Re: [PHP] Question about handling credit cards
Could you provide more information, a code example or a how-to to do this? Thanks

On Mon, 04 Oct 2004 15:03:31 -0700, Matthew Fonda [EMAIL PROTECTED] wrote:
> The best way to store credit card numbers is to have them encrypted when they are stored in the database, and decrypted when they need to be used, that way it will be safer for the most part.
>
> On Mon, 2004-10-04 at 14:49, Ed Lazor wrote:
> > I'm looking at online stores and it seems like a lot of them maintain copies of credit card numbers. Is this true? That seems like a bad thing to me, especially in terms of liability and risk of hackers.
> >
> > On the flip side, it seems like there are legitimate reasons. For example, if you bill the customer when products ship, rather than when the order is received. Or, if the customer decides to have in-stock items ship now and back-ordered items ship when they arrive - which results in two shipping charges.
> >
> > How do you guys handle this?
> >
> > -Ed
>
> --
> Regards,
> Matthew Fonda

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question about handling credit cards
On Tue, 5 Oct 2004 12:29:53 -0400, Gary Hotko [EMAIL PROTECTED] wrote:
> Could you provide more information, a code example or a how-to to do this?

Have a look at the Mcrypt functions in PHP (you need to compile support for this extension to access these features):

http://www.php.net/manual/en/ref.mcrypt.php

Paul
Re: [PHP] Question about handling credit cards
On Mon, 4 Oct 2004 14:49:44 -0700, Ed Lazor [EMAIL PROTECTED] wrote:
> I'm looking at online stores and it seems like a lot of them maintain copies of credit card numbers. Is this true? That seems like a bad thing to me, especially in terms of liability and risk of hackers.
>
> On the flip side, it seems like there are legitimate reasons. For example, if you bill the customer when products ship, rather than when the order is received. Or, if the customer decides to have in-stock items ship now and back-ordered items ship when they arrive - which results in two shipping charges.
>
> How do you guys handle this?

Some other things to consider...

Never display the full credit card number on the front-end of your application. It's a common practice to display the last 4 digits of the card so the customer can see which card is going to be charged. I store those numbers in a separate field so I never have to send the entire card number to the front-end application.

You may want to erase the stored credit card numbers (attached to the user accounts, not to the orders) in the event that the customer uses your 'lost password' functionality. This will help minimize the threat from a hijacked account, and some customers appreciate the extra dose of security.

Along those lines, make sure you have the credit card numbers attached to the order, and not simply to the customer account. I once had the pleasure of maintaining a site that had CCs stored with the customer account. I ended up with a situation where 2 orders were placed by one customer with different credit cards in a short period of time. Since the first order hadn't shipped when the second was placed, the card number on the first order was overwritten with the number from the second order. Messy!

In conclusion, storing credit cards is an accepted feature by most customers these days. You'll want to have an opt-out for those that don't wish it to be remembered when they log back in, but I can't imagine an E-Commerce application that doesn't store the credit card with the order.
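An added example, not part of any post in this thread: the Mcrypt extension suggested above was deprecated in PHP 7.1 and removed from core in 7.2, so this uses the bundled sodium extension (PHP 7.2+) to encrypt a card number per order and keep the last four digits in a separate field, as the posts describe. The function names, field names and order IDs are assumptions, and the key is assumed to be kept outside the database.

```php
<?php
declare(strict_types=1);

// Encrypt a card number for one order row. Returns the two values to store:
// the ciphertext (nonce prepended) and the last four digits in their own field.
function seal_card(string $pan, int $orderId, string $key): array
{
    $pan = preg_replace('/[\s-]+/', '', $pan);           // strip spaces and dashes
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        throw new InvalidArgumentException('not a card number');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    // The order ID is bound in as associated data: a ciphertext copied onto
    // another order's row fails authentication when it is decrypted.
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $pan, "order:$orderId", $nonce, $key
    );
    return ['card_enc' => base64_encode($nonce . $ct), 'card_last4' => substr($pan, -4)];
}

// Decrypt only at the point of use (for example, charging when the order ships).
function open_card(string $cardEnc, int $orderId, string $key): string
{
    $raw = base64_decode($cardEnc, true);
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) <= $n) {
        throw new RuntimeException('malformed ciphertext');
    }
    $pan = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), "order:$orderId", substr($raw, 0, $n), $key
    );
    if ($pan === false) {
        throw new RuntimeException('decryption failed (wrong key, wrong order, or tampering)');
    }
    return $pan;
}

// Constructed sample data: a widely used test number, not a real card.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen(); // assumption: loaded from outside the DB
$row = seal_card('4111 1111 1111 1111', 1001, $key);
echo "shown to customer: **** **** **** {$row['card_last4']}\n";
echo "used at ship time: ", open_card($row['card_enc'], 1001, $key), "\n";
try {
    open_card($row['card_enc'], 1002, $key);              // same blob, different order
} catch (RuntimeException $e) {
    echo "order 1002: ", $e->getMessage(), "\n";
}
```

Because the front end only ever reads `card_last4`, the decryption key does not need to be available to the code that renders account or order pages.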
Re: [PHP] Question about handling credit cards
The best way to store credit card numbers is to have them encrypted when they are stored in the database, and decrypted when they need to be used, that way it will be safer for the most part.

On Mon, 2004-10-04 at 14:49, Ed Lazor wrote:
> I'm looking at online stores and it seems like a lot of them maintain copies of credit card numbers. Is this true? That seems like a bad thing to me, especially in terms of liability and risk of hackers.
>
> On the flip side, it seems like there are legitimate reasons. For example, if you bill the customer when products ship, rather than when the order is received. Or, if the customer decides to have in-stock items ship now and back-ordered items ship when they arrive - which results in two shipping charges.
>
> How do you guys handle this?
>
> -Ed

--
Regards,
Matthew Fonda