Posted by Richard Lynch on 01/31/05 20:37
Angelo Zanetti wrote:
> this might be slightly OT but I know that the list has quite a
> knowledgeable crowd =) So here is my situation:
>
> I have a client who I have developed a site for in PHP it provides
> various models for shares forecasts, the way it works is that people
> register for free (with their credit card details-https) now if they are
> not satisfied after a month they must just unsubscribe. If they have not
> unsubscribed after the first month they become a customer and each month
> their credit card is charged the relevant amount depending on what they
> have subscribed for.
>
> Now the complication is as follows: I know that storing clients'
> credit card details online is a big NONO, so we would have to move the
> credit card details offline when they register. I'm not sure how to go
> about this. Whether to save the details in text files somewhere else on
> the server or save to text files not on the server but another location.
>
> Can anyone recommend/advise the best way to do this, also what type of
> encryption should I be using for the credit card info?

The SIMPLEST way to do this is to charge their credit card with a
recurring charge when they sign up, and then just THROW AWAY their credit
card number.

Your credit card processing vendor then has to remember their credit card
number, not you.

You'll get a one-time transaction identification from the credit card
server that you can use to manage their account -- You can then use THAT
one-time transaction number to cancel their account, issue refunds, etc.
without remembering their credit card number at all.

You MIGHT even be able to set this recurring charge to not start until a
month later, so you're all set. Given the sheer number of sites and
services that have a free trial period, it's very very very likely that
the credit card vendors are already all set up to handle this for you.

If not, you can almost for sure set the recurring charge, then reverse out
the first month's transaction, leaving the rest intact, so they get their
free month.

You do *NOT* want to store their credit card info *ANYWHERE* at all,
period, if you can avoid it.

For sure, you do *NOT* store it in a text file on that server, and
probably not even in a text file on some other server.

If you absolutely MUST store their credit card info, re-post again,
explaining WHY, and you'll get some advice.

Be warned that that advice will probably involve buying more computer
hardware, and hours and hours of setup, as well as a physically secure
location, and an independent audit by a security expert, and ... Let's
just say "Lots of time and money"

Go read the credit card vendor's manual -- I'm willing to bet you can have
a solution in hours that doesn't involve you storing credit card numbers.

--
Like Music?
http://l-i-e.com/artists.htm