Web Hosting Forum | Lunarpages

Author Topic: Providing Secure Transactions  (Read 2072 times)

Offline certif7

  • Newbie
  • *
  • Posts: 3
Providing Secure Transactions
« on: June 27, 2016, 10:25:34 AM »
I have a client whose business is providing educational seminars. Currently on my client's site, we have folks filling out a FormMail form to collect personal info and credit card data. This info and credit card data are emailed to my client to be processed, which is sometimes days (or weeks) later when enough folks have signed up for the seminar. The sign-up/payment page is hosted on a secure server, but we have concerns about the security of the generated email containing the credit card info. Any suggestions on how to provide a secure transaction that may be processed at a later date instead of at the moment of signing up?

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Providing Secure Transactions
« Reply #1 on: June 27, 2016, 12:03:31 PM »
Ooooooh. Don't do that! Credit card numbers via email are considered very insecure. If that data is ever stolen, and you and your client can't show that you were fully PCI-DSS compliant, you'll be hung out to dry. Handling credit card information is big business, and stealing credit card information is an even bigger business.

Assuming you become PCI-DSS compliant, what you have here is an ecommerce application where you don't charge the card until later (when enough have signed up to trigger the seminar's proceeding). Most ecommerce setups assume you will be charging right away. You may want to look into charging the card immediately, and then refunding if the seminar is canceled. You might also be able to accumulate authorizations on a secure server (PCI-DSS compliant), and then process them all at once (without emailing CC info).

Maybe you should be asking on an ecommerce forum, where secure payments are an important topic. There might be an ecommerce app + payment module that can do this sort of thing. I know there are some for repeating/recurring payments (e.g., monthly payment or quarterly donation) that might be adapted. In any case, my understanding is that emailing unencrypted CC numbers is always forbidden, even if split into multiple mailings. Possibly you can be allowed to do something with encrypted data, provided the key keeps changing? Is it even necessary to transfer the CC information (other than that the customer has authorized the charge) before the seminar gets the green light?
-= From the ashes shall rise a sooty tern =-

Offline certif7

  • Newbie
  • *
  • Posts: 3
Re: Providing Secure Transactions
« Reply #2 on: June 27, 2016, 04:41:07 PM »
Do you think a service like Shopify would be a solution?

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Providing Secure Transactions
« Reply #3 on: June 27, 2016, 06:22:56 PM »
Possibly. I'm not familiar with this ecommerce offering, but you could ask them what kind of payment modules they offer. It's likely that they don't offer anything different from what payment modules you could get with a free platform like osCommerce, Zen Cart, etc., but it wouldn't hurt to ask. Considering that you already have some form of catalog and ordering (shopping cart) set up, to pay for a service like Shopify might be overkill. It may also not fit your product model of limited-time offers. I think you really only need to worry about the payment model, unless you find your current system unsatisfactory. As I said before, some sort of "recurring payment" authorization (limited to one payment) might be the cleanest setup.
-= From the ashes shall rise a sooty tern =-

Offline certif7

  • Newbie
  • *
  • Posts: 3
Re: Providing Secure Transactions
« Reply #4 on: June 28, 2016, 09:52:09 AM »
After discussing this with my client, they really want to cling to their current system and are asking if there is any way to secure the emails containing the credit card info. Is there such a thing as secure email? Are there services that provide secure email delivery?

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Providing Secure Transactions
« Reply #5 on: June 28, 2016, 01:07:03 PM »
Well, there are email setups which are supposedly secure (encrypted), so that part could be possible. Google "secure email" and start reading. Before committing to anything, make sure that kind of credit card handling meets PCI-DSS security standards. Since customer CC numbers are passing through your site, it has to meet those standards. In that case, why not have the server accepting the CC input also be the one that stores the CC numbers, rather than trying to find a secure way to email them?

Keep in mind that your server that is storing the credit card numbers needs to meet PCI-DSS standards too: physical accessibility, online (remote) accessibility, cryptography used, regular audits, etc. It ain't cheap, but it's even more expensive to be fined because you cut corners on financial information security. Then, once you decide to charge those stored cards, that process has to meet its own set of PCI-DSS standards in handling CC information.

You may want to step back and reconsider the whole payment business end-to-end, with input from your bank (merchant account). It may even be best to charge the card right away, using conventional methods (i.e., don't hang on to the card for future charging), and then refund for canceled courses.
-= From the ashes shall rise a sooty tern =-
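Added example, not code from the thread or from any of its posters: the "authorize now, capture later" model MrPhil describes in Reply #1 and Reply #5, written so the merchant side stores only a gateway token and an authorization id and the signup notice that gets emailed carries no card number. `GatewayStub` is a constructed stand-in, not any real processor's API; a real integration would tokenize in the browser via the processor's hosted fields.

```python
import secrets
from dataclasses import dataclass, field

class GatewayStub:
    """Constructed stand-in for a PCI-DSS compliant gateway; it keeps the PAN so the merchant never does."""
    def __init__(self):
        self._vault, self._auths = {}, {}
    def tokenize(self, pan):
        # In production the browser calls this (hosted fields / JS SDK), so the raw
        # PAN never transits the merchant's server, its database, or its email.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token, pan[-4:]
    def authorize(self, token, amount_cents):
        auth_id = "auth_" + secrets.token_hex(8)
        self._auths[auth_id] = {"token": token, "amount": amount_cents, "state": "authorized"}
        return auth_id
    def capture(self, auth_id):
        self._auths[auth_id]["state"] = "captured"
        return "captured"
    def void(self, auth_id):
        self._auths[auth_id]["state"] = "voided"
        return "voided"

@dataclass
class Signup:
    name: str
    last4: str    # display-only; not cardholder data that must be protected under PCI-DSS
    auth_id: str  # reference to the hold, only usable through the gateway's own account

@dataclass
class SeminarSignups:
    """Merchant-side records hold tokens and auth ids only, never a PAN."""
    gateway: GatewayStub
    min_attendees: int
    price_cents: int
    signups: list = field(default_factory=list)

    def register(self, name, token, last4):
        # Place a hold now; money moves only once the seminar is confirmed.
        auth_id = self.gateway.authorize(token, self.price_cents)
        self.signups.append(Signup(name, last4, auth_id))
        # This line is what may safely be emailed to the client: no PAN, only last4.
        return f"Signup: {name}, card ending {last4}, {self.price_cents} cents held (not charged)."

    def settle(self):
        # Days or weeks later: capture every hold if enough people signed up, else release them all.
        act = self.gateway.capture if len(self.signups) >= self.min_attendees else self.gateway.void
        return [act(s.auth_id) for s in self.signups]
```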
