View Full Version : Setting up an online shop


paulajackson
05-03-2005, 03:45 PM
Whilst currently selling items by mail order through my website, I'm looking to soon accept credit card payments and I was wondering if someone out there who has done it could tell me what is the best way to go about it with regards to security. I'm guessing there isn't one 100% secure way of doing it, but what is the most secure way of having someone fill in a form on the website and me receiving the details, which I can then process?
Thanks
:o

JamieR
05-03-2005, 05:07 PM
You can use a PHP/MySQL system, which when written properly would be pretty secure. Regarding payment security, you can use an SSL certificate to implement https: < that means that the connection from the client's browser to the server has been encrypted and can not be read by anyone else as it is encrypted.

Jamie :)

paulajackson
05-03-2005, 05:20 PM
Thanks, will look into it.

JamieR
05-03-2005, 05:28 PM
Okay - btw, to use a S(ecure) S(ocket) L(ayer) on your site, you need to get a web host that supports it and have a certificate (which you have to pay for) which basically states that it is a secure connection which your browsers are entering ;)

paulajackson
05-04-2005, 12:21 PM
Hi
By investigating my isp's homepage I see that it supports SSL as indicated here:
"As a PlusNet subscriber, your Web space is situated on a server that both supports SSL and has the appropriate certificate. The name of this server is ftp.plus.net. You may therefore specify that visitors to a particular Web page address the server using SSL and so gain an encrypted connection."

There is also a CGI script available to use for an email form, which includes:
"Make it secure
If you wish to use a secure form to collect sensitive information, you can do so using https:// instead of http:// both in the code for the form and to reference the page containing the form....."

Is it as simple as this to collect people's credit card and address details from a webpage and have them sent to me? Or am I overlooking/missing something?

Has anyone done this at all?

Thank you

Paul

Shift4Sms
05-04-2005, 06:19 PM
So far, the security question is only partially answered. The SSL communication to the client PC only encrypts the data transferred between the client PC and the web site host. Security, once the host has the info, has not been addressed.

This can be a daunting task but as far as payment processing is concerned, it can also be simplified. My advice would be to research online payment gateways and find one that will meet your needs in cost and features. As long as you pick a name brand, the API between your site and their host should be covered. My strongest suggestion, and what would reduce some of the security concerns on your site and host, would be to pass the detailed cc info to the gateway for an online approval and then, once approved, only store the card type and last four digits of card number in your system. This way, even if your site were hacked, no critical info related to payments would be compromised.

Hope this helps...
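
The flow suggested in the post above, sketched as an added example (not code from the thread or from any gateway vendor): the full card number and security code go only to the gateway call, and the record kept by the shop holds just the card type and last four digits. `process_order` and `fake_gateway` are hypothetical names, and the card number is a constructed test value.

```python
import re

# Constructed sample: a widely published Visa test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped numbers before the gateway is called."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def card_type(pan: str) -> str:
    """Card brand from the leading digits (well-known issuer prefixes)."""
    if pan[0] == "4":
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    if pan[:2] in ("34", "37"):
        return "amex"
    return "other"

def process_order(order_id, pan_input, cvv, gateway_authorize):
    """Pass full details to the gateway; return only what may be stored."""
    pan = re.sub(r"[ -]", "", pan_input)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        return {"order_id": order_id, "status": "rejected"}
    approved = gateway_authorize(pan, cvv)  # full PAN and CVV are used here only
    # The stored record never contains the full number or the security code.
    return {
        "order_id": order_id,
        "status": "approved" if approved else "declined",
        "card_type": card_type(pan),
        "last4": pan[-4:],
    }

def fake_gateway(pan, cvv):
    """Hypothetical stand-in for a real payment gateway API call."""
    return True

if __name__ == "__main__":
    print(process_order("A1001", SAMPLE_PAN, "123", fake_gateway))
```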

paulajackson
05-05-2005, 04:35 PM
Hi, thanks for the reply

I do actually already have a merchant account and machine to punch the card numbers etc into which then get checked. As I receive these details already by post and phone, I was looking to extend it so people can enter them in an email form which gets sent to me. That's really the only "online" bit I need to set up.
My idea was to receive the card details, print them out to process and then delete them from my computer. There's probably a simple way for me to do it but I like to check all avenues - this being the best place to do just that :)


Cheers
Paul

Shift4Sms
05-05-2005, 06:28 PM
...I do actually already have a merchant account and machine to punch the card numbers...My idea was to receive the card details, print them out to process and then delete them from my computer...
It is simple but breaks several CC regs. First, e-mail is not secure -- it is sent in plain text from point-to-point through one or more e-mail servers that are not secure either. Reg wise, any transaction that takes place over the Internet and is not customer or card authenticated (meaning a clerk does not physically handle the card and verify the card's authenticity), must go through the payment network as an e-commerce merchant setup. In addition, e-commerce transactions, for best discount rate and charge-back defense, require additional data that cannot be (legally) stored in a database or file (including an e-mail message).

You will need to get another merchant account for your e-commerce transactions and make use of a gateway for handling these transactions directly in your web site -- no e-mail transfer of cc info. Since you already have a merchant account, talk to your merchant service provider. Most will lump your monthly minimums and other fixed fees into a single account and only charge an account setup, meaning that your monthly expenses, other than possible gateway fees, will not increase for having the second merchant account.

Good luck and sorry...

dysfunctionGazz
05-06-2005, 01:39 AM
Is PayPal an option?

People don't even need an account to use PayPal, it now offers the ability to pay directly with a credit card.

I know it's not the most professional looking thing but it's quite trusted and known.

You need to set up the Business Account option, but it doesn't cost anything to set up, you just pay a transaction %.

paulajackson
05-06-2005, 11:39 AM
Thanks chaps. Much appreciated. The merchant provider do have a service for internet stuff so I'll check with them. I may consider PayPal as an extra option but I thought you had to have a PayPal account in order to pay someone else's PayPal account. Either I've understood that wrong or it's changed.
Will look into all avenues. Thanks again guys for your help.

Paul

dysfunctionGazz
05-06-2005, 05:02 PM
Look on www.dryrise.com
Click on the ORDER NOW button and see what happens... it says "pay securely with credit/debit card (no account needed!)"
I think it's a new feature!