We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


What SSL or Security to use. Please help with this process.

Medium Priority
Last Modified: 2010-04-11
I have a customer that wants to sell 2 or 3 items.  They have a credit card machine in their office and just want to receive orders via email or have a place to log in to get orders.

We want security when typing in credit card information. But we want to be able to process the credit card information at the office.  Can this be done?

Would I create an order page with their order, then create another page with their name address and so-on. Then the 3rd page would go to the secure server and they would type in credit card info, then get emailed to my client?   Or am I missing the boat here?

What service should I use?

Watch Question

Distinguished Expert 2019

Lets get this straight.  You would like to create the illusion for the end user that the information they provide can not be observed during their transaction (from the browser to the server).  Then the information in clear text will be emailed to your client who would process the transaction on their Credit Card machine.

What options are available to you/your client?
Database? online payment processor? etc.  
I guess you could do it like that, but as arnold already points out you should absolutely secure the email traffic, for example using PGP (http://www.pgp.com/) or the free alternative GnuPG (http://www.gnupg.org/). Using these you can encrypt and digitally sign the messages taking care of confidentiality, authenticity and nonrepudiation. Unfortunately these alone still won't guarantee message integrity.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
There are at least 3 different security issues here and all need to be dealt with in order to comply with Visa/MC and other CC company rules on the handling of card data.  But you should also have you friend check with his card processing company and be sure that he is authorized to accept "card not present" order and/or "internet orders".  Not all merchant accounts are enabled for this.  Violating the merchant account agreement can, among other things, cause the account to be terminated and open him up to signifncant fines.

1) You must secure the web connection.  The only accepted way to do this is via SSL.  You must obtain an SSL Server Certificate for your web server so that your customers can open an "https" connection to the page that accepts the credit card information.  You get an SSL certificate from one of several suppliers, VeriSign, Thawte, GeoTrust, etc.  Shop around, prices vary widely.  Once you have the cert, you install it on your web server, and then create the card entry page so that it uses HTTPS.  Remember that this ONLY secures the link between the user web browser and the server.  Once the data is received by the server it's in clear text again.

2) You need to secure the card data as soon as it's received by the server.  While there are many possibilities here, you really need to use a commercially accepted encryption scheme to protect yourself.  Using "lame" encryption which later leads to data disclosure will probably end you up in bankruptcy.  do it right or don't do it at all.  If you don't know about this stuff, GET HELP!  I've developed some of these systems and have used either RSA  public-key encryption or PGP to encrypt the data on the server for either storage awaiting retrieval or some transmission to your client's location.

3) Security at your client's location.  Once again at some point you will decrypt the data for processing and it's again vulnerable.  Procedures vary here and a lot depends on HOW you will be processing the charges.  If you have only a card terminal hand entering more than a very few transactions will be incredibly tedious and error prone.  There are software solutions from a number of vendors.  Be sure to contact your processing company and find out what THEY support or recommend.  Not all processors accept the same input.  But once the charges are processed you need to again secure the data and be sure you comply with the card company rules on storage of the data.
If you are only selling 2 or 3 items, by far the best procedure would be to just negotiate the transaction by email and get the customer to give the credit card number over the telephone, not over the Internet.


Thanks for all your help.

The credit card company we are dealing with will accept typed in cc orders.

My hosting company has a Shared SSL service.  Can I use this along with Pgp.com or Gnupg.org to retrieve and store the orders/data?  I know I would have to have some type of plugin for Outlook or Thunderbird on store's end to get the orders.

After the orders are received on the store's end, how do I purge the old data off the server?  

Thanks for you help.

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.