITY.  *MOST*
credit-card fraud is not on-line.  It's from minimum-wage short-term
employees on the paper-based system.  Just like you think you want to use.
:-)

Yet, if something goes wrong, guess who can be held responsible?

Yup.  You.

Last I heard, if YOUR programming causes CC#s to leak, *YOU* can be held
responsible for the losses.  Think about that long and hard, my friend.

Your client already has a Merchant Account with some bank somewhere. 
That's how he has the terminals already.

Dollars to doughnuts says that Merchant Account has an upgrade path that
lets him start taking orders on-line.  And you can do that safely with an
SSL server and any stock shopping cart you can download.

If his existing account won't let him upgrade to add on-line, there are
innumerable banks out there only too happy to take a cut for your on-line
Sales.

It may cost him a few more pennies, but the SECURITY of having the CC# not
be exposed is well worth it.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux