Payment System

leoric1928

Good day,

I am planning to develop an e-commerce application. After thinking through it, I found out that the system is like a shopping application like amazon, wherein the user needs to pay online either through credit card or paypal or whatever the means of paying he wants, which goes me to a halt. How am I suppose to develop this kind of application in PHP. I mean how can I verify the credit card, How will I deduct the amount and the same goes through with Paypal. Do I need a third party with this? Do I need to talk to a company? Hope somebody could give me a tutorial or article regarding how to implement this. Tnx

cbj4074

Setting up an eCommerce site is quite a project, and the steps you will have to take will vary with one bank/vendor to the next.

If you intend to allow for secure transactions (which every good eCommerce site should), you will need to obtain a security certificate that is issued through a registered authority (VeriSign is one example). The certificate must be installed on your Web server. Certificates typically cost around $300 annually and you will be required to pass an intensive screening process to obtain the certificate. VeriSign, for example, has been known to require you to pass a Standard & Poors (S&P) review before issuing you a certificate. S&P will check your credit history, among other things, before notifying VeriSign that you are elligible for a certificate. This process prevents individuals with a shady business history from obtaining a reputable certificate.

If you're not looking to spend a lot of money or involve a third party, what you can do is open a merchant account with the bank of your choice. Some banks are pickier than others with respect to whether or not they will grant you permission to conduct business through the merchant account online. My bank demanded that they see my website before giving me the account. They also wanted to know what goods I would be selling. Banks shoulder a fair amount of liability when issuing you such an account, so expect a rigorous screening before they give you an online seller's account.

Once you have the certificate and merchant account, you can request a credit card terminal (or save some money and call in your orders by touch-tone phone). You can link your online order form to a MySQL or comprable database of your choice and store order/payment information in the database. Further, you can set up your own PHP page that will pull that information into a legible format for viewing in a Web browser to read the information and call it into your merchant processing account or type it into your credit card terminal.

Does that help get you on track?

AstroTeg

I would HIGHLY recommend staying away from storing any data in the database that is credit card related (mainly the credit card number). From a security standpoint, a thug can't get much if there's not much there to get.

IF you're still stuck on the idea of storing the credit card numbers in a database, then:

The card numbers must be encrypted IN the database.

Any where you go to access those cards must be using an SSL connection. So you'd need to use SSL to get the card number from the user, but you'll need SSL to display the card number for when you punch it in.

Emailing is just as bad, if not worse. There's no SSL involved when the email gets transferred. So you'd definitely need to encrypt the card numbers.

But its a LOT easier to (and less stressful) to leave the credit card numbers out of the database (the trick here is your code HAS to be rock solid). This means you'd have to use a payment gateway (its really not that difficult to do as long as you can read directions and specifications). Ideally, you'll want to handle the credit card number as quickly and as little as possible.

The payment gateway will have their approval process as well, but just follow their directions and its not rough.

You may want to look into mod10 number checking. This is what the credit card companies use to build and validate a card number (its sort of like a CRC check). You'll also want to look at the number qualifications for the cards you'll be accepting. If Visa's numbers always start with 4, then have your code check if the card number starts with 4 and the user selected Visa as their payment option (this is one additional form of credit card fraud checking - it can be defeated, but its one additional hurdle for someone to work around). Also checking what is a valid length for a particular flavor of a card can be very helpful as well. It verifies the user entered a properly formed CC number and it wasn't a data entry issue. In your live code, you'll probably want to have your code check for the test card numbers and make sure someone doesn't enter one of those (usually the payment gateway is good enough to bounce those but the more checking you do, the safer you'll be from fraud).