Re: [PHP] https and Credit Cards

2009-04-15 Thread Richard Heyes
Hi,

 To add to what others have said: CC processors with which I have worked will
 audit your site *before* certifying your site to accept CC information. In
 other words, if you don't do SSL, you won't be *allowed* to process cards.

FWIW, companies exist that will host your buy page(s), so  you don't
end up with the hassle of buying and installing your own SSL
certificate.

-- 
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.net (Updated April 11th)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] https and Credit Cards

2009-04-15 Thread דניאל דנון
You are right - Decline the job, you don't want any credit-card stealing on
your head

On Wed, Apr 15, 2009 at 1:10 PM, Richard Heyes rich...@php.net wrote:

 Hi,

  To add to what others have said: CC processors with which I have worked
 will
  audit your site *before* certifying your site to accept CC information.
 In
  other words, if you don't do SSL, you won't be *allowed* to process
 cards.

 FWIW, companies exist that will host your buy page(s), so  you don't
 end up with the hassle of buying and installing your own SSL
 certificate.

 --
 Richard Heyes

 HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
 http://www.rgraph.net (Updated April 11th)

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] https and Credit Cards

2009-04-14 Thread Richard Heyes
Hi,

 I've always put any forms that collect credit card information behind a
 secure connection, https, figuring that sending that information from the
 client browser to the server should be secure, but I'm having convincing a
 client that it is necessary.

 He instead insists that only the call to the credit card processor's server
 needs to be secure and of course the processor supplies the connection
 there.

 But doesn't also the form need to be secure since you're sending CC
 information from that form back to the web site's server?

Yes. Any connection to you where your punter supplies CC details
should be secure. If the punters ISP runs a transparent proxy for
example, then these details could be easily captured if not sent over
a secure connection.

-- 
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.net (Updated April 11th)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] https and Credit Cards

2009-04-14 Thread Andrew Ballard
On Mon, Apr 13, 2009 at 11:19 PM, Skip Evans s...@bigskypenguin.com wrote:
 Hey all,

 I've always put any forms that collect credit card information behind a
 secure connection, https, figuring that sending that information from the
 client browser to the server should be secure, but I'm having convincing a
 client that it is necessary.

 He instead insists that only the call to the credit card processor's server
 needs to be secure and of course the processor supplies the connection
 there.

 But doesn't also the form need to be secure since you're sending CC
 information from that form back to the web site's server?

 That's what I've always assumed.

 I need some opinions on this, and if I'm right I think the client will defer
 to a few more votes.

 --

It is absolutely essential. The form itself should be encrypted using
SSL, and it should likewise only accept data that has been encrypted.
If not, smart consumers will simply purchase elsewhere because they
know their information is not being protected. In addition to lost
sales, your client (and possibly you) could also get hit on the other
end with penalties, increased processing fees, or loss of privileges
from his payment processor if they find out that the site is not
securing cardholder information.

You (and your client) should read up on PCI compiance.
http://www.pcicomplianceguide.org/

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] https and Credit Cards

2009-04-14 Thread Leonard Burton
Sounds like your client wants to end up listed in a Terminated Merchant File.


On Mon, Apr 13, 2009 at 11:19 PM, Skip Evans s...@bigskypenguin.com wrote:
 Hey all,

 I've always put any forms that collect credit card information behind a
 secure connection, https, figuring that sending that information from the
 client browser to the server should be secure, but I'm having convincing a
 client that it is necessary.

 He instead insists that only the call to the credit card processor's server
 needs to be secure and of course the processor supplies the connection
 there.

 But doesn't also the form need to be secure since you're sending CC
 information from that form back to the web site's server?

 That's what I've always assumed.

 I need some opinions on this, and if I'm right I think the client will defer
 to a few more votes.

 --
 
 Skip Evans
 Big Sky Penguin, LLC
 503 S Baldwin St, #1
 Madison WI 53703
 608.250.2720
 http://bigskypenguin.com
 
 Those of you who believe in
 telekinesis, raise my hand.
  -- Kurt Vonnegut

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php





-- 
Leonard Burton, N9URK
http://www.jiffyslides.com
serv...@jiffyslides.com
leonardbur...@gmail.com

The prolonged evacuation would have dramatically affected the
survivability of the occupants.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] https and Credit Cards

2009-04-14 Thread phphelp -- kbk

On Apr 13, 2009, at 10:19 PM, Skip Evans wrote:

But doesn't also the form need to be secure since you're sending CC  
information from that form back to the web site's server?


That's what I've always assumed.

I need some opinions on this, and if I'm right I think the client  
will defer to a few more votes.


To add to what others have said: CC processors with which I have  
worked will audit your site *before* certifying your site to accept  
CC information. In other words, if you don't do SSL, you won't be  
*allowed* to process cards.


Ken



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] https and Credit Cards

2009-04-13 Thread Paul M Foster
On Mon, Apr 13, 2009 at 10:19:34PM -0500, Skip Evans wrote:

 Hey all,

 I've always put any forms that collect credit card information
 behind a secure connection, https, figuring that sending that
 information from the client browser to the server should be
 secure, but I'm having convincing a client that it is necessary.

 He instead insists that only the call to the credit card
 processor's server needs to be secure and of course the
 processor supplies the connection there.

 But doesn't also the form need to be secure since you're
 sending CC information from that form back to the web site's
 server?

 That's what I've always assumed.

 I need some opinions on this, and if I'm right I think the
 client will defer to a few more votes.

You're absolutely right, no question, and for exactly the reasons you
give. The path back to the server from the client is unencrypted if you
don't use https, and the credit card information is in the clear when
transmitted.

In fact, if I were a hacker and found out that you were doing this, I'd
make it my business to hijack that connection so I could transparently
capture credit card information. I mean, for a hacker, that's just too
sweet a setup.

Incidentally, if he insists, I'd decline the job. Even if he signed
waiver after waiver to absolve you of responsibility (which I'd make him
sign), he could still go after you later when the consequences hit. Let
some less ethical coder do it the way he wants.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php