Hi,

I have a website which sells products, but rather than using a 3rd party site like PayPal etc. to take my payments, I want to make use of my shop terminal instead.

This said, I need to collect the credit card details on my website and then store them safely.

I have seen one contribution for osCommerce which stores half the credit card number in MySQL and then emails the other half.

My questions are: is there a PHP script out there which will collect and manage credit card details?

If I were to make my own, how would I go about this, in the sense of how does SSL work? Do you have to process information differently in forms to work alongside SSL?

Any other information would be gratefully received.

    Well, if you have to ask how to do it then I'd look into the legal ramifications of what would happen if it goes wrong and these details which you have stored went AWOL (hacked etc.).

    Might be worth reading:
    http://www.unixwiz.net/techtips/secure-cc.html

    I wouldn't personally want that risk myself, as being sued is not what I am ever after; it's also more responsibility than I want, as there is no reason to keep them. Though if you really want to do one-click shopping like Amazon you might want to hunt around, as I have heard services offer it.

    Most services like Protx offer a direct payment API which you can talk to behind the scenes via curl, so people do make the order on your site but you never keep any credit card details. They will give you all the basic code on how it works and give you a test area to play with. It also locks to the server IP so payments cannot be made outside of it.

    You can also do refunds etc. via the API in your own back end. Though be careful using your own card to test, as the bank will lock the card down if tests are repeated.

    For SSL you will have to purchase a certificate from Comodo etc., which will authenticate your site to the user when you bounce them to https:// for the payment part. If it does not verify, the user gets a big warning.

    All data is transparently encrypted between the browser and the server so nothing else changes.

      You will be breaking your contract with your merchant acquirer if you collect CC details remotely and then process them through a local terminal. Your contract will be for 'card holder present' transactions, and you will be guilty of fraud if you use that to process remote transactions, because the contract price and risk are calculated on the card holder being present, not remote.

        Yes i know what you mean, if anything goes wrong then it opens a SH*& Storm of things to follow.

        I've used both Protx and the other methods on the osCommerce script for a client. The osCommerce contribution which took the CC details for manual processing used to split the card details into two parts, one part stored in the MySQL database and the other half emailed.

        This was a security measure so the information was useless unless you gained access to both data sources.

        The other thing I have read is that in the UK at least you are meant to keep all CC information for 2 years, for things like chargebacks etc.

        I read some information on the SSL and emailing. They say to make sure the email is processed on the same server, so the emails don't leave the server and sit waiting in some POP account waiting to be hacked.

        Collecting the CC details myself would be a lot better, and I was thinking of splitting the details like the osCommerce contribution I talk about, but I still don't know if even that could cause issues for me down the line, so I was looking for a script already out there to purchase so I would at least have some course of action.

          In the UK you are not required to keep CC details for anything; only your bank needs to do that. In fact, I have never allowed CC details to pass through a site at all, let alone retain them.

          What you are talking about here is FRAUD. If your bank will not authorise you for internet processing then tough. If they will, then do that. Get an internet account and then just use one of the reputable services like WorldPay or SecPay.

            I didn't realise you couldn't do that. I think the best course of action then is, as you mention, to get an internet merchant account and then use a 3rd party service like WorldPay etc.

              Use GPG to encrypt them on the server and then email them. Keep the public key on the web server and the secret key on your local machine.

              Since they are encrypted the instant that your web site accepts them, they don't sit in a pop mailbox waiting to be hacked.

              SSL is not your solution, because they have to sit on your server unencrypted until you get around to transferring them from the server to your local machine.

              With these instructions, your only weakness is if someone figures out the root password to your web server, where they can get in and install their own piece of software that copies the CC numbers before GPG gets a chance to encrypt them. To prevent this problem, make your web server inaccessible via FTP, only SSH with a certificate.
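The arrangement described in the post above (public key on the web server, secret key kept on an offline machine, ciphertext rather than plaintext passed on by email) can be written without shelling out to GPG by using libsodium sealed boxes, which PHP bundles from 7.2 onward. The following is an added example, not code from the thread or from osCommerce; the function names `generate_keypair`, `seal_record` and `open_record` and the fake record are mine, and `JSON_THROW_ON_ERROR` needs PHP 7.3 or later. The point it makes is the one the poster makes: once sealed, the data is useless on the server, and the remaining exposure is code on the server that reads the form before sealing.

```php
<?php
// Added example (not from the thread): encrypt card data at intake with a
// public key using libsodium sealed boxes (ext-sodium, PHP >= 7.2).
// The web server only ever holds the PUBLIC key; the secret key stays on an
// offline machine, mirroring the GPG arrangement the post describes.

// --- one-time, on the OFFLINE machine: generate the keypair -----------------
function generate_keypair(): array {
    $keypair = sodium_crypto_box_keypair();
    return [
        'public' => sodium_crypto_box_publickey($keypair),  // deploy to web server
        'secret' => sodium_crypto_box_secretkey($keypair),  // never leaves offline box
    ];
}

// --- on the WEB SERVER: seal the record the moment the form is accepted -----
function seal_record(array $record, string $publicKey): string {
    $plaintext = json_encode($record, JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_box_seal($plaintext, $publicKey);
    sodium_memzero($plaintext);            // scrub the plaintext from PHP memory
    return base64_encode($sealed);         // text-safe for email or a DB column
}

// --- on the OFFLINE machine: open with the secret key -----------------------
function open_record(string $sealedB64, string $publicKey, string $secretKey): array {
    $keypair = sodium_crypto_box_keypair_from_secretkey_and_publickey($secretKey, $publicKey);
    $raw = base64_decode($sealedB64, true);
    $plaintext = $raw === false ? false : sodium_crypto_box_seal_open($raw, $keypair);
    if ($plaintext === false) {
        // Sealed boxes are authenticated: any altered byte is rejected outright.
        throw new RuntimeException('ciphertext rejected (wrong key or tampered)');
    }
    return json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
}

// Demo with a constructed, obviously fake record (4111... is a test PAN).
$keys   = generate_keypair();
$record = ['order' => 'TEST-0001', 'name' => 'A Customer',
           'pan' => '4111111111111111', 'expiry' => '12/29'];

$sealed = seal_record($record, $keys['public']);
echo "what the server stores/emails: {$sealed}\n";   // ciphertext only

$back = open_record($sealed, $keys['public'], $keys['secret']);
var_dump($back === $record);                          // bool(true)

// Tampering with the stored text is detected rather than producing garbage.
$tampered = base64_encode(substr(base64_decode($sealed), 0, -1) . "\0");
try {
    open_record($tampered, $keys['public'], $keys['secret']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Only `seal_record` and the public key belong on the web host; `open_record` and the secret key belong wherever the poster's "local machine" is. The sealed box uses an ephemeral sender key, so the server cannot decrypt what it just sealed even if compromised later, which is the property the post is relying on GPG for.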

                Avoid all that by using a quality payment service like SecPay etc. Use their secure server to host your payment page and let them take all the risk. If you opt for 3D Secure then fraud risk is transferred to the bank that issued the card.

                My rant about doing CNP transactions when you have not first agreed and been authorised for them by your bank is a bit strong. I doubt the bank would actually try to prosecute you for fraud, but they will cancel your account and all facilities immediately if they catch you doing that. Even taking card details over the phone needs to be authorised first, let alone via internet.

                In the UK you will need to retain all transaction details for the normal 4 years for the tax man/VAT, just like the rest of your accounts, but the actual card numbers are not part of that. If you do ever retain people's card numbers then you open yourself up to all sorts of problems, so just don't do it.

                  Roger Ramjet wrote:

                  I doubt the bank would actually try to prosecute you for fraud, but they will cancel your account and all facilities immediately if they catch you doing that.

                  Not to mention, the relevant credit card companies are also likely to take a very dim view of proceedings that even smell like an attempt to work around or outside CISP.

                    I would never consider keeping CC details, damn hell dude, save yourself the agony! This thread will soon be Googled, a hacker will see it and will take this as an opportunity to gain CC details from an "easy" target. Even companies like PayPal get hacked 🙁 !

                      Wait, I'm confused, this is a forum about programming, right?

                      Sure I take the safe way out as often as I can and let the established companies handle the dangerous stuff.

                      The OP's question was about how to handle the information, not about UK law or CC contracts or how to avoid having to learn about programming.

                      Security is hard but it's worth taking the time to learn to do it right. If you learn to do it such that you can handle CC's and then you wisely choose never to handle CC's then those skills you learned will help with other tasks like building login processes, building pay-per-download applications, and building forms with semi-sensitive data.

                      I have worked with professional programmers with 20 years experience who don't understand the difference between real security and the illusion of security. The tools exist for PHP programmers to implement CC grade security. Don't shy away from it just because you're buying into some myth that PHP is for amateurs making web sites with pictures of cute little pussy cats.

                        Tully, if you knew anything about security you would know that it is a specialist role. Just keeping up with the latest threats and defences is a full-time job in itself. Even if you do know it all, unless you own the whole hosting infrastructure you have no guarantees that server admins are applying the security patches and fixes in a timely manner.
                        People used to ask how easy it is to do the sort of hacking they see in the movies. Easy, I would tell them: just subscribe to a good *NIX security bulletin and you'll get all the gen on the latest hole that has been discovered. Then go looking for servers whose admins are too lazy or stupid to apply the fix.

                        The only sensible and professional solution for an organisation or programmer who does not have the resources to employ their own dedicated security specialists is to outsource to organisations that do.

                        As to local laws and contracts: don't be stupid, of course they are important. If you knew how to do business analysis then you would know that the legislative environment is a fundamental input to the whole solution design and development process. Compliance, my friend, Compliance.

                          Ramjet, if you knew anything about security you would know that it is the responsibility of every programmer. Just keeping up with normal security practices and defences is an important part of our job itself. Even if you do know it all, it's not unreasonable to assume that you own the whole hosting infrastructure and that you have guarantees that server admins are applying the security patches and fixes in a timely manner.
                          People used to ask how easy it is to protect themselves from the sort of hacking they see in the movies. Easy, I would tell them: just subscribe to a good programming security tutorial and you'll get all the information you need to be good at your job. Then you'll know that you are better off than the admins who are too lazy or stupid to learn to program correctly.

                          The only sensible and professional solution for an organisation or programmer is to become educated so that they can make sure that the security specialists they hire know what they are talking about, and also make sure that they are outsourcing to organisations that do.

                          As to local laws and contracts: don't be stupid, of course they are not what the OP was asking about. If you knew how to do business analysis then you would know that the legislative environment is well outside the scope of this forum, and legal advice in an anonymous forum is a waste of everyone's time. Competence, my friend, Competence.
