SSL Please Help Client Request Services!

I have a client that is getting an SSL for his domain, and wants to accept credit cards on his site. When you use an SSL for a domain, what about when the form is submitted and e-mailed to him? Is this information still encrypted during the transfer to his e-mail address?

Another option I am thinking about is if I want to store this customer's information in the database after the form is filled out, until he retrieves it. How would I go about doing this? He is using a .asp script; do I just forward the form to a database, or how is this done?
 
No, once it hits email it's plaintext! DON'T do this, PLEASE, for the sake of your client... please try to convince them to use a credit card gateway as well; it will reduce fraud and reduce the rate charged per transaction as well.
 
The problem is this: he has a merchant account off board of the internet. So somehow he needs to get clients' credit card numbers from his website in a safe manner; once retrieved, the credit card info can be deleted.

I was thinking about something like Oscommerce does and storing the info in a database. Is this safe? Is there a way to do this with .asp?

Thanks Stephen, I am trying to get this as safe as possible for him.
 
As per most merchant agreements, this is actually a violation; unless you physically swipe the card you are not to manually input it.

I don't know his exact details, but he needs to check them CLOSELY and see if he can get a merchant gateway through his provider. Most offer this, and it would remove a huge business liability from him.
 
Another thing you should do is have a note when someone is entering their credit card info that it will be stored in a database.

You can encrypt the data (not SSL) using 3DES or some algorithm, and then your client needs to decrypt the data so he can do whatever he wants.

But like Stephen said, it's a million times better to use a real-time service, and this way you don't have to store the credit card details.
 
We do a similar thing with some private information our client collects.
When a person submits info via a form, the info is encrypted (using PGP) and stored in the database, then an email is sent to the client notifying them that there's info in the database. Then they log in and view it.
There's no way to send email securely unless you have control over the email servers and web servers.

-ross
 
wotech said:
We do a similar thing with some private information our client collects.
When a person submits info via a form, the info is encrypted (using PGP) and stored in the database, then an email is sent to the client notifying them that there's info in the database. Then they log in and view it.
There's no way to send email securely unless you have control over the email servers and web servers.

-ross

I also have a client that manually inputs his CC charges via a CC machine at his business... he originally just took phone orders that way (nothing wrong with doing it that way).

His orders are stored securely in a database and an email notifies him when there are orders waiting to be processed, and he just logs in securely to the website.
 
Of course, storing it in a database using single-key encryption such as 3DES is only marginally better than not encrypting at all, because the key needs to be on the server somewhere. It's a bit like locking your house and leaving the key under the mat at the front door. I guess it does at least help in the situation where someone manages to hack into the database but not the web server.

It sounds like Ross is doing the right thing with PGP. Presumably only the public key is on the server, and the client uses his private key on his own computer after downloading the data. I'm no security expert, but I think that is a reasonable way of doing it. There is nothing on the server that is able to decrypt it. There is still a bit of an issue in terms of being on a shared host and the brief period when the data exists in PHP variables (or whatever language you're using) and the possibility of it ending up in the machine's swap file or whatever.

Cheers
Another Ross
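The pattern the two Rosses describe, where the web server holds only the merchant's public key and the private key never leaves the merchant's own machine, as an added example that is not code from the original thread or from any poster. It uses the Go standard library in place of PGP (hybrid encryption: a fresh AES-256-GCM data key per record, wrapped with RSA-OAEP), so the only thing a compromised server or database yields is ciphertext. The function names, the envelope layout and the sample card string are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the record the web server writes to the database.
// Nothing in it can be opened with material that lives on the server.
type Envelope struct {
	WrappedKey []byte // AES data key, encrypted with the merchant's RSA public key
	Nonce      []byte // AES-GCM nonce (unique per record)
	Ciphertext []byte // AES-GCM output; the auth tag is appended, so tampering is detected
}

// SealForMerchant runs on the web server and needs only the public key.
func SealForMerchant(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 data key, fresh for every record
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the data key so that only the holder of the private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// Best effort: the data key is no longer needed on the server, so zero it.
	for i := range key {
		key[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenAsMerchant runs on the merchant's own computer, where the private key is.
func OpenAsMerchant(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open fails with an error if the nonce, ciphertext or tag were altered in the database.
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// The merchant generates this keypair offline and gives the server only &priv.PublicKey.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample order (4111... is a well-known test card number).
	order := []byte("card=4111111111111111;exp=12/09;name=Test Customer")
	env, err := SealForMerchant(&priv.PublicKey, order)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d bytes ciphertext, %d bytes wrapped key\n", len(env.Ciphertext), len(env.WrappedKey))
	got, err := OpenAsMerchant(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant recovered: %s\n", got)
}
```

Ross's caveat still applies: the plaintext exists in the server process between form submission and SealForMerchant, so a shared host or a swapped-out page can still expose it; what this removes is any long-term decryptable copy on the server or in the database.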
 
KCWebMonkey said:
His orders are stored securely in a database and an email notifies him when there are orders waiting to be processed, and he just logs in securely to the website.
But how is the information stored on the server? It's probably best if you regard that as a rhetorical question and don't tell us, but consider my post above.

Remember, SSL really only helps in terms of someone listening in on your network traffic. It does nothing in terms of secure storage.

Ross
 
With a real CC gateway, the credit card numbers aren't stored on your site unless your cart stores them. Some, like Zen Cart, can store half the number and email the other half (an optional config for this). I think X-Cart will do the same thing.

Tim
 