Securely sending Credit Card details
Hey all,
I'm struggling to come up with a solution for a friend, would love to know the communities thoughts on it.
He runs a small hostel which takes enquiry based bookings online. Basically he has a form on his website which sends Name, Phone and Email address to a their enquiries email account. The receptionist then pencils in a booking or may call them back if there's no availability.
He said to me today that he would also like to take their credit card details online at this point. This is so that any booking which isn't canceled in advanced would be subject to a minimal fine.
Now he definitely is not PCI Compliant nor does he have a secure certificate at this stage.
He does not want an online booking system at this point.
...so my question is, what possible solutions are available to him?
serpico
decibel.places posted this at 04:28 — 21st November 2008.
He has: 1,494 posts
Joined: Jun 2008
Without SSL and standard protections, this sounds very risky indeed.
If your friend is storing the numbers in any form, database, email, etc I would strongly urge using encryption. Storing this info is so risky, many ecommerce apps pointedly do not.
You might find some interesting open source code for this at SourceForge
serpico posted this at 06:11 — 21st November 2008.
They have: 121 posts
Joined: Aug 2008
If I get a secure certificate and put the contact form in the https directory on the server, will that be enough to encrypt the data?
serpico posted this at 07:56 — 21st November 2008.
They have: 121 posts
Joined: Aug 2008
What's your thoughts on this encrypt/decrypt function? Would this coupled with SSL be secure enough?
pr0gr4mm3r posted this at 14:50 — 21st November 2008.
He has: 1,502 posts
Joined: Sep 2006
This thread has some good insight. I would recommend not storing CC data under any circumstances. If they want to process their card information online, have your website process the card on the fly and then discard the data.
Greg K posted this at 15:00 — 21st November 2008.
He has: 2,145 posts
Joined: Nov 2003
I used to work at the front desk of Hotel, so I understand the need for the card when reserving.
I will have to look up what it is called, but if it will be e-mailed, there is program that he can set up on his computer that will receive the e-mails, it will generate a private key (for his computer to use to decrypt) and a public key (for you to set up on the server). Once this is set up and the script encrypts the data, only his computer will be able to decrypt it. On his computer, if he is using outlook (ouch anyhow), a button gets installed to it that when he received a message, he simply presses the button to decrypt it.
I personally would rather this method than have it just encrypted and stored on the server for him to log into same server and decrypt. IMO best to have encryption and decryption on separate machines. Even if you just save it encrypted, he goes there gets presented with a text box where he copy and pastes it to his program to decrypt. This way, even if the server gets hacked somehow, there is no script to find that will return the CC info.
This may seem as overkill, but I have seen the results of someone who got tired of the company he worked for... Nuf said.
Other suggestions on top of the obvious get a SSL for the page, store the IP addrerss filling out the page. For this type of transaction, let the customer know that due to the type of transaction, you require a reply to a confirmation e-mail to reserve. Store the ENCRYPTED data in the database, and e-mail it when the confirmation link is called, but delete it after say, 48 hours.
(For those that don't know the industry, the idea is, you reserve the room with a credit card, the room is held all night so you can arrive as late as you want, however, if you don't show up and don't cancel in enough time, you authorize the hotel to charge you for that night anyhow. So the cardholder was never there, yet they got charged, so this is a higher risk for chargbacks, so IMO best to have as much confirmation to back up a charge.)
Also, make sure you and the hotel management are up on the rules governing the storage of information such as the CVV code (on the back of the cards, front of AMEX). According to Visa and MasterCard's terms (which get agreed to by the banks, trickled down to clearing houses, trickled down to card processing companies, which trickles down to the end user who accepts credit cards) You are not allowed to retain CVV number other than for the processing of the current payment.
This day and age, credit card info is nothing to take lightly. With people using their cards for monthly automatic payments, it becomes a big hassle to request a new card because your old one was compromised, not just the inconvenience of waiting a few days for a new card.
-Greg
serpico posted this at 22:59 — 21st November 2008.
They have: 121 posts
Joined: Aug 2008
Thanks gregg thats great information. Priceless! If you could send over the name of the progrm if you discover it, that would be great! Thanks again.
serpico
serpico posted this at 06:59 — 24th November 2008.
They have: 121 posts
Joined: Aug 2008
phpcreditcard.com have software which sounds eactly like what you are talking about.
Does anyone have any experience of using phpcreditcard.com? Any feedback on this would be greatly appreciated.
serpico
decibel.places posted this at 14:41 — 24th November 2008.
He has: 1,494 posts
Joined: Jun 2008
phpcreditcard.com looks like a good service.
I'm not convinced it is necessary to use a Windows app for this, also that the necessary encryption could not be developed as a custom solution.
For $30 the price is reasonable.
I still do not like the idea of storing the credit card info.
As phpcreditcard.com notes, a secure server / SSL is necessary for PCI compliance.
I know, for example, that Ubercart stores the encryption key in a directory above the html root on the server.
pr0gr4mm3r posted this at 16:05 — 24th November 2008.
He has: 1,502 posts
Joined: Sep 2006
Thanks for posting this app. This looks like something I could use, or at least use this concept to code my own solution.
The idea is to store the encrypt & decrypt keys on separate, non-linked machines. As Greg said, it's best to separate the two. A Windows application is the best way to do this since most people don't have access to two web servers, and it's best to do the decrypting locally anyway.
I don't either, but an increasing number of my clients are requesting it.
That just protects you from an attack through Apache, which is just one of the many ways you could get compromised. There is still the top-level ftp account, control panel access, root account on the server, etc.
mikese posted this at 02:33 — 12th April 2009.
They have: 2 posts
Joined: Mar 2009
The card information we store gets taken offline right after the order the invoice is printed and card information is removed in the server database except the first four and last four digits of the card. Our offline server does store card information though which helps prevent fraud over time we've built up a long list of cards IP's and other information from fraudulent orders. With all the credit card comparison sites out now people are still getting cards and there is no way you can do business online without accepting them.
mrgilb posted this at 15:13 — 30th September 2009.
They have: 25 posts
Joined: Sep 2009
Could use a payment processor like 2checkout or paypal or google checkout so your not depending on storing the card numbers etc.
Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.