What SSL or Security to use. Please help with this process.

I have a customer that wants to sell 2 or 3 items.  They have a credit card machine in their office and just want to receive orders via email or have a place to log in to get orders.

We want security when typing in credit card information. But we want to be able to process the credit card information at the office.  Can this be done?

Would I create an order page with their order, then create another page with their name, address and so on? Then the 3rd page would go to the secure server and they would type in credit card info, which then gets emailed to my client? Or am I missing the boat here?

What service should I use?
Thanks.
Paul

paulbarstoolAsked:
jhanceCommented:
There are at least 3 different security issues here and all need to be dealt with in order to comply with Visa/MC and other CC company rules on the handling of card data.  But you should also have your friend check with his card processing company and be sure that he is authorized to accept "card not present" orders and/or "internet orders".  Not all merchant accounts are enabled for this.  Violating the merchant account agreement can, among other things, cause the account to be terminated and open him up to significant fines.

1) You must secure the web connection.  The only accepted way to do this is via SSL.  You must obtain an SSL Server Certificate for your web server so that your customers can open an "https" connection to the page that accepts the credit card information.  You get an SSL certificate from one of several suppliers, VeriSign, Thawte, GeoTrust, etc.  Shop around, prices vary widely.  Once you have the cert, you install it on your web server, and then create the card entry page so that it uses HTTPS.  Remember that this ONLY secures the link between the user web browser and the server.  Once the data is received by the server it's in clear text again.

2) You need to secure the card data as soon as it's received by the server.  While there are many possibilities here, you really need to use a commercially accepted encryption scheme to protect yourself.  Using "lame" encryption which later leads to data disclosure will probably end you up in bankruptcy.  Do it right or don't do it at all.  If you don't know about this stuff, GET HELP!  I've developed some of these systems and have used either RSA public-key encryption or PGP to encrypt the data on the server for either storage awaiting retrieval or some transmission to your client's location.

3) Security at your client's location.  Once again, at some point you will decrypt the data for processing and it's again vulnerable.  Procedures vary here and a lot depends on HOW you will be processing the charges.  If you have only a card terminal, hand entering more than a very few transactions will be incredibly tedious and error prone.  There are software solutions from a number of vendors.  Be sure to contact your processing company and find out what THEY support or recommend.  Not all processors accept the same input.  But once the charges are processed you need to again secure the data and be sure you comply with the card company rules on storage of the data.
arnoldCommented:
Let's get this straight.  You would like to create the illusion for the end user that the information they provide cannot be observed during their transaction (from the browser to the server).  Then the information in clear text will be emailed to your client, who would process the transaction on their Credit Card machine.

What options are available to you/your client?
Database? Online payment processor? etc.
CoccoBillCommented:
I guess you could do it like that, but as arnold already points out, you should absolutely secure the email traffic, for example using PGP (http://www.pgp.com/) or the free alternative GnuPG (http://www.gnupg.org/). Using these you can encrypt and digitally sign the messages, taking care of confidentiality, authenticity and non-repudiation. Unfortunately these alone still won't guarantee message integrity.
samb39Commented:
If you are only selling 2 or 3 items, by far the best procedure would be to just negotiate the transaction by email and get the customer to give the credit card number over the telephone, not over the Internet.
paulbarstoolAuthor Commented:
Thanks for all your help.

The credit card company we are dealing with will accept typed in cc orders.

My hosting company has a Shared SSL service.  Can I use this along with PGP.com or GnuPG.org to retrieve and store the orders/data?  I know I would have to have some type of plugin for Outlook or Thunderbird on the store's end to get the orders.

After the orders are received on the store's end, how do I purge the old data off the server?  

Thanks for your help.
Paul
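The flow jhance describes in point 2, CoccoBill's PGP/GnuPG suggestion, and Paul's question about purging old data come together in the script below. It is an added example, not code from anyone in the thread: the web host holds only the store's public key, encrypts each order right after the HTTPS form posts it, and deletes the plaintext, so the host never stores a readable card number and only the store's machine (which keeps the private key) can open the emailed order. The key names, addresses, temp paths and the order text are all constructed for the demo; it needs a gpg 2.1+ binary.

```shell
#!/bin/sh
# Added example (not from the thread). Two separate GNUPGHOME directories stand
# in for the store's workstation and the shared web host.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }

WORK="$(mktemp -d)"
STORE_HOME="$WORK/store-gnupg"    # constructed: the store's Thunderbird/Outlook box
SERVER_HOME="$WORK/server-gnupg"  # constructed: the hosting company's web server
mkdir -m 700 "$STORE_HOME" "$SERVER_HOME"
STORE_ID="orders@store.example"   # constructed recipient address
trap 'GNUPGHOME="$STORE_HOME" gpgconf --kill all 2>/dev/null || true;
      GNUPGHOME="$SERVER_HOME" gpgconf --kill all 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# 1) Store generates a keypair once and exports ONLY the public half to the host.
store_keygen() {
  GNUPGHOME="$STORE_HOME" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase '' --quick-gen-key "Store Orders <$STORE_ID>" default default never
  GNUPGHOME="$STORE_HOME" gpg --batch --quiet --armor --export "$STORE_ID" \
    > "$WORK/store-pub.asc"
}

# 2) Host imports the public key and encrypts each order as soon as the HTTPS
#    page receives it; the clear-text file is removed right away (the purge).
server_encrypt_order() {  # $1 = plaintext order file, $2 = encrypted output
  GNUPGHOME="$SERVER_HOME" gpg --batch --quiet --import "$WORK/store-pub.asc"
  GNUPGHOME="$SERVER_HOME" gpg --batch --quiet --trust-model always --armor \
    --recipient "$STORE_ID" --output "$2" --encrypt "$1"
  rm -f "$1"   # nothing readable is left on the host; only $2 is emailed
}

# 3) Store decrypts the emailed .asc with its private key (mail plugin does this).
store_decrypt_order() {  # $1 = encrypted order file
  GNUPGHOME="$STORE_HOME" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase '' --decrypt "$1"
}

# End-to-end run; prints the recovered order text on the store side.
demo() {
  store_keygen
  printf 'order 1001: 2 x widget, card ****-4242 exp 01/30\n' > "$WORK/order.txt"
  server_encrypt_order "$WORK/order.txt" "$WORK/order.asc"
  grep -q 'BEGIN PGP MESSAGE' "$WORK/order.asc"   # host copy is ciphertext only
  [ ! -e "$WORK/order.txt" ]                        # plaintext really is gone
  store_decrypt_order "$WORK/order.asc"
}
```

A compromise of the shared host then exposes only ciphertext and the public key; the private key and the passphrase protecting it (empty here purely for the demo) belong on the store's machine, and once an order is charged the decrypted copy there needs the same care jhance describes in point 3.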