What SSL or Security to use. Please help with this process.

Posted on 2006-03-26
Medium Priority
Last Modified: 2010-04-11
I have a customer that wants to sell 2 or 3 items.  They have a credit card machine in their office and just want to receive orders via email or have a place to log in to get orders.

We want security when typing in credit card information. But we want to be able to process the credit card information at the office.  Can this be done?

Would I create an order page with their order, then create another page with their name address and so-on. Then the 3rd page would go to the secure server and they would type in credit card info, then get emailed to my client?   Or am I missing the boat here?

What service should I use?

Question by: paulbarstool
LVL 81

Expert Comment

ID: 16297719
Let's get this straight.  You would like to create the illusion for the end user that the information they provide cannot be observed during their transaction (from the browser to the server).  Then the information in clear text will be emailed to your client, who would process the transaction on their Credit Card machine.

What options are available to you/your client?
Database? Online payment processor? etc.
LVL 19

Assisted Solution

CoccoBill earned 150 total points
ID: 16298166
I guess you could do it like that, but as arnold already points out you should absolutely secure the email traffic, for example using PGP (http://www.pgp.com/) or the free alternative GnuPG (http://www.gnupg.org/). Using these you can encrypt and digitally sign the messages taking care of confidentiality, authenticity and nonrepudiation. Unfortunately these alone still won't guarantee message integrity.
LVL 32

Accepted Solution

jhance earned 450 total points
ID: 16299152
There are at least 3 different security issues here and all need to be dealt with in order to comply with Visa/MC and other CC company rules on the handling of card data.  But you should also have your friend check with his card processing company and be sure that he is authorized to accept "card not present" orders and/or "internet orders".  Not all merchant accounts are enabled for this.  Violating the merchant account agreement can, among other things, cause the account to be terminated and open him up to significant fines.

1) You must secure the web connection.  The only accepted way to do this is via SSL.  You must obtain an SSL Server Certificate for your web server so that your customers can open an "https" connection to the page that accepts the credit card information.  You get an SSL certificate from one of several suppliers, VeriSign, Thawte, GeoTrust, etc.  Shop around, prices vary widely.  Once you have the cert, you install it on your web server, and then create the card entry page so that it uses HTTPS.  Remember that this ONLY secures the link between the user's web browser and the server.  Once the data is received by the server it's in clear text again.

2) You need to secure the card data as soon as it's received by the server.  While there are many possibilities here, you really need to use a commercially accepted encryption scheme to protect yourself.  Using "lame" encryption which later leads to data disclosure will probably end you up in bankruptcy.  Do it right or don't do it at all.  If you don't know about this stuff, GET HELP!  I've developed some of these systems and have used either RSA public-key encryption or PGP to encrypt the data on the server for either storage awaiting retrieval or some transmission to your client's location.

3) Security at your client's location.  Once again, at some point you will decrypt the data for processing and it's again vulnerable.  Procedures vary here and a lot depends on HOW you will be processing the charges.  If you have only a card terminal, hand-entering more than a very few transactions will be incredibly tedious and error prone.  There are software solutions from a number of vendors.  Be sure to contact your processing company and find out what THEY support or recommend.  Not all processors accept the same input.  But once the charges are processed you need to again secure the data and be sure you comply with the card company rules on storage of the data.

Assisted Solution

samb39 earned 150 total points
ID: 16307849
If you are only selling 2 or 3 items, by far the best procedure would be to just negotiate the transaction by email and get the customer to give the credit card number over the telephone, not over the Internet.

Author Comment

ID: 16310693
Thanks for all your help.

The credit card company we are dealing with will accept typed in cc orders.

My hosting company has a Shared SSL service.  Can I use this along with Pgp.com or Gnupg.org to retrieve and store the orders/data?  I know I would have to have some type of plugin for Outlook or Thunderbird on the store's end to get the orders.

After the orders are received on the store's end, how do I purge the old data off the server?  

Thanks for your help.
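The flow jhance describes in steps 2 and 3, plus the purge the author asks about, as an added example that is not code from this thread: the web server encrypts each order to the office's public key the moment the HTTPS form arrives, keeps only ciphertext, and drops blobs once the office confirms it has pulled them. It assumes Python with the `cryptography` package and uses RSA-OAEP wrapping a per-order AES-256-GCM key as a stand-in for the PGP/GnuPG setup the answers recommend; the key pair and order are constructed demo values.

```python
"""Added example: card data is encrypted as soon as the form is received, so the
web server stores and emails only ciphertext the office alone can open."""
import json
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hybrid scheme (assumption, standing in for PGP): RSA-OAEP wraps a fresh
# AES-256-GCM key per order. GCM also gives the integrity check, so a blob
# altered in transit or at rest fails to decrypt instead of yielding garbage.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
AAD = b"order-v1"  # bound into the GCM tag so a blob cannot be re-labelled

# Constructed demo order; 4111... is a well-known test card number.
SAMPLE_ORDER = {"item": "widget", "name": "A. Customer", "card": "4111111111111111"}


def make_office_key():
    """Generated once at the office; the private half never reaches the server."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_order(order: dict, office_public_key) -> dict:
    """Web-server side: runs before anything is written to disk or mailed."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(key).encrypt(nonce, json.dumps(order).encode(), AAD)
    wrapped_key = office_public_key.encrypt(key, OAEP)
    # Only these hex strings remain on the server; the plaintext dict is dropped.
    return {"wrapped_key": wrapped_key.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex()}


def decrypt_order(blob: dict, office_private_key) -> dict:
    """Office side: needs the private key. Raises InvalidTag if tampered."""
    key = office_private_key.decrypt(bytes.fromhex(blob["wrapped_key"]), OAEP)
    plaintext = AESGCM(key).decrypt(bytes.fromhex(blob["nonce"]),
                                    bytes.fromhex(blob["ciphertext"]), AAD)
    return json.loads(plaintext)


def purge_retrieved(queue: dict, retrieved_ids) -> dict:
    """Server side: drop blobs the office confirms it has pulled; keep the rest."""
    gone = set(retrieved_ids)
    return {oid: blob for oid, blob in queue.items() if oid not in gone}


if __name__ == "__main__":
    office_key = make_office_key()
    blob = encrypt_order(SAMPLE_ORDER, office_key.public_key())
    print("server holds:", sorted(blob))          # no card number anywhere
    print("office reads:", decrypt_order(blob, office_key)["item"])
```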
