A Conversation for Website Developer's Forum
Credit Card Transactions
Pastey Started conversation Dec 18, 2002
Okay folks, here's one for us all to sound board off...
The company I'm at has decided to look into taking payment over the 'net by credit card.
We've already got a pdq (swipe) machine here, so one option is to encrypt the card numbers from a web form and then manually enter them in at this end. Although, as you can imagine, there's hardly any point in doing that.
So... all and any ideas on taking credit card payments over the 'net please?
DoctorMO (Keeper of the Computer, Guru, Community Artist) Posted Dec 18, 2002
Most Internet credit card transactions are handled through SSL and then passed on to the bank straight away. I believe the recommendation was to keep half the number as a reference but no more, for security reasons.
The company I work at has looked into it as well, but because of the costs involved we have decided to start with a basic log in, order system for registered shoppers that we can invoice.
-- DoctorMO --
Pastey Posted Dec 18, 2002
We store the card details on a secured server for our clients, and then when they order something the idea is to then pump their card details to the bank to claim the money.
Should be straightforward, but it's looking expensive.
Researcher 178815 Posted Dec 18, 2002
No, I hear SSL isn't cheap
As I see it, from a customer's point of view, (I've used Gameplay and Amazon dot co dot uk's) the user registers (saves storing stuff in cookies or Sessions as guest info - I think it's more safe to have the user register and just call the info from the DB, but then again I'm not completely sure of anything to do with it from the backend point of view ), and then orders something, putting in their Card number and so forth..
When the user returns, ie: to track their delivery, the only sensitive data called from the database is decrypted, but asterisked out or not shown at all, bar the last few numbers. For instance, Say my card number was 1234 5678 9876 5432, I would be told that my Card number is: **** **** *** 65432, at least, that's the way Amazon work it. Gameplay, to my recollection uses SSL but is less secure in showing sensitive information, they would say, on their account page.
You are: Mr. Smith.
You live at: 42 Don't panic lane
Betelgeuse V
Etc...
Your card details are: Galactibank LTD Visa, 1234 5678 9876 5432..
Even telephone and other contact details are up there, and finally, they say, at the foot of the page, "If this is not you, click here to log out" system...
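The two account-page styles compared in the post above, as an added example that is not part of the original thread: one render prints the stored card number in full, the other shows only the last four digits, and a small check flags any page text that still contains a full card number. The function names, the `RECORD` dictionary and the `PAN_RUN` pattern are hypothetical, and the record uses the made-up details from the post.

```python
import re

# Constructed sample record, built from the made-up details in the post above.
RECORD = {
    "name": "Mr. Smith",
    "address": "42 Don't panic lane, Betelgeuse V",
    "card_brand": "Galactibank LTD Visa",
    "card_number": "1234 5678 9876 5432",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(raw, visible=4):
    """Return the card number with everything but the last digits starred out."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - visible) + digits[-visible:]


def render_unmasked(rec):
    """Account page that echoes the stored card number in full."""
    return (f"You are: {rec['name']}\n"
            f"You live at: {rec['address']}\n"
            f"Your card details are: {rec['card_brand']}, {rec['card_number']}")


def render_masked(rec):
    """Account page that shows only the last four digits."""
    return (f"You are: {rec['name']}\n"
            f"You live at: {rec['address']}\n"
            f"Your card details are: {rec['card_brand']}, "
            f"{mask_pan(rec['card_number'])}")


def leaks_pan(page):
    """True if the rendered page text still contains a full card number."""
    return PAN_RUN.search(page) is not None


if __name__ == "__main__":
    for render in (render_unmasked, render_masked):
        page = render(RECORD)
        print(render.__name__, "leaks card number:", leaks_pan(page))
```

A check like `leaks_pan` can run over rendered templates in a test suite so that a page change which reintroduces the full number is caught before release.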
Pastey Posted Dec 18, 2002
Sounds like a great system
We're okay with the SSLs, we've got a few kicking around that we don't use.
Researcher 178815 Posted Dec 18, 2002
Cool
All I can say is good luck, and don't be foolish with sensitive data like the Gameplay programmer(s)
Researcher 178815 Posted Dec 18, 2002
What happened with the Gameplay system? They treated personal, sensitive information like home address, contact details, credit card information and details as if they were a nickname or some other insensitive information... It's like having your bbc/h2g2 password displayed in your h2g2 nickname!
Researcher 178815 Posted Dec 18, 2002
Not that very many researchers would login as you except to change your password and inform you, to prevent any passing by hackers gaining access
Ion the Naysayer Posted Dec 18, 2002
I resent that usage of the word "hacker". Have you read anything about hacker ethic? I would highly recommend 2600 as reading material. Hacking is about figuring out how stuff works. Rather than saying "passing hacker", I would say "passing miscreant". Real hackers don't do stuff like this. Actually I figure a real hacker would be more likely to change your password and inform you.
Oh, and regarding Credit Card transactions, there are a number of companies that allow you to host credit card payments on their system to avoid having to roll your own. Shopping carts and Credit Cards have been done over and over and over on the Internet. Avoid the pitfalls. Let someone else who has done it before build yours / teach you how.
Researcher 178815 Posted Dec 18, 2002
I know what a *real* hacker is, Ion, but I didn't want to cause confusion by saying, for instance 'cracker' or less pleasant terms
I agree - In two professional hosting packages from two different companies, shopping carts have been available as part of the package, and both really are not very good, if that's what you're getting at - the ready made cart programs aren't too great - Also, It'd be best anyway to have one custom built
dElaphant (and Zeppo his dog (and Gummo, Zeppos dog)) - Left my apostrophes at the BBC Posted Dec 18, 2002
I agree with Ion. It's best to stick with a tried-and-true system. You don't want to alienate your paying customers when some obscure bug in a system you design becomes apparent. Something like WebObjects probably has pre-built shopping carts/credit card approval and only runs about $500 (I think - that might be educational pricing), and I'm sure there are others based on PHP, perl, or whatever.
dElaphant (and Zeppo his dog (and Gummo, Zeppos dog)) - Left my apostrophes at the BBC Posted Dec 18, 2002
I have no idea if this is any good, or if it does what you need:
http://www.phpshop.org/
There are probably others. But doesn't Micro$oft's ".net" stuff come with everything you need for the task?
Researcher 178815 Posted Dec 18, 2002
.net?!
I picked up at least the basics of PHP in a matter of minutes (but then I was familiar with the way it works from the similarities it shares with JavaScript. Actually functioning being a dissimilarity)