Check out futurepay from worldpay. The basic flow is: Customer buys something. Goes to the PSP like any other shop, however you tell the PSP this is *futurepay* agreement and the card details are stored. Next time the customer buys something, you just use a callback to Worldpay with the customer's FuturePay agreement ID, and they're billed. All this is explained on WP's pages, or you can talk to a representative who will be more than happy to convince you that FP is what you need ;-)
I'm vaguely aware that a similar service is provided by SecPay and PayPal, but I've never personally integrated it.

-Rob

PS. You'd give a private key to a *client*?! What are you thinking!!! You just know he's going to intricately print it onto a post-it note and stick it on his monitor :-P

citizenkahn wrote:
> Actually, I'm a little confused. Clearly the storage of this kind of personal information is a bad thing. The workflow should either eliminate it at best or minimize it/protect it at worst. In this situation, the order placement and order processing will be shifted in time because order fulfillment will be a manual task. In this workflow the card number must be kept somewhere between the time of receipt and processing. I assume that PSPs allow for this kind of time shifting of processing and store the number in a protected fashion.
>
> If they do not, I cannot find an all-in-one processor for real store and online store together, or I cannot convince my store-owner that such a thing is the right solution, can someone explain why the following is so dangerous:
>
> With public/private key encryption the public key is necessary for the encryption, and decryption requires the private key. If I force the store owner to authenticate once on to the store's admin interface connecting via SSL, I should be able to be assured that all the data passed on the connection is protected. Therefore, if I then require that the owner provide the private key in order to process each transaction and the private key is never stored on the server, then isn't all server-based data encrypted with the public key safe? Furthermore, once the order has been processed I could void out all but the last 4 digits.
>
> In this way wouldn't I be limiting the lifecycle for this data and protecting it while it does exist? Wouldn't this be similar to the method of the PSPs?
>
> That being said, the choice of who protects the data, a PSP with a security staff or me, would favor the PSP, so this is somewhat academic.
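The workflow the quoted message sketches (seal the card number under the store's public key when the order arrives, have the owner supply the private key only at processing time, then keep just the last four digits) written out in Go as an added illustration; this is not code from the thread or from TurboGears, and the struct name, order ID and the well-known test card number are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// StoredOrder is all the web server keeps between order receipt and manual
// fulfilment: the OAEP ciphertext of the card number. No private key is stored.
type StoredOrder struct {
	OrderID    string
	Ciphertext []byte
}

// encryptPAN seals the card number under the store's public key at receipt time
// (RSA-OAEP, SHA-256). The order ID is bound in as the OAEP label.
func encryptPAN(pub *rsa.PublicKey, orderID, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte(orderID))
}

// processOrder is the fulfilment step: the owner supplies the private key for
// this request only; the PAN exists in memory here and is then redacted.
func processOrder(priv *rsa.PrivateKey, o *StoredOrder) (string, error) {
	pan, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, o.Ciphertext, []byte(o.OrderID))
	if err != nil {
		return "", fmt.Errorf("order %s: %w", o.OrderID, err)
	}
	o.Ciphertext = nil // drop the recoverable form once the order is processed
	return redactPAN(string(pan)), nil
}

// redactPAN keeps only the last four digits, as the message proposes.
func redactPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample: a standard test card number, not a real card.
	o := &StoredOrder{OrderID: "order-1001"}
	o.Ciphertext, _ = encryptPAN(&priv.PublicKey, o.OrderID, "4111111111111111")
	redacted, err := processOrder(priv, o)
	fmt.Println(redacted, err) // ************1111 <nil>
}
```

Note that the plaintext card number and the private key are both present in the server process during processOrder, so anyone who can read that process, or who holds both the stored ciphertexts and a later copy of the key, recovers the numbers; that exposure is what the thread's preference for the PSP avoids.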

