What SSL or Security to use. Please help with this process.

Posted on 2006-03-26
Last Modified: 2010-04-11
I have a customer that wants to sell 2 or 3 items.  They have a credit card machine in their office and just want to receive orders via email or have a place to log in to get orders.

We want security when typing in credit card information. But we want to be able to process the credit card information at the office.  Can this be done?

Would I create an order page with their order, then create another page with their name address and so-on. Then the 3rd page would go to the secure server and they would type in credit card info, then get emailed to my client?   Or am I missing the boat here?

What service should I use?

Question by: paulbarstool
    LVL 76

    Expert Comment

    Let's get this straight.  You would like to create the illusion for the end user that the information they provide cannot be observed during their transaction (from the browser to the server).  Then the information in clear text will be emailed to your client, who would process the transaction on their credit card machine.

    What options are available to you/your client?
    Database? online payment processor? etc.  
    LVL 19

    Assisted Solution

    I guess you could do it like that, but as arnold already points out, you should absolutely secure the email traffic, for example using PGP or the free alternative GnuPG. Using these you can encrypt and digitally sign the messages, taking care of confidentiality, authenticity and non-repudiation. Unfortunately these alone still won't guarantee message integrity.
    LVL 32

    Accepted Solution

    There are at least 3 different security issues here, and all need to be dealt with in order to comply with Visa/MC and other CC company rules on the handling of card data.  But you should also have your friend check with his card processing company and be sure that he is authorized to accept "card not present" orders and/or "internet orders".  Not all merchant accounts are enabled for this.  Violating the merchant account agreement can, among other things, cause the account to be terminated and open him up to significant fines.

    1) You must secure the web connection.  The only accepted way to do this is via SSL.  You must obtain an SSL Server Certificate for your web server so that your customers can open an "https" connection to the page that accepts the credit card information.  You get an SSL certificate from one of several suppliers, VeriSign, Thawte, GeoTrust, etc.  Shop around, prices vary widely.  Once you have the cert, you install it on your web server, and then create the card entry page so that it uses HTTPS.  Remember that this ONLY secures the link between the user web browser and the server.  Once the data is received by the server it's in clear text again.

    2) You need to secure the card data as soon as it's received by the server.  While there are many possibilities here, you really need to use a commercially accepted encryption scheme to protect yourself.  Using "lame" encryption which later leads to data disclosure will probably land you in bankruptcy.  Do it right or don't do it at all.  If you don't know about this stuff, GET HELP!  I've developed some of these systems and have used either RSA public-key encryption or PGP to encrypt the data on the server for either storage awaiting retrieval or some transmission to your client's location.

    3) Security at your client's location.  Once again, at some point you will decrypt the data for processing and it's again vulnerable.  Procedures vary here and a lot depends on HOW you will be processing the charges.  If you have only a card terminal, hand-entering more than a very few transactions will be incredibly tedious and error-prone.  There are software solutions from a number of vendors.  Be sure to contact your processing company and find out what THEY support or recommend.  Not all processors accept the same input.  But once the charges are processed you need to again secure the data and be sure you comply with the card company rules on storage of the data.
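The accepted solution's step 2 (encrypt the card data on the server with the merchant's public key before storing or emailing it) and the earlier suggestion to encrypt the email itself both come down to the same design: the web server holds only a public key, so nothing it stores or forwards can be read without the private key that stays at the merchant's office. The example below is added here to show that design in working code; it is not from the original thread or from any of its participants. It uses RSA-OAEP to wrap a fresh AES-256-GCM key (the same hybrid construction PGP uses internally, without the OpenPGP packet format), and the order fields, the OAEP label and the in-process key generation are assumptions made for the example; in practice the key pair is generated once at the office and only the public key is copied to the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Order is the data collected by the HTTPS form. The field names are
// assumptions for this example; the thread defines no schema.
type Order struct {
	Item   string `json:"item"`
	Name   string `json:"name"`
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"`
}

// Envelope is the only thing the web server stores or emails: an AES key
// wrapped to the merchant's RSA public key, plus the GCM ciphertext.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// oaepLabel binds the wrapped key to this purpose; assumed value.
var oaepLabel = []byte("card-order-v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero overwrites a buffer so plaintext card data does not linger in memory.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// SealOrder runs on the web server right after the form is submitted.
// It needs only the public key, so a compromised server cannot read
// orders already sealed.
func SealOrder(pub *rsa.PublicKey, o Order) (*Envelope, error) {
	plain, err := json.Marshal(o)
	if err != nil {
		return nil, err
	}
	defer zero(plain)
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	defer zero(key)
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenOrder runs at the merchant's office (step 3). A wrong key or any
// tampering with the envelope fails the GCM tag check and returns an error.
func OpenOrder(priv *rsa.PrivateKey, env *Envelope) (Order, error) {
	var o Order
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return o, err
	}
	defer zero(key)
	gcm, err := newGCM(key)
	if err != nil {
		return o, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return o, err
	}
	defer zero(plain)
	return o, json.Unmarshal(plain, &o)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // assumption: generated at the office
	// Constructed sample order using a well-known Luhn-valid test PAN.
	order := Order{Item: "Widget", Name: "J. Doe", PAN: "4111111111111111", Expiry: "12/09"}
	env, err := SealOrder(&priv.PublicKey, order)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d ciphertext bytes and no plaintext PAN\n", len(env.Ciphertext))
	got, err := OpenOrder(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted at office for:", got.Name)
}
```

Serialize the Envelope (JSON here, or armored text) for the email body or the pickup page; what reaches the mailbox is the same opaque blob either way. The decrypted plaintext exists only at the office, so the rules in step 3 about securing and purging processed card data apply there, not on the web host.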
    LVL 4

    Assisted Solution

    If you are only selling 2 or 3 items, by far the best procedure would be to just negotiate the transaction by email and get the customer to give the credit card number over the telephone, not over the Internet.

    Author Comment

    Thanks for all your help.

    The credit card company we are dealing with will accept typed in cc orders.

    My hosting company has a Shared SSL service.  Can I use this along with or to retrieve and store the orders/data?  I know I would have to have some type of plugin for Outlook or Thunderbird on the store's end to get the orders.

    After the orders are received on the store's end, how do I purge the old data off the server?  

    Thanks for your help.
