Secure Credit Card Transactions using Coldfusion

Posted on 2005-04-04
Medium Priority
Last Modified: 2013-12-24
I have a form, submitted through email, that requests credit card numbers which I want sent via email to the company. What, from your experience, is the simplest way to do this and still ensure a reasonably high sense of security for the customer? I posted this under ColdFusion because that's what I'm using, so if I have to use https, is it possible for someone to show me how? Details are appreciated.
Question by:Eduski
LVL 12

Accepted Solution

mmc98dl1 earned 300 total points
ID: 13704299
There are a lot of things to think about when it comes to credit card numbers and security. My preferred solution is to integrate with a company like www.worldpay.com or www.secpay.com and let them do all the processing and handling of that sensitive data. It takes away the headache.

If you are using email, there is virtually zero in the way of security. If you have no choice, then make sure the email is sent only between servers on your company network; don't send that info across the internet or any public servers, as it isn't encrypted or anything.

For the form and processing pages that collect the info you should use https. I recommend getting your certificate from www.thawte.com; it is cheaper than Verisign, but does the same job.

If you are hosting this site with a hosting company, they should be able to help you set up the https. To get good instructions on how to install a certificate, let us know about your system, webserver etc.

Again, I must press on you that email is NOT the way to transfer credit card details.
LVL 17

Expert Comment

ID: 13705497
For email you can only use PGP to make it secure.
And yes, email certainly is not the way to go...
LVL 35

Assisted Solution

mrichmon earned 200 total points
ID: 13708715
>> sent via email to the company

There is no way that it will be secure nor that the customer will feel even remotely secure if you send via email.

In fact, you or the company can get sued if you send the information via email and it gets used for fraudulent purposes, since you did not take any measures to ensure the security of the data.

I believe the law says something like "good faith effort", which means that you took reasonable measures to secure the data. Email does not meet this standard.

Https is a good way to go.  Also the data should be encrypted in the database that you store it in.

If your company is accepting Visa or Mastercard then realize a few things:

1) They publish a security guide which you must follow.
2) If you do not, they can suspend your company from accepting Visa and Mastercard branded credit cards. This is not limited to online sales. If you are suspended it means all sales, so if your company also has a physical store and you get caught in violation of the policies, you could have your whole company, online and physical, prevented from using those credit cards.

Here is a link to the Visa guide:

Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, the program is intended to protect Visa cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.
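As an added illustration of the two points the answers above agree on (serve the processing page only over https, and never let the full card number travel in email or sit in the database unencrypted), here is a ColdFusion processing page. This is example code, not anything posted by the participants; the datasource `orders_ds`, the `card_payments` table and its columns, the form fields, and `application.cardKey` (assumed to be set once in Application.cfm from `generateSecretKey("AES")` and kept out of the database) are all assumptions. The first answer's advice to hand the card data to a payment processor instead remains the better option.

```cfml
<!--- process_card.cfm (added example).
      1) Never handle card data over plain HTTP: bounce to the https URL. --->
<cfif NOT cgi.server_port_secure>
    <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="no">
</cfif>

<!--- 2) Normalise the submitted number: digits only, plausible length. --->
<cfset pan = reReplace(form.cardNumber, "[^0-9]", "", "all")>
<cfif len(pan) LT 13 OR len(pan) GT 19>
    <cfthrow message="Card number has an invalid length.">
</cfif>
<cfset last4 = right(pan, 4)>

<!--- 3) Encrypt before storage. application.cardKey is an assumed variable set
      once in Application.cfm from generateSecretKey("AES") and never stored in
      the database, so a dump of the table alone does not expose card numbers. --->
<cfset encryptedPan = encrypt(pan, application.cardKey, "AES", "Base64")>

<!--- Assumed datasource, table and columns; cfqueryparam keeps the insert parameterised. --->
<cfquery datasource="orders_ds">
    INSERT INTO card_payments (order_id, card_last4, card_number_enc)
    VALUES (
        <cfqueryparam value="#form.orderId#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#last4#" cfsqltype="cf_sql_char">,
        <cfqueryparam value="#encryptedPan#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- 4) The notification to the company carries only the last four digits, never
      the full number, so an unencrypted mail hop cannot leak it. --->
<cfmail to="orders@example.com" from="webform@example.com"
        subject="New card order #form.orderId#">
Order #form.orderId# received. Card ending in #last4#.
Retrieve the details from the order system over https, not from this message.
</cfmail>
```

Decryption with `decrypt(encryptedPan, application.cardKey, "AES", "Base64")` should happen only on the internal page that actually charges the card, so the number is never rendered back to a browser or mailed.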
