siavash1979@xxxxxxxxx wrote:
> Thanks a lot everyone. These are great replies.
> I guess I should have explained a bit more about what I'm doing.
> First of all, this is not my site, it's for a client of mine.
> Second, I did suggest using a PayPal API or a paid site to take care of this,
> but my client said no. She has a credit card processing account and how she
> works with it right now is that interested users email her, she calls them,
> gets their credit card info and charges their card manually without the card
> present.
> So, this is not really my problem, it's what she's been doing before and wants
> to continue doing. All she asked me to do is that as part of the form that
> people send their requests through, now she wants their credit card info as
> well, so that she doesn't have to call them.

Then *SHE* has to obey the rules laid down by the provider of that service.
She may well be breaking the rules if she does not take the card number over
the phone. The second you ask for a credit card number electronically you need
*ALL* of the security you can get. I have seen a number of cases of sites that
did not follow the rules and within minutes of a transaction being completed
the card number is being used on the other side of the world!!!!
(My next door neighbour got stung after using the British Airways site - one
you would have expected to be secure.)

> And the reason I'm keeping cc info in the session for a few steps is to take
> them to the confirmation page, and then the receipt page. And afterwards, I want
> to keep it in there until the client logs in to the admin page and sees new
> requests, charges them and then deletes them for ever.
> So now I've got two different responses, some people say do it, but use
> encryption/decryption methods, and some people say don't do it. But if I don't
> do it, that means I tell my client that I can't do it and I lose the job.

Some jobs you do walk away from. One has to know when it is worth all the time
you are going to pump into solving a problem that you will not actually get
paid for. If YOU are setting up the security for using Credit Cards *YOU* may
well be held liable when it gets cracked. So it is safer to pass the risk to
the card companies where possible and use an existing security system where
someone else takes the blame.
Starting point - what does it say in the agreement that your client currently
has with her credit card account?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://home.lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://home.lsces.co.uk
MEDW - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/
Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php