Posted by "Mark Rees" on 10/07/05 19:29
> The information that comes in from the first page is a creditcard form
> with the standard values (CCnumber, Expiry Date, Cardholder name etc).
>
> On page 2 an XMLrequest is done with a verification gateway (in this case to
> check for enrolment in 3D-Secure), the result for that I get back on the
> same page and no redirection needs to be done.
>
> However AFTER the enrolment check with the gateway I need to send the user
> along to the 3rd page, which is a URL that is provided by the verification
> process.
> So to get there, as I need to pass a heap of data to that 3rd page I can
> either use GET or POST, but since the amount of data is fairly big the only
> real option for this part seems POST.
>
> So it's not really about keeping the data persistent, it's more about the
> fact on how to push the user along correctly.

Is this what happens:

1. User enters payment data
2. XML check that payment data is OK
3. redirection to a page (on another site?), where for some reason the
payment data is required again (why?).

This sounds like a mixture of two ways of implementing online payments.
Forgive me if I'm telling you what you already know, but in general I
believe things work as follows:

1. The whole process from payment to verification takes place on the payment
provider's server

or

2. the whole thing takes place on your server, with some inline (XML in
this case) communication with your payment provider to verify the card
details.

You seem to be doing a bit of both, or have I misunderstood?

Why do you need the payment details on the third page? If you don't actually
need them, then the security problem goes away, and you can use the session
object or whatever to persist the customer data.

Does this help?
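
The approach suggested in the reply above, as an added example that is not part of the original thread: the card details stay in a server-side store, and the auto-submitting POST form that pushes the user to the gateway-provided URL carries only an opaque reference plus whatever the gateway itself returned. The in-memory store, the URL and the field names `gateway_request` and `ref` are hypothetical stand-ins.

```python
import html
import secrets
from urllib.parse import urlsplit

# Stand-in for the server-side session store (assumption: any session backend works).
SESSION_STORE = {}

def stash_payment(details):
    """Keep the card details server-side; return an opaque reference for the browser."""
    ref = secrets.token_urlsafe(32)
    SESSION_STORE[ref] = dict(details)
    return ref

def take_payment(ref):
    """Single-use lookup when the user comes back from the third page."""
    return SESSION_STORE.pop(ref, None)

def build_redirect_form(gateway_url, fields):
    """Auto-submitting POST form that sends the user to the gateway-provided URL."""
    parts = urlsplit(gateway_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("gateway URL must be absolute https")
    # Escape every name and value so gateway data cannot break out of the attribute.
    inputs = "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in fields.items()
    )
    return (
        '<form id="fwd" method="post" action="%s">\n%s\n'
        '<noscript><input type="submit" value="Continue"></noscript>\n</form>\n'
        '<script>document.getElementById("fwd").submit();</script>'
        % (html.escape(gateway_url, quote=True), inputs)
    )

# Constructed sample values: a test card number, a hypothetical URL and field names.
CARD = {"number": "4111111111111111", "expiry": "12/07", "name": "A. Cardholder"}
REF = stash_payment(CARD)
PAGE = build_redirect_form(
    "https://gateway.example/verify",
    {"gateway_request": "opaque-value-from-xml-response", "ref": REF},
)
```
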