I just had a proposal from the finance department that they want to maybe take credit card payments over our website. I have a little understanding of it. Something to do with SSL? And I understand that there is a great risk to doing this.
Can anyone point me in the right direction so I can do a little research on this, or someone explain the process to me and the dangers of this?
Rich
Check out Optimal Payments; everything is on their site... and yes, you want SSL, very easy to implement... The one thing is that if you store the credit card number, the complexity of the solution and the security constraints are greater (about 5 fold).
Yes, you will need to get an SSL certificate. I use ones from GeoTrust because they are significantly cheaper and easier to work with than Verisign and their companies. Creating a certificate request is fairly easy. With GeoTrust it takes me about 10 minutes to create my request and get the key back from them. With Verisign it takes a few weeks and you may get yelled at by a mean person like I did once!
As far as accepting credit cards, I sell Authorize.net accounts, which is a pretty standard merchant provider. If you already have a merchant account you will need to get a gateway, which you will want to think of as the swiping machine in the store. The gateway will talk to your account for you from your web site. From my experience, if you have a merchant account with your bank, then do not even ask them about this. One client had Nations Bank want to create a custom API for them... 6 months later they had not even got around to it, so we signed them up for the Authorizenet gateway and were live within 48 hours making $$$$.
As far as storing credit card #, do not do it if you can live without them. If you do store them, store them encrypted in your database and maybe even make it pass through two or more layers of encryption. How you encrypt is up to you. .NET supports some great encryption algorithms.
Finally, it is an arrogant mistake to not accept PayPal. Set this up too, even if they think they will not need it; you would be surprised at what happens.
You will want to use a payment gateway such as PayPal to process the credit card orders.
SSL will definitely be a requirement, as previously stated, and also, if you must store the credit card information, you will want to be sure to encrypt it (Microsoft's Enterprise Library offers a wonderful encryption block, and I believe SQL Server 2005 also has built-in encryption by passing a key back and forth between your app and the SQL Server). Either way, when it comes to taking credit cards on the web, you can never be too secure IMO, and if you can create a solution that doesn't involve you storing a customer's credit card information, it will be in your best interest.
Good luck!
Dave G.
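Both replies above recommend encrypting a card number if it has to be stored. The following is an added example, not code from any poster in this thread, using AES-GCM from .NET's `System.Security.Cryptography` (a choice made here; the thread names no algorithm). It assumes .NET 8 and a key kept outside the database; `CardVault`, `Protect`, `Unprotect` and the customer ids are hypothetical names.

```csharp
// Added example, not from the thread. Assumes .NET 8; names are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;

public static class CardVault
{
    private const int NonceSize = 12; // 96-bit nonce, fresh for every record
    private const int TagSize = 16;   // 128-bit authentication tag

    // Returns nonce || tag || ciphertext, ready for a binary column.
    // customerId is bound as associated data, so a record copied onto
    // another customer's row fails to decrypt.
    public static byte[] Protect(string cardNumber, byte[] key, string customerId)
    {
        byte[] plain = Encoding.ASCII.GetBytes(cardNumber);
        byte[] record = new byte[NonceSize + TagSize + plain.Length];
        Span<byte> nonce = record.AsSpan(0, NonceSize);
        Span<byte> tag = record.AsSpan(NonceSize, TagSize);
        Span<byte> cipher = record.AsSpan(NonceSize + TagSize);
        RandomNumberGenerator.Fill(nonce);
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, cipher, tag, Encoding.UTF8.GetBytes(customerId));
        CryptographicOperations.ZeroMemory(plain); // wipe the cleartext copy
        return record;
    }

    // Throws CryptographicException if the record was altered, the key is
    // wrong, or the record belongs to a different customerId.
    public static string Unprotect(byte[] record, byte[] key, string customerId)
    {
        if (record.Length < NonceSize + TagSize)
            throw new CryptographicException("Record too short.");
        byte[] plain = new byte[record.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(record.AsSpan(0, NonceSize), record.AsSpan(NonceSize + TagSize),
                    record.AsSpan(NonceSize, TagSize), plain,
                    Encoding.UTF8.GetBytes(customerId));
        return Encoding.ASCII.GetString(plain);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // demo key only
        const string testCard = "4111111111111111";      // constructed test number
        byte[] stored = Protect(testCard, key, "cust-1001");
        Console.WriteLine(Unprotect(stored, key, "cust-1001") == testCard);
        try { Unprotect(stored, key, "cust-2002"); }
        catch (CryptographicException) { Console.WriteLine("wrong customer rejected"); }
    }
}
```

The key must live somewhere other than the database that holds the records, otherwise a copy of the database carries everything needed to decrypt it.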
That is some great info...
This is how I imagine it will work.
The person logs onto the website through a login form. Set a session variable for them... (time out in 30 mins). They click on a link (outstanding bills) and it shows a bill they need to pay.
Click on a button that says "Pay Now", so it takes them to a page with the amount they owe. They need to fill out a credit card payment form:
Name of Card, Card Number, Type of card, Security Code (4 digits on back of card), expiry date. Then they hit submit.
So what happens next and how does the SSL come into play?
Rich
Your payment processor (PayPal, PayFlowPro (Verisign)) should provide you with a DLL that you will reference in your code for the submission portion of your application. The required information is passed to the payment processor via a Secure Socket Link: card number, expire date, name and amount. The SSL provides the encryption and security on your site to talk for transmitting credit card transactions online.
Hope that helps...
That is great info!... Does it matter if it is a regular login form?? That verifies username and password against a database or do I have to use some secure login??
You do not necessarily need a login form, unless you wish to store the user's info such as an approval number, pay date, etc. (like those above have suggested, I would not store the credit card number). The secured page or pages for the credit card transaction should reside on a secure website (protected by your SSL). The information entered by your users for the transactions should be protected, as well as the actual process to make the transaction through your payment processor.
Hope that helps...