I am currently working on a project where the client would like their visitors to be able to provide credit card information online.
An SSL certificate will be put in place to protect the information as it travels between client and server, however they do not wish to use PayPal or anything of the sort to process the payment. They want the credit card information emailed to them so they can process it themselves. The credit card information would not be stored anywhere, other than in the email I suppose, and it would be their responsibility to delete that promptly.
(Personally, I think they should go with PayPal to process payments for them and avoid the whole can of worms that comes along with receiving their customers' credit card numbers. If something goes wrong, you know who it will come back to
I do not have any experience with encryption, hence my apprehension about this project -- the closest I come is using md5 to hash passwords stored in a database.
I have taken a look at mcrypt in order to encrypt the credit card information. Would another webpage be needed in order to decrypt the information? Would mcrypt be "safe enough"? We do not have our own webserver, so how much trouble am I going to cause our server admin by using this?
I have also been looking at GnuPG, which has Outlook plugins available (though the most recent posts I can find about this are from 2002). This would allow the recipient of the email to decrypt it locally. But again, I'm not sure what needs to be installed on the server... our server admin is already complaining that when he rebuilds that box, it will be a nightmare since it's had so many customizations already.
So, I guess what I'm asking is: does anyone have experience with this, and what is the best solution?
Thanks for your time!
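As an added example (not code from the original post): a PHP form handler using the PECL gnupg extension to encrypt the submitted card details to the merchant's OpenPGP public key before mailing them, so the web server holds only a public key and no decrypt page is needed. The GNUPGHOME path, key fingerprint, recipient address and form field names are assumed placeholders; the plaintext still passes through the server's memory, so this narrows but does not remove the server from scope.

```php
<?php
// Added example, not from the original post. Requires the PECL gnupg extension
// and a keyring at GNUPGHOME that already contains the recipient's PUBLIC key.
// The private key never lives on the web server, so nothing on the box can
// decrypt the message; the merchant decrypts locally (GnuPG, Outlook plugin).

putenv('GNUPGHOME=/var/www/.gnupg');   // assumed keyring path, readable by the web user only

const RECIPIENT_FINGERPRINT = 'REPLACE_WITH_RECIPIENT_KEY_FINGERPRINT'; // placeholder
const RECIPIENT_EMAIL       = 'orders@example.com';                     // placeholder

// Encrypt $plaintext to the recipient's public key; returns an ASCII-armoured message.
function encrypt_for_recipient(string $plaintext): string
{
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_EXCEPTION); // throw instead of silently returning false
    $gpg->addencryptkey(RECIPIENT_FINGERPRINT); // public-key, encrypt-only operation
    return $gpg->encrypt($plaintext);
}

// Luhn check so obviously malformed card numbers are rejected before any mail is sent.
function luhn_valid(string $pan): bool
{
    $digits = preg_replace('/\D/', '', $pan);
    $len = strlen($digits);
    if ($len < 13 || $len > 19) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = $len - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Handle the POSTed form (field names are assumed).
$pan    = $_POST['card_number'] ?? '';
$expiry = $_POST['expiry'] ?? '';
$name   = $_POST['cardholder'] ?? '';

if (!luhn_valid($pan)) {
    http_response_code(400);
    exit('Invalid card number');
}

$armored = encrypt_for_recipient("Cardholder: $name\nPAN: $pan\nExpiry: $expiry\n");
unset($pan, $_POST['card_number']);   // drop plaintext references as early as possible

// Only the ciphertext is mailed; the merchant decrypts it on their own machine.
mail(RECIPIENT_EMAIL, 'New order (encrypted)', $armored);
```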