Solved

A Script That Would Send Partial Form Input in separate emails or database & email.

Posted on 2010-09-06
Last Modified: 2013-11-28
I am looking for a solution that allows me to have a web form that requests CC details, and is also PCI Compliant.

One thought I had would be if I could have the cc# either split, or broken up into separate fields and emailed separately. I understand that this would be PCI Compliant. I would also be fine with the cc# being split between database and email. I have read of this being done, but never seen any code.

I would even be fine with a client who put in the complete number, but when the submit button was hit the majority of the number was masked so long as that was totally safe. I have no problem asking for the number at a later date if I need to actually make the charge. 99% of the time the card is used only as a means to confirm the service being purchased. The client pays at a later date. So, as I said if I don't ever see the entire card number that solution would be perfect so long as at no point their entire number is transmitted in any insecure manner.

I don't have any PHP experience at all, so the more help the better. Ideally I could see example of code that I could write into another script. If someone wants to post the entire script with that code all the better. :)

Payment gateways are not a possibility for me because they won't deposit into bank accounts in the country I live and do business in.

One thing that is a necessity is that the majority of the data input to the form be emailed. So, I'm basically hoping to protect the cc data in the simplest way possible, which I thought would be to break it up. I'll be trashing the cc #'s once I get them. I have no need to file them.

I do have a SSL on my server.

I am completely open to other suggestions if it's easier or what I'm looking for isn't possible.

My skills are rudimentary. I taught myself to write some html and also use Dreamweaver to subsidize for what I can't code myself. I apologize if this should be in one of the other forums.

Thanks.

Question by:wheresrickysanders

Expert Comment

by:Beverley Portlock
"...One thing that is a necessity is that the majority of the data input to the form be emailed..."

If you are dealing with credit card details then you are crazy to use email. Emails are like postcards - anyone can read them. On the servers we run I could read the emails of absolutely anyone hosted on them because all emails are plain text. You would be leaving yourself open to claims or litigation if anything ever went wrong.

If payment gateways will not work, have you looked at something like PayPal?

Author Comment

by:wheresrickysanders
Paypal won't work because they charge for any transaction. So even if I set up a reservation as a free product, it is my understanding that Paypal will still charge a fee per transaction.

I asked the question because I have read online about businesses that have setups that email the first 5 and last 4 numbers together, and the middle set of not included numbers are posted to a database. So, I'm looking for a similar workaround. From what I've read, anything that breaks up the cc number and sends them separately, be it to two different places (email & database) or even two emails to the same address is PCI Compliant so long as you don't store that data beyond the transaction. I could be mistaken, but I've read that that would be compliant in multiple places.

What about the same idea but posted to a database? Would it then be possible to receive emails when the database is updated? Or possibly even emails with selected inputs when the database is updated?

What was the method when it was still "okay" to collect cc data for manual processing? And what would be the most secure method for this today? That's basically the work flow I am stuck with because even if I was charging the cc's, I would have to be doing it manually because of the country I'm in. I know some other local businesses have people fill out an authorization form by hand, scan and email it as attachment. I'm hoping to give my clients a less cumbersome, yet still secure option.

Expert Comment

by:Jeffrey Coachman
I'm with bportlock here.

No matter how many chunks you break this into, Email is still the *un*safest way to transmit sensitive data.

"My skills are rudimentary"
Then IMHO, it is best to let a third party handle this.
Other than Paypal there are others as well:

http://payments.intuit.com/
http://www.gotmerchant.com/
http://www.mivamerchant.com/services/payment/index.mv

In today's world, you really need to offer both.

;-)

JeffCoachman

Author Comment

by:wheresrickysanders
For the sake of transparency, my business is located in Costa Rica. I'm in tourism, so my clients are predominately in N. America and Europe.

I have not found any 3rd party sites/apps that will deposit money into banks in Costa Rica. Paypal will accept CR as a user country, but only deposit into a bank in the U.S. Having that money deposited in another country creates unnecessary tax and transfer cost issues. On top of the fact that I would actually be dealing with very few transactions as 99% of my transactions are made in person when the customer is here in the country.

So, I don't need to charge. But it's not possible to operate without a customer giving a credit card for a reservation/confirmation. If it's all based on just their word, the cancellation/no show rate skyrockets to well over 50%.

Is there another option? I'm not interested in putting clients information at risk, but clients aren't interested in spending much more time than it takes to fill out a web form. So, I'm stuck in this grey area that requires this dance because I don't want to be shady with my clients information.
0
 
LVL 74

Expert Comment

by:Jeffrey Coachman
Comment Utility
IMHO, I would always err on the side of security.

Remember, if you do things the "easy" way:
     ("clients aren't interested in spending much more time than it takes to fill out a web form.")
...then something goes wrong...
None of these clients will think twice about suing you...

So whatever technology does what you need and is secure is what I would go with.
Can you contact other businesses that do what you do, and ask them how they handle this?

JeffCoachman

Author Comment

by:wheresrickysanders
Well, the truth is that most businesses that do what I do don't really care so much about security. I'm a very small business working in a place that is at times like the wild west. As I mentioned before, the standard operating procedure is to have someone fill out a web form that authorizes cc use manually, scan the authorization form, then email it back.

I'm not sure how safe that method is. I've avoided it for a number of reasons, but would consider using it if I was told it was the most secure manner to accomplish what I need.

I'm 100% here because I'm erring on the side of caution. In all honesty, any clients would have to move to a new country and sit for years waiting if they wanted to sue. But I don't want to let that get in the way of me doing the right thing.

Unfortunately, I have yet to find a solution that works for what I need.

Is it possible to fill out a form and have certain inputs be masked immediately, so they are never even transmitted? For instance the form takes a cc# input and takes it from 123456789 to 123XXXXXX automatically? And if so, can it do it before the original is ever transmitted in an intercept-able way? As I said in my first post, I have a SSL on my server. The email should only have the masked version. Everything I've read regarding PCI Compliance says that a certain amount of cc#'s being sent via email is 100% within compliance regulations. I would even set it up to reveal less #'s than PCI allows for compliance. I believe with only 4 numbers, an expiration date, name and no security code there is nothing to learn. I'm just not sure if this sort of action is possible though.

Author Comment

by:wheresrickysanders
I meant to also thank Jeff for continuing with this question.

Expert Comment

by:Beverley Portlock
Why send them by email at all? If you have a LAMP / WAMP server then encrypt the details and store them in your database. You can write a program that interrogates the database and decrypts the card details when you type in the decryption key. Look at using PHP's mcrypt extension and a block cipher like Twofish or Blowfish.

You could have the system send you an email when a transaction occurs and you can log in to get the details. That way, even if you are on a shared server, the details would be stored more securely.

http://uk.php.net/mcrypt

Accepted Solution

by:Ray Paseur
"Is it possible to fill out a form and have certain inputs be masked immediately, so they are never even transmitted?" - the short answer is, "No, the inputs MUST be transmitted to your server."  But that can be done with a form-to-action script that uses HTTPS.

The problem here is the email part of the concept.  There is no such thing as secure email.  But the business model may be flawed, too.  If you're selling something of value that has a cancellation cost, you might want to charge the client a nominal reservation fee, and refund the fee as part of the completed transaction.  That puts PayPal and other e-commerce service providers back into play.

If you look at the preponderance of e-commerce transactions you will see that they accept credit card numbers in clear text over SSL.  They send this credit card information to the server where it is encrypted and stored.

Most do not echo the entire credit card number - they just say something like "the card ending in 6125."  If you must send an email about a credit card, this is the right way to do it.

Here is a simple example of how to encrypt and decrypt.  Install it on your server and run it to see the output.  A credit card number like "3720-2010-2699-5053" will be turned into a string like "1B9kmxDJSEela/Z8CqTgWXQa7S38wtMK4yA1P8qRock=" and without the encryption key that information is useless.

Going forward, your most important question may become, "Whom can I trust with the encryption keys?"

Good luck with the project.  Go 'Skins! ~Ray
<?php // RAY_encrypt_decrypt.php
error_reporting(E_ALL);

// MAN PAGE: http://us.php.net/manual/en/ref.mcrypt.php

class Encryption
{
    private $eot;
    private $key;
    private $ivs;
    private $iv;

    public function __construct()
    {
        // END OF TEXT DELIMITER
        $this->eot = '___EOT';
        
        // KEY - MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        // RIJNDAEL-128 TAKES A 16, 24 OR 32 BYTE KEY; PHP BEFORE 5.6 PADS THIS ONE WITH NUL BYTES, 5.6+ REJECTS IT
        $this->key = 'quay';
        
        // INITIALIZATION VECTOR - ECB MODE DOES NOT USE IT, SO IDENTICAL BLOCKS ENCRYPT IDENTICALLY
        $this->ivs = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB);
        $this->iv  = mcrypt_create_iv($this->ivs);
    }

    public function Encrypt($text)
    {
        // APPEND END OF TEXT DELIMITER
        $text .= $this->eot; 
        
        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB, $this->iv);
        
        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        $data = base64_encode($data);
        return $data;
    }

    public function Decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);
        
        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB, $this->iv);
        
        // REMOVE END OF TEXT DELIMITER
        $data = explode($this->eot, $data); 
        return $data[0];
    }
}

// INSTANTIATE THE CLASS
$crypt = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = '';
$decoded = '';

// IF ANYTHING WAS POSTED
if (!empty($_POST["clearstring"]))
{
    $encoded = $crypt->Encrypt($_POST["clearstring"]);
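    // ESCAPE THE POSTED VALUE BEFORE ECHOING IT BACK INTO THE PAGE
    echo "<br/>" . htmlspecialchars($_POST["clearstring"], ENT_QUOTES, 'UTF-8') . " YIELDS "; var_dump($encoded);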
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $crypt->Decrypt($_POST["cryptstring"]);
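    // ESCAPE BOTH THE POSTED VALUE AND THE DECRYPTED TEXT BEFORE OUTPUT
    echo "<br/>" . htmlspecialchars($_POST["cryptstring"], ENT_QUOTES, 'UTF-8') . " YIELDS "; var_dump(htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8'));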
}

?>
<form method="post">
<input name="clearstring" value="<?php echo htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="<?php echo $encoded; ?>" />
<input type="submit" value="DECRYPT" />
</form>
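
The flow this answer describes (the card number arrives over HTTPS, is encrypted before it is stored, and any email only says "the card ending in ..."), shown as an added example that is not part of the original post or the poster's own code. It swaps the mcrypt/ECB calls for PHP's openssl extension with AES-256-GCM, because mcrypt was removed in PHP 7.2; the function names `sealCard()`, `openCard()` and `maskedNotice()` and the key handling are assumptions.

```php
<?php
// Added example (not from the original thread). Requires PHP 7.1+ with the openssl extension.
// sealCard(), openCard() and maskedNotice() are hypothetical names.

// Encrypt a card number with AES-256-GCM. A fresh random nonce is generated for
// every record, and the GCM tag lets openCard() detect tampering or a wrong key.
function sealCard(string $pan, string $key): string
{
    $digits = preg_replace('/\D/', '', $pan);           // drop spaces and dashes
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        throw new InvalidArgumentException('not a plausible card number');
    }
    $nonce  = random_bytes(12);                         // 96-bit GCM nonce
    $cipher = openssl_encrypt($digits, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $cipher);      // store this string in the database
}

// Reverse of sealCard(). Returns the digits, or throws if the record was altered.
function openCard(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 28) {         // 12-byte nonce + 16-byte tag + data
        throw new RuntimeException('malformed record');
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                             substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        throw new RuntimeException('wrong key or modified record');
    }
    return $plain;
}

// Text that is safe to put in the notification email: last four digits only.
function maskedNotice(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    return 'New reservation, card ending in ' . substr($digits, -4);
}

// Constructed demo: in production load the 32-byte key from outside the web root,
// never from the source file or the database that holds the ciphertext.
$key    = random_bytes(32);
$stored = sealCard('3720-2010-2699-5053', $key);        // sample number quoted in the answer
echo maskedNotice('3720-2010-2699-5053'), "\n";
echo openCard($stored, $key) === '3720201026995053' ? "round trip ok\n" : "mismatch\n";
```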

Assisted Solution

by:Jeffrey Coachman
<I meant to also thank Jeff for continuing with this question.>
Thanks.
;-)

As I am no Expert on E-commerce or Encryption, I will yield to an Expert with more targeted knowledge...

JeffCoachman

Author Comment

by:wheresrickysanders
I'm going to give the encryption a try. I've been very busy the past two days with other projects. It's possibly a bit over my head though.

I'm wondering how those with more knowledge than me would handle a situation such as mine. Even if I didn't use email at all and sent the information straight to database I would still not be PCI Compliant as it is against compliance to have all CC #'s stored in one place. That's why I was hoping for a way to send some of the numbers to database and the rest to email. I've considered making it two forms with the cc#'s split between forms.

I know the business model seems a bit odd to most, but I'm operating in a 3rd world country (albeit developing one with dsl) and paypal is not an option at all because it sends my money to the U.S. to my personal bank account when in reality I'm operating a foreign corporation. Any changes to my business model that throws any costs towards the customer is a problem as I operate a business aimed at budget travelers. Right now I'm blessed to have a leg up on my competition due to word of mouth, but if I started to use the same business practices my advantage would disappear.

So, outside of separate forms that split up the cc#, are there any other ideas to keep me compliant? I'm not married to having the form sent to email, although I would love for certain aspects of the form to be sent. If worst comes to worst at least an email letting me know the database has been updated, but I was hoping to avoid that.

As far as trust, myself and my wife are the only ones who deal with this aspect of the business. So no one would need to be trusted with an encryption key or control panel access.

I appreciate all the responses so far. I know my problem seems like a strange business model, but that's because it is. Mostly because it has to be, and partially because it's been working so well for years. If payment gateways could deposit money in my corporate bank account here, most of these problems would be solved.

Author Comment

by:wheresrickysanders
According to advice given and my inability to use certain third party softwares I have decided to not accept CC details on my form. Thank you to all for the help. It was greatly appreciated.