BR asked:

how to securely pass credit card information between two pages in PHP?

Dear Experts,
I use PHP and HTTPS on my web site.

I need your opinion on how to securely pass credit card information between two pages in PHP?

Thank you in advance.
SOLUTION
Chris Stanyon

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

ASKER

Dear Experts,
thank you for your wonderful comments.
This payment API expects the card information from me (I need to post it); they do not provide a CC form.

Let me make it clear. I have one page which has the credit card and information form.
The other page is the page where I collect the data and post it to the Payment API.

I have to post the credit card information to at least one page, right? (Even to itself.) Because PHP works on the server side.

On the first page, I will ask my user to fill in the form.
As soon as the user enters the card number (maybe the first 6 digits), I will use AJAX to get the result of whether the banks give some installment options.

I will collect all information on the first page (installment number, card information, user info, etc.) and I will post the necessary information to my second page to send the information to the payment API. I am using PHP cURL to communicate with the Payment API.

I will never ever hold any credit card information on any part of my system (not in session variables, not in the database, etc.).
I use an SSL connection and shared hosting.

Thank you

ASKER

Dear David Favor,
my .htaccess file is like this. It forces HTTPS. Thank you.

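RewriteEngine on
# Redirect plain-HTTP requests to HTTPS and stop processing further rules
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# Map extensionless requests to the matching .php file
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php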

ASKER

Dear gr8gonzo, thank you for your wonderful comment.

Posting a form is easy, however I need to send a token in the header.
This token authorizes my request.

I share my code with you, this is how I post the header and the CC information. (It works perfectly fine.)

I don't know how to send the form with header information.

Is there a way to directly post it to the payment API including the header? The URL is the same.

I use the cURL code below to send it. (It works perfectly fine.)

$url = 'this is API url';

$ch = curl_init($url);

// Request body for the payment API
$data = array(
    'ClientReferenceCode' => '413252',
    'Is3DPayment' => true,
    'Amount' => 4,
    'CreditCard' => ['CcName' => '.....', 'CcNumber' => '....', 'Cvc' => '...', 'ExpM' => '..', 'ExpY' => '...'],
    'Payment3dUrl' => ['successUrl' => 'https://...', 'failUrl' => 'https:...'],
);
$requestData = json_encode($data);

// Setting CURLOPT_POSTFIELDS makes this a POST request
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestData);

// The token travels in the Authorization header
$headers = ['Content-Type: application/json', 'Authorization: Autho here is my token'];

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

// Return the response body instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$result = curl_exec($ch);

curl_close($ch);

thank you all

ASKER

Dear gr8gonzo, Chris Stanyon, David Favor and madunix,

would it be better to post the data to the payment API like below, rather than using the cURL code I mentioned above? (That is what I was planning to use, but you have already changed my mind. Thank you again, by the way.)

That way, I can post the data directly, and I can get the CC info from the form on the page using JavaScript.
The other information I need is the token from the API (my page is PHP, so that is already done).

So my question is this: should I use the structure below with jQuery? Would it be safe? Thanks to jQuery, I can post directly to the payment API without posting to another page. Thank you.

Would it be correct to put the header like this?

<!DOCTYPE html>
<html>
<head>
    <meta name="viewport" content="width=device-width" />
    <script type="text/javascript"
            src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js">
    </script>
    <script type="text/javascript">
        $(document).ready(function () {
            $('#ajaxBtn').click(function () {
                $.ajaxSetup({
                    headers: ['Content-Type: application/json','Authorization: Autho xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
                });

                $.post('test-kayit.php',   // url
                    {"ProductId":"1","Vir":"54"},   // data to be submitted
                    function (data, status, jqXHR) {   // success callback
                        $('p').append('status: ' + status + ', data: ' + data);
                    });
            });
        });
    </script>
</head>
<body>
    <h1>jQuery post() method demo</h1>
    <input type="button" id="ajaxBtn" value="Send POST request" />
    <p>
    </p>
</body>
</html>
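
The two-page flow described in the posts above (the form page posts to a second PHP page, which forwards the card to the payment API with cURL), written out as an added example; it is not the asker's code or the payment provider's. It keeps the token on the server, since any header set in page JavaScript is readable by every visitor, validates the card fields, relays them in a single request and logs only the last four digits. The `cc_*` form field names and the `PAYMENT_API_URL` / `PAYMENT_API_TOKEN` environment variables are hypothetical; the JSON keys and the `Autho` header scheme are copied from the post.

```php
<?php
// pay.php (added example): receives the card form over HTTPS and relays it once.
// Hypothetical names: cc_* form fields, PAYMENT_API_URL / PAYMENT_API_TOKEN env vars.
declare(strict_types=1);

function field(string $key): string {          // missing or array input becomes ''
    $v = $_POST[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}
function luhn_ok(string $pan): bool {          // card-number checksum
    $sum = 0;
    foreach (str_split(strrev($pan)) as $i => $d) {
        $d = (int) $d * ($i % 2 === 1 ? 2 : 1);
        $sum += $d > 9 ? $d - 9 : $d;
    }
    return $sum % 10 === 0;
}

$apiUrl = getenv('PAYMENT_API_URL');
$token  = getenv('PAYMENT_API_TOKEN');         // stays on the server, never in page JS
$pan    = (string) preg_replace('/[ -]/', '', field('cc_number'));
$valid  = $_SERVER['REQUEST_METHOD'] === 'POST' && $apiUrl && $token
    && preg_match('/^\d{13,19}$/', $pan) && luhn_ok($pan)
    && preg_match('/^\d{3,4}$/', field('cc_cvc'))
    && preg_match('/^(0[1-9]|1[0-2])$/', field('cc_exp_m'))
    && preg_match('/^\d{2}(\d{2})?$/', field('cc_exp_y')) && field('cc_name') !== '';
if (!$valid) { http_response_code(400); exit('Invalid payment request'); }

$payload = json_encode([
    'ClientReferenceCode' => '413252',         // sample value from the post
    'Is3DPayment'  => true,
    'Amount'       => 4,                       // from the server-side order, never the form
    'CreditCard'   => ['CcName' => field('cc_name'), 'CcNumber' => $pan, 'Cvc' => field('cc_cvc'),
                       'ExpM' => field('cc_exp_m'), 'ExpY' => field('cc_exp_y')],
    'Payment3dUrl' => ['successUrl' => 'https://...', 'failUrl' => 'https://...'], // elided in the post
]);
$ch = curl_init($apiUrl);
curl_setopt_array($ch, [
    CURLOPT_POSTFIELDS     => $payload,        // implies a POST request
    CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'Authorization: Autho ' . $token],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,            // verify the API certificate chain
    CURLOPT_SSL_VERIFYHOST => 2,               // and that it matches the host name
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http
    CURLOPT_TIMEOUT        => 15,
]);
$result = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Only the last four digits are logged; the full number and CVC are never written anywhere.
error_log(sprintf('payment status=%d card=****%s', $status, substr($pan, -4)));
echo ($result !== false && $status >= 200 && $status < 300) ? 'Payment submitted' : 'Payment failed';
```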

ASKER

Thank you all. The EE community has the best technology support team ever. I learned a lot from you.