Re: [PHP] https and Credit Cards
You are right - Decline the job, you don't want any credit-card stealing on your head

On Wed, Apr 15, 2009 at 1:10 PM, Richard Heyes wrote:
> Hi,
>
> > To add to what others have said: CC processors with which I have worked will
> > audit your site *before* certifying your site to accept CC information. In
> > other words, if you don't do SSL, you won't be *allowed* to process cards.
>
> FWIW, companies exist that will host your "buy" page(s), so you don't
> end up with the hassle of buying and installing your own SSL
> certificate.
>
> --
> Richard Heyes
>
> HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
> http://www.rgraph.net (Updated April 11th)
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] https and Credit Cards
Hi,

> To add to what others have said: CC processors with which I have worked will
> audit your site *before* certifying your site to accept CC information. In
> other words, if you don't do SSL, you won't be *allowed* to process cards.

FWIW, companies exist that will host your "buy" page(s), so you don't
end up with the hassle of buying and installing your own SSL
certificate.

--
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.net (Updated April 11th)
Re: [PHP] https and Credit Cards
On Apr 13, 2009, at 10:19 PM, Skip Evans wrote:

> But doesn't also the form need to be secure since you're sending CC
> information from that form back to the web site's server?
>
> That's what I've always assumed.
>
> I need some opinions on this, and if I'm right I think the client will
> defer to a few more votes.

To add to what others have said: CC processors with which I have worked will
audit your site *before* certifying your site to accept CC information. In
other words, if you don't do SSL, you won't be *allowed* to process cards.

Ken
Re: [PHP] https and Credit Cards
Sounds like your client wants to end up listed in a Terminated Merchant File.

On Mon, Apr 13, 2009 at 11:19 PM, Skip Evans wrote:
> Hey all,
>
> I've always put any forms that collect credit card information behind a
> secure connection, https, figuring that sending that information from the
> client browser to the server should be secure, but I'm having convincing a
> client that it is necessary.
>
> He instead insists that only the call to the credit card processor's server
> needs to be secure and of course the processor supplies the connection
> there.
>
> But doesn't also the form need to be secure since you're sending CC
> information from that form back to the web site's server?
>
> That's what I've always assumed.
>
> I need some opinions on this, and if I'm right I think the client will defer
> to a few more votes.
>
> --
>
> Skip Evans
> Big Sky Penguin, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> 608.250.2720
> http://bigskypenguin.com
>
> Those of you who believe in
> telekinesis, raise my hand.
> -- Kurt Vonnegut

--
Leonard Burton, N9URK
http://www.jiffyslides.com
serv...@jiffyslides.com
leonardbur...@gmail.com

"The prolonged evacuation would have dramatically affected the survivability of the occupants."
Re: [PHP] https and Credit Cards
On Mon, Apr 13, 2009 at 11:19 PM, Skip Evans wrote:
> Hey all,
>
> I've always put any forms that collect credit card information behind a
> secure connection, https, figuring that sending that information from the
> client browser to the server should be secure, but I'm having convincing a
> client that it is necessary.
>
> He instead insists that only the call to the credit card processor's server
> needs to be secure and of course the processor supplies the connection
> there.
>
> But doesn't also the form need to be secure since you're sending CC
> information from that form back to the web site's server?
>
> That's what I've always assumed.
>
> I need some opinions on this, and if I'm right I think the client will defer
> to a few more votes.
>
> --

It is absolutely essential. The form itself should be encrypted using SSL,
and it should likewise only accept data that has been encrypted. If not,
smart consumers will simply purchase elsewhere because they know their
information is not being protected.

In addition to lost sales, your client (and possibly you) could also get hit
on the other end with penalties, increased processing fees, or loss of
privileges from his payment processor if they find out that the site is not
securing cardholder information.

You (and your client) should read up on PCI compliance.
http://www.pcicomplianceguide.org/

Andrew
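The two requirements Andrew spells out (serve the card form over SSL, and refuse any submission that did not arrive over SSL) can be enforced at the top of the PHP page itself. The following is an added example written for this thread, not code posted by any participant. It assumes a standard Apache or nginx setup that populates $_SERVER['HTTPS'] for TLS requests; the function name request_is_https, the CANONICAL_HOST constant and the proxy address 10.0.0.5 are all illustrative choices, and the X-Forwarded-Proto handling only matters if a TLS-terminating proxy sits in front of PHP.

```php
<?php
// Added example (not from the thread): refuse to show or accept the card
// form unless the request itself came in over HTTPS.
declare(strict_types=1);

// Hypothetical canonical hostname; hard-coding it avoids building a redirect
// target out of the client-supplied Host header.
const CANONICAL_HOST = 'www.example.com';

/**
 * True when the current request arrived over TLS.
 *
 * X-Forwarded-Proto is honoured only when the request comes from an address
 * listed in $trustedProxies; otherwise any client could claim to be HTTPS.
 */
function request_is_https(array $server, array $trustedProxies = []): bool
{
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if ($remote !== '' && in_array($remote, $trustedProxies, true)) {
        $proto = (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        return strtolower($proto) === 'https';
    }
    return false;
}

// Constructed proxy address for illustration; leave the list empty if PHP
// terminates TLS itself.
$isHttps = request_is_https($_SERVER, ['10.0.0.5']);

if (!$isHttps) {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // Card data that arrived in the clear has already been exposed in
        // transit: do not process it, do not log it, and do not redirect
        // the POST (which would resend the same data).
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo "This form must be submitted over HTTPS.\n";
        exit;
    }
    // Plain GET of the form page: send the browser to the HTTPS version.
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// We are on HTTPS. Tell browsers to stay on it for future visits (HSTS),
// and keep a page that will hold card data out of caches.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header('Cache-Control: no-store');
header('Pragma: no-cache');

// ... render the card form here. Its action attribute must also be an
// absolute https:// URL on CANONICAL_HOST, otherwise the browser would
// submit the card number back over plain HTTP.
```

The POST branch is deliberately a hard failure rather than a redirect: a 301/302 to the HTTPS URL would make the browser resend the form, but the card number has already crossed the wire unencrypted once, so the only useful action is to stop and report the misconfiguration. Checking $_SERVER['HTTPS'] directly and trusting X-Forwarded-Proto only from a known proxy address is what keeps a client from satisfying the check simply by adding a header.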
Re: [PHP] https and Credit Cards
Hi,

> I've always put any forms that collect credit card information behind a
> secure connection, https, figuring that sending that information from the
> client browser to the server should be secure, but I'm having convincing a
> client that it is necessary.
>
> He instead insists that only the call to the credit card processor's server
> needs to be secure and of course the processor supplies the connection
> there.
>
> But doesn't also the form need to be secure since you're sending CC
> information from that form back to the web site's server?

Yes. Any connection to you where your punter supplies CC details should be
secure. If the punter's ISP runs a transparent proxy for example, then these
details could be easily captured if not sent over a secure connection.

--
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.net (Updated April 11th)
Re: [PHP] https and Credit Cards
On Mon, Apr 13, 2009 at 10:19:34PM -0500, Skip Evans wrote:

> Hey all,
>
> I've always put any forms that collect credit card information
> behind a secure connection, https, figuring that sending that
> information from the client browser to the server should be
> secure, but I'm having convincing a client that it is necessary.
>
> He instead insists that only the call to the credit card
> processor's server needs to be secure and of course the
> processor supplies the connection there.
>
> But doesn't also the form need to be secure since you're
> sending CC information from that form back to the web site's
> server?
>
> That's what I've always assumed.
>
> I need some opinions on this, and if I'm right I think the
> client will defer to a few more votes.

You're absolutely right, no question, and for exactly the reasons you give.
The path back to the server from the client is unencrypted if you don't use
https, and the credit card information is in the clear when transmitted. In
fact, if I were a hacker and found out that you were doing this, I'd make it
my business to hijack that connection so I could transparently capture
credit card information. I mean, for a hacker, that's just too sweet a
setup.

Incidentally, if he insists, I'd decline the job. Even if he signed waiver
after waiver to absolve you of responsibility (which I'd make him sign), he
could still go after you later when the consequences hit. Let some less
ethical coder do it the way he wants.

Paul

--
Paul M. Foster