On Mon, 4 Oct 2004 14:49:44 -0700, Ed Lazor <[EMAIL PROTECTED]> wrote:

> I'm looking at online stores and it seems like a lot of them maintain copies
> of credit card numbers. Is this true? That seems like a "bad thing" to me,
> especially in terms of liability and risk of hackers. On the flip side, it
> seems like there are legitimate reasons. For example, if you bill the
> customer when products ship, rather than when the order is received. Or, if
> the customer decides to have in-stock items ship now and back-ordered items
> ship when they arrive - which results in two shipping charges.
>
> How do you guys handle this?
Some other things to consider...

Never display the full credit card number on the front-end of your application. It's a common practice to display the last 4 digits of the card so the customer can see which card is going to be charged. I store those numbers in a separate field so I never have to send the entire card number to the front-end application.

You may want to erase the stored credit card numbers (attached to the user accounts, not to the orders) in the event that the customer uses your 'lost password' functionality. This will help minimize the threat from a hijacked account, and some customers appreciate the extra dose of security.

Along those lines, make sure you have the credit card numbers attached to the order, and not simply to the customer account. I once had the pleasure of maintaining a site that had CCs stored with the customer account. I ended up with a situation where 2 orders were placed by one customer with different credit cards in a short period of time. Since the first order hadn't shipped when the second was placed, the card number on the first order was overwritten with the number from the second order. Messy!

In conclusion, storing credit cards is an accepted feature by most customers these days. You'll want to have an opt-out for those that don't wish it to be remembered when they log back in, but I can't imagine an E-Commerce application that doesn't store the credit card with the order.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
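The three practices in the reply above (a separate last-four field that is the only thing the front-end reads, the card copy attached to each order rather than overwritten on the account, and clearing the account's remembered card on a lost-password reset) as an added example that is not code from the thread. The schema, table and function names are hypothetical, the card numbers are well-known test numbers rather than real cards, and the store is an in-memory SQLite database so it runs offline. Holding full card numbers in a database is exactly what PCI DSS scope is about, so in practice this table would live on a segmented, access-controlled back-end system.

```python
"""Per-order card storage, last-four display field, and reset-on-lost-password.

Added example; schema and function names are hypothetical and not from the
original mailing-list thread.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id          INTEGER PRIMARY KEY,
    email       TEXT NOT NULL,
    card_number TEXT,           -- remembered card: only present if the customer opted in
    card_last4  TEXT            -- separate field: the only card column the front-end reads
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    card_number TEXT NOT NULL,  -- the copy attached to THIS order; never overwritten
    card_last4  TEXT NOT NULL,
    status      TEXT NOT NULL DEFAULT 'pending'
);
"""


def last4(card_number: str) -> str:
    """Digits-only last four; refuses anything too short to be a card number."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[-4:]


def new_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def add_customer(conn: sqlite3.Connection, email: str) -> int:
    return conn.execute("INSERT INTO customers (email) VALUES (?)", (email,)).lastrowid


def place_order(conn, customer_id: int, card_number: str, remember: bool = False) -> int:
    """Attach the card to the order row; only update the account copy on opt-in."""
    l4 = last4(card_number)
    cur = conn.execute(
        "INSERT INTO orders (customer_id, card_number, card_last4) VALUES (?, ?, ?)",
        (customer_id, card_number, l4),
    )
    if remember:
        conn.execute(
            "UPDATE customers SET card_number = ?, card_last4 = ? WHERE id = ?",
            (card_number, l4, customer_id),
        )
    conn.commit()
    return cur.lastrowid


def order_for_front_end(conn, order_id: int) -> dict:
    """What the customer-facing page receives: the full number is never selected."""
    row = conn.execute(
        "SELECT id, status, card_last4 FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    return {"id": row["id"], "status": row["status"], "card": "**** " + row["card_last4"]}


def card_for_billing(conn, order_id: int) -> str:
    """Back-end only: the number stored with that specific order at placement time."""
    row = conn.execute("SELECT card_number FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row["card_number"]


def on_lost_password(conn, customer_id: int) -> None:
    """Forget the account-level remembered card; per-order records stay intact."""
    conn.execute(
        "UPDATE customers SET card_number = NULL, card_last4 = NULL WHERE id = ?",
        (customer_id,),
    )
    conn.commit()


def demo() -> dict:
    """Two orders with different cards in quick succession, then a password reset."""
    conn = new_store()
    cid = add_customer(conn, "customer@example.com")
    # Constructed sample input: publicly known Visa/Mastercard test numbers.
    first = place_order(conn, cid, "4111 1111 1111 1111", remember=True)
    second = place_order(conn, cid, "5555 5555 5555 4444", remember=True)
    on_lost_password(conn, cid)
    remembered = conn.execute(
        "SELECT card_number FROM customers WHERE id = ?", (cid,)
    ).fetchone()["card_number"]
    return {
        "first_bills": last4(card_for_billing(conn, first)),    # still the first card
        "second_bills": last4(card_for_billing(conn, second)),
        "front_end": order_for_front_end(conn, first)["card"],   # masked view only
        "remembered_after_reset": remembered,                    # None
    }


if __name__ == "__main__":
    print(demo())
```

The point of `order_for_front_end` is that the SELECT list simply does not include `card_number`, so no code path on the customer-facing side can leak it by accident; and because `place_order` inserts a fresh row instead of updating the account, the first order keeps billing against the card it was placed with even after a second order arrives.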