Accepting credit cards via a form & SSL

04-27-2007, 03:43 PM

I'm trying to set up a client's website so they can accept payment for their service over the Internet. The problem is that I've never actually set up a site for e-commerce before, but I'm familiar enough with web development to know basically what's needed (SSL, merchant account, shopping cart). What I need is someone to confirm that the following thoughts on this are correct, or tell me I have no idea what I'm talking about. :)

Here's the situation: my client already has a merchant account and the ability to process credit cards when the card is not actually present (for example, via telephone). I've installed Westhost's shared SSL certificate. Also, since my clients are only providing a single service, they don't need a shopping cart interface.

Really, in my limited view, all that's needed is a form that collects the customer's personal and credit card information and sends it to the client securely. My thought was that I could just run the form through the shared SSL, and then when the form results arrive in my client's email inbox they could process the credit card through their office terminal as if it were a telephone sale.

However, would this offer the same level of security as it would if we used the Internet processing service our merchant account provider offers? And what about when the email is being transferred from the server to my client's inbox? Are there other security measures we would need to take to encrypt this transfer as well?

Many thanks to anyone who can give me some insight on this, or straighten out any backward thinking. :)

04-27-2007, 04:50 PM
I don't have much experience with this, but I am pretty sure that the email would not be secure. In other words, anyone could intercept the CC information between the server and their computer while en route.

04-27-2007, 05:22 PM
Bad idea! Even assuming the email is only being delivered to the localhost, the email will still be stored and possibly transferred in plain text. This is not only a violation of the PCI DSS guidelines (https://www.pcisecuritystandards.org/), but it also displays a clear disregard for your customer's privacy and financial security. ANY other solution than the one you've described would be better -- whether it's using PayPal or a full shopping cart system for the one service you offer.

A better idea would be to collect the contact information from the customer, and then contact them via telephone to request their payment information when you're ready to process the order. Else, contact the current merchant account provider, and ask if their accounts are compatible with any online/ip payment gateways and, if they are, find out which one(s). Some gateways, like Authorize.net, have simple integration methods that allow you to process/handle/record the payments on their website.

04-28-2007, 12:46 AM
Thanks for the replies. Now I have some ammunition to go to my client with and convince them that there is no other way to accept credit cards via their website, other than to pay their current merchant account provider to process the transactions online. They've been hounding me to find a different/cheaper way (besides PayPal) and I told them I'd work on it. Now I can tell them sorry, there just aren't any other options.

Wow, I feel my headache fading already...

Thanks again!

visible soul
05-04-2007, 09:55 AM
Mal's shopping cart (http://www.mals-e.com/) is a popular hosted cart that will store the credit card numbers for you in encrypted form. There's a free plan available. It works in a similar way to the PayPal shopping cart where you simply add "Buy Now" buttons to your web pages.

Payment processing options

I don't process credit cards. The standard free account saves credit card data (encrypted) for you to pick up from Admin and process how you like. The free account also supports card payments by:

* Paypal standard (not Pro)
* Nochex - United Kingdom
* Paymate - Australia and New Zealand
* Moneybookers - Europe

from: http://www.mals-e.com/intro.php


12-03-2007, 12:27 AM
It should be possible to create a secure form on the website that would collect customer information, including payment information, and then write that info to a secure file (flatfile or database) which could then be accessed securely by your client via the web in order to retrieve that information. It would not require a shopping cart. That's how it has been done on a lot of websites for many years.

Also, Linkpoint and other Gateway services often provide a secure form that can be linked to from any website and used to process credit card transactions through their service. It is completely secure and it is fully customizable so it can be made to match the rest of the website.