You are here: Re: [PHP] Credit card storing, for processing « PHP « IT news, forums, messages
Re: [PHP] Credit card storing, for processing

Posted by Angelo Zanetti on 02/02/05 08:24

HI Richard,

thanks for the info. With regard to the setup it will be something more
or less like this:

I want to generate my own keypair. The private key I keep secure,
offline,
on the machine that does the admin (charging, refunds etc). The public

key is used on the server to encrypt card details the minute they
arrive
on the server (even using SSL, the data will arrive unencrypted
because the web server decrypts it).

Encrypted card details are written to file, and moved off the server
overnight by a cron job.

On the admin machine, offline, the details get decrypted when needed
to perform transactions, using the private key.

The admin box is on ADSL, but behind a firewall with no services or
ports
open to the internet. I.e it can initiate a connection to the server
on
the internet, but not the other way around.

Does this setup sound secure enough and a solution that can work?
What kind of encryption should I be using?

Point out any areas where you think I might be missing something or
going wrong.

Thanks in advance.
Angelo



>>> "Richard Lynch" <ceo@l-i-e.com> 01/31/05 8:37 PM >>>
Angelo Zanetti wrote:
> this might be slightly OT but I know that the list has quite a
> knowledgable crowd =) So here is my situation:
>
> I have a client who I have developed a site for in PHP it provides
> various models for shares forecasts, the way it works is that people
> register for free (with their credit card details-https) now if they
> are
> not satisfied after a month they must just unsubscribe. If they have
> not
> unsubscribed after the first month they become a customer and each
> month
> their credit card is charged the relevant amount depending on what
> they
> have subscribed for.
>
> Now our the complication is as follows: I know that storing client's
> credit card details online is a big NONO, so we would have to move
the
> credit card details offline when they register. Im not sure how to
go
> about this. Whether to save the details in text files somewhere else
> on
> the server or save to text files not on the server but another
> location.
>
> Can anyone recommend/advise the best way to do this, also what type
of
> encryption should I be using for the credit card info?

The SIMPLEST way to do this is to charge their credit card with a
recurring charge when they sign up, and then just THROW AWAY their
credit
card number.

Your credit card processing vendor then has to remember their credit
card
number, not you.

You'll get a one-time transaction identification from the credit card
server that you can use to manage their account -- You can then use
THAT
one-time transaction number to cancel their account, issue refunds,
etc.
without remembering their credit card number at all.

You MIGHT even be able to set this recurring charge to not start until
a
month later, so you're all set. Given the sheer number of sites and
services that have a free trial period, it's very very very likely
that
the credit card vendors are already all set up to handle this for you.

If not, you can almost for sure set the recurring charge, then reverse
out
the first month's transaction, leaving the rest intact, so they get
their
free month.

You do *NOT* want to store their credit card info *ANYWHERE* at all,
period, if you can avoid it.

For sure, you do *NOT* store it in a text file on that server, and
probably not even in a text file on some other server.

If you absolutely MUST store their credit card info, re-post again,
explaning WHY, and you'll get some advice.

Be warned that that advice will probably involve buying more computer
hardware, and hours and hours of setup, as well as a physically secure
location, and an independent audit by a security expert, and ...
Let's
just say "Lots of time and money"

Go read the credit card vendor's manual -- I'm willing to bet you can
have
a solution in hours that doesn't involve you storing credit card
numbers.

--
Like Music?
http://l-i-e.com/artists.htm

--------------------------------------------------------------------
Disclaimer
This e-mail transmission contains confidential information,
which is the property of the sender.
The information in this e-mail or attachments thereto is
intended for the attention and use only of the addressee.
Should you have received this e-mail in error, please delete
and destroy it and any attachments thereto immediately.
Under no circumstances will the Cape Peninsula University of
Technology or the sender of this e-mail be liable to any party for
any direct, indirect, special or other consequential damages for any
use of this e-mail.
For the detailed e-mail disclaimer please refer to
http://www.ctech.ac.za/polic or call +27 (0)21 460 3911

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация