On Mon, Apr 13, 2009 at 11:19 PM, Skip Evans <skip@xxxxxxxxxxxxxxxxx> wrote:
> Hey all,
>
> I've always put any forms that collect credit card information behind a
> secure connection, https, figuring that sending that information from the
> client browser to the server should be secure, but I'm having convincing a
> client that it is necessary.
>
> He instead insists that only the call to the credit card processor's server
> needs to be secure and of course the processor supplies the connection
> there.
>
> But doesn't also the form need to be secure since you're sending CC
> information from that form back to the web site's server?
>
> That's what I've always assumed.
>
> I need some opinions on this, and if I'm right I think the client will defer
> to a few more votes.
>
> --

It is absolutely essential. The form itself should be encrypted using SSL, and it should likewise only accept data that has been encrypted. If not, smart consumers will simply purchase elsewhere because they know their information is not being protected.

In addition to lost sales, your client (and possibly you) could also get hit on the other end with penalties, increased processing fees, or loss of privileges from his payment processor if they find out that the site is not securing cardholder information.

You (and your client) should read up on PCI compliance.

http://www.pcicomplianceguide.org/

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
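
One way to make a card form "only accept data that has been encrypted", as an added example that is not part of the original thread. The host name `shop.example` and both function names are hypothetical, and the check assumes PHP terminates TLS itself so that `$_SERVER['HTTPS']` is reliable.

```php
<?php
// Added example, not from the thread. CHECKOUT_HOST is a constructed value.
// Assumes PHP terminates TLS itself, so $_SERVER['HTTPS'] can be trusted.
const CHECKOUT_HOST = 'shop.example';

// Decide how to treat a request for the card form, given $_SERVER-style input.
function checkout_transport_decision(array $server): array
{
    $https  = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($https) {
        return ['action' => 'serve'];
    }
    if ($method === 'GET' || $method === 'HEAD') {
        // Showing the form: send the browser to the HTTPS URL. The host comes
        // from configuration, not from the client-supplied Host header.
        $uri = $server['REQUEST_URI'] ?? '/';
        return ['action' => 'redirect', 'location' => 'https://' . CHECKOUT_HOST . $uri];
    }
    // A plain-HTTP POST has already crossed the network unencrypted.
    // Refuse it instead of redirecting, and never process the card fields.
    return ['action' => 'reject'];
}

function enforce_checkout_transport(array $server): void
{
    $d = checkout_transport_decision($server);
    if ($d['action'] === 'redirect') {
        header('Location: ' . $d['location'], true, 301);
        exit;
    }
    if ($d['action'] === 'reject') {
        http_response_code(403);
        exit("This form only accepts submissions over HTTPS.\n");
    }
    // Served over HTTPS: tell the browser to keep using HTTPS for this host.
    header('Strict-Transport-Security: max-age=31536000');
}

// Constructed sample requests, printed when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['REQUEST_METHOD' => 'GET',  'REQUEST_URI' => '/checkout.php'],
        ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/checkout.php'],
        ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/checkout.php', 'HTTPS' => 'on'],
    ];
    foreach ($samples as $s) {
        echo $s['REQUEST_METHOD'], ' https=', $s['HTTPS'] ?? 'off', ' => ', json_encode(checkout_transport_decision($s)), "\n";
    }
}
```

On the web server, call `enforce_checkout_transport($_SERVER)` at the top of both the script that displays the form and the script that receives it, before any card field is read.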