Hi, > I've always put any forms that collect credit card information behind a > secure connection, https, figuring that sending that information from the > client browser to the server should be secure, but I'm having convincing a > client that it is necessary. > > He instead insists that only the call to the credit card processor's server > needs to be secure and of course the processor supplies the connection > there. > > But doesn't also the form need to be secure since you're sending CC > information from that form back to the web site's server?
Yes. Any connection to you where your punter supplies CC details should be secure. If the punters ISP runs a transparent proxy for example, then these details could be easily captured if not sent over a secure connection. -- Richard Heyes HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari: http://www.rgraph.net (Updated April 11th) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php