[_] Credit card processing without a PSP
Jon Bennett
jmbennett at gmail.com
Thu Jul 12 15:00:33 BST 2007
> I've got a client that wants to take orders over the interweb but
> process the card details themselves, so I need to give them a secure
> method for retrieving the card details that customers have submitted.
>
> I've done this before by encrypting with PGP, sending as an email and
> they can then decrypt using the plugin for their email client.
>
> Does anyone know of a service like this that I can integrate with, or
> maybe where they can log in over SSL to retrieve the details? I'd
> rather just leave the encryption and storage of sensitive data down to
> the experts.

I think you'll get into a fair amount of trouble if you're planning on storing the entire card number on a web accessible server; it would be considered a major risk by the banks.

Why does your client want to process the card themselves? By doing so they become liable for all fraudulent transactions etc. (that's if the bank gives the green light!).

You could take the card details over SSL, split the number up, email half and store the other half on the server - at least that way the number is never whole in the same place. This doesn't stop a dodgy employee from using the card details though (amongst other things!).

I'd avoid something like this personally. If the site is publicly viewable online, why not do what users expect and process the payment through a 3rd party?

cheers,

jon

--
jon bennett
t: +44 (0) 1225 341 039
w: http://www.jben.net/
iChat (AIM): jbendotnet
Skype: jon-bennett