PHP Shoppingcart - Security and Credit Vendors to use?

reub77

I am not new to PHP, I've been using it for several years now. However I would not venture to call myself an expert. My expertise is more on the design side of websites as that is how I'm employed.

I do lots of side projects, and lately there has been great interest in building shoppingcarts or at least a method to do credit card transactions online.

I know enough to be able to build a simple cart but when it comes time to deal with credit cards I back away. There's a lot to know on the security side. I don't want to build something that will put my clients or their clients at risk.

So in summary, what techniques should I use or what examples should I refer to to ensure good security? And if I reside in Canada and so do all my clients, what companies are best to use to process the credit card transactions? What credit companies are best to use for all clients? Ranging from people who want to sell lots of items to people who want a simple way to have their clients renew subscriptions or memberships? Is it better to use PayPal? What would be easiest for the client? And how do I submit the cart data to the credit vendor? It would be easiest if the client just gets a deposit into their bank account or a cheque in the mail I suppose (no hastle training the clients how to use online applications to manage their money).

All advice would be appreciated. I am a novice at this aspect so please use terms I will understand.

Thanks

mtmosier

So in summary, what techniques should I use or what examples should I refer to to ensure good security?

First thing is to read all the requirements set by Visa. This also covers mastercard, and the rest as far as I know.

While reading through that you'll come across OWASP, which lays out how to secure your webapp. Visa requires you follow their top ten, but really you should read pretty much everything on that site.

Is it better to use PayPal?

Yes! You may have noticed the security requirements for merchants processing credit cards are rather lengthy and annoying. If you can avoid it do not accept or process the credit cards yourself.

And how do I submit the cart data to the credit vendor?

You use a gateway. Each has their own interface. Some require binaries (Versign's Payflow Pro), but most are just a simple xml integration.

It would be easiest if the client just gets a deposit into their bank account or a cheque in the mail I suppose (no hastle training the clients how to use online applications to manage their money).

Many of the credit card gateways support e-checks. You might want to look into that.