Thanks Matt, Preferably I would like to encrypt the CC numbers but I really don't know how to go about this. Any suggestions? And can I de-crypt the number if needed?
With the Card API that I'm using, it will also give immediate feedback on the pre-authorizing same as a normal transaction. So live feedback I not really an issue. I am just not sure which is better. We sale candles and I'm not sure if it would be right to charge the customer's card if say we are out of stock on something. Usually we process their cards when we ship the merchandise. With that being said, I guess it may not matter as I'm thinking about it, I usually get charged immediately for a magazine subscription even though it can take a month or two to get the actual magazine. Neal Bailey Internet Marketing Manager E-mail: [EMAIL PROTECTED] -----Original Message----- From: Matthew Woodward [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 11:34 AM To: [EMAIL PROTECTED] Subject: RE: Credit Cards - Best Practices In general when I deal with credit cards I absolutely recommend that unless someone is on a dedicated server in an extremely secure environment (their own firewall, the whole works), they should never store credit card information, even on a temporary basis. You're opening yourself up to too much liability otherwise IMO. Even if you are in a secure environment, you still likely want to somehow obfuscate or encrypt the CC numbers in the database the second they get inserted. If someone hacks in the CC numbers shouldn't just be sitting there for the hacker to see. In general for retail stuff I do the CC processing right when the buyer hits the "buy" button, just because then they get immediate feedback if their CC gets declined or if there's some other problem with the order. I can definitely see how if you were doing high-volume stuff the batch processing might be the way to go though. Just depends on the situation. I typically use Verisign Payflow Pro and haven't ever run into any issues with doing one-off transactions, but I haven't done any huge volume e-commerce sites either. HTH, Matt ------------------------- Matthew P. Woodward [EMAIL PROTECTED] ----Original Message Follows---- From: "Bailey, Neal" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Credit Cards - Best Practices Date: Mon, 8 Mar 2004 11:11:47 -0600 Hello CFers... I was wondering what are the best practices for credit card processing over the web. Should you pre-authorize a customer's card during check out and then run a batch transaction at the end of the day? Or should you run the card as a final sale and gather the funds immediately. Just as I have heard people doing it both ways and I am in the process of converting my cart over to an automatic Card processor API. What are the pros and cons of both... Also I have noticed that many shopping carts store their Credit card info in the database. I have a little utility (MS Access) that transfers the customer's info to my system at home and then deletes all credit card info. This usually runs twice a day. Is there a better way to keep the card info secure? Thanks Neal Bailey Internet Marketing Manager E-mail: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED] _________________________________________________________________ Create a Job Alert on MSN Careers and enter for a chance to win $1000! http://msn.careerbuilder.com/promo/kaday.htm?siteid=CBMSN_1K&sc_extcmp=JS_JA Sweep_MSNHotm2 ----------------------------------------------- To post, send email to [EMAIL PROTECTED] To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED] To subscribe / unsubscribe: http://www.dfwcfug.org ----------------------------------------------- To post, send email to [EMAIL PROTECTED] To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED] To subscribe / unsubscribe: http://www.dfwcfug.org
