Re: keeping credit card info in session

Jochem Maas wrote:

>unless you are a payment gateway or a bank don't touch credit card numbers.
>there are plenty of threads in the archive of this list that give good reasons
>not to e.g. being sued out of existence.
>  
>
100% agreed.  Never touch credit card numbers.  You can't just take
credit card numbers and manually process them in 'card not present'
transactions (or MOTO in more archaic terms.)  You need a merchant
account that allows for this -- usually at a higher discount rate. 
Check the merchant agreement.

Your client should get an account like this, or better yet, provide you
with the instructions on how to integrate his site with the payment
providers so that you never have to worry about credit cards.

As an additional note... Maybe your SSL cert secures the numbers from
the client to the server, and just maybe your PHP scripts have no
security flaws in them, but you must remember the server itself and
everything else outside of PHP.  What if someone found a flaw in the FTP
server for example, or the mail server even, and used that to get the CC
info?  I would hate to be explaining to a list of 1000 clients that I
was responsible for their card numbers being stolen.

Travis Doherty

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

