prowebinteractiveinc
asked on
need website security advice
The website Im working on excepts credit cards. An account can have many users.
I want to ge the option to the buyer to save his credit card info, so it makes the next checkout quicker... When I say the credit card info is saved, no information is saved on my servers for security, but when the user chooses to save their card info I send an XML string to the payment processor asking for a token to be able to rebill the same card. having said that, I want to give the option of the credit card holder to share the ability to place an order using his credit card saved on file to the users on his account providing he sets the right permissions... Any advice on this feature would be greatly appreciated. im also guessing if I would go forward I would create another table to place the users that have permission to use the credit card on file...
I want to ge the option to the buyer to save his credit card info, so it makes the next checkout quicker... When I say the credit card info is saved, no information is saved on my servers for security, but when the user chooses to save their card info I send an XML string to the payment processor asking for a token to be able to rebill the same card. having said that, I want to give the option of the credit card holder to share the ability to place an order using his credit card saved on file to the users on his account providing he sets the right permissions... Any advice on this feature would be greatly appreciated. im also guessing if I would go forward I would create another table to place the users that have permission to use the credit card on file...
Dushan Silva
It's never gonna good idea to save credit card details on your system. Give Credit card company to manage those and best not to touch or save those details locally. Also there could legal issue.
RUN, don't walk, to your bank and set up a meeting with them, your business lawyer and your payment processor that is giving you the XML token. On the agenda will be PCI Compliance or its equivalent in your countries. You need expert legal and technical advice on this topic, since mishandling such information can get you sued or land you in jail.
My guess is that once one of your clients gives you permission to charge his credit card for the bills of another client, you will have a fiduciary obligation to cross-notify, and when that permission is withdrawn or expires, you will need to again cross-notify. It's complicated and it has a lot of implications that go far beyond the advice you can get here at EE. Get professional advice that is directly in consonance with your exact business situation!
Best regards, ~Ray
My guess is that once one of your clients gives you permission to charge his credit card for the bills of another client, you will have a fiduciary obligation to cross-notify, and when that permission is withdrawn or expires, you will need to again cross-notify. It's complicated and it has a lot of implications that go far beyond the advice you can get here at EE. Get professional advice that is directly in consonance with your exact business situation!
Best regards, ~Ray
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.