Sending credit card information to server security concerns

Simon Wigzell

My client wants to have credit card information fields on his forms for his
website visitors to be able to buy his services by credit card. The credit
card info - Brand, number and expiry date will be sent to the server and
stored in the database as the .asp page calls itself on Submit.

How secure is this? I've never had to worry about it before but is form
information encrypted before being sent to the server? Are there any legal
obligations for handling people's credit card information? The actual credit
card payments will be handled manually at the client's company. Thanks!
 
Chopper

Simon Wigzell said:
> My client wants to have credit card information fields on his forms for his
> website visitors to be able to buy his services by credit card. The credit
> card info - Brand, number and expiry date will be sent to the server and
> stored in the database as the .asp page calls itself on Submit.
>
> How secure is this? I've never had to worry about it before but is form
> information encrypted before being sent to the server? Are there any legal
> obligations for handling people's credit card information? The actual credit
> card payments will be handled manually at the client's company. Thanks!

Information is not encrypted before being sent to the server unless you set
up SSL. Check out www.verisign.com and www.thawte.com for more information
on certificates and how to get one.
SSL is considered a secure method of encrypting traffic between client
browser and server providing it is implemented properly (more info at the
above sites).
Legal implications of storing this information depend on your country. In
the UK we have the Data Protection Act and I assume the US have an
equivalent - no doubt bigger and better :o)
From what you have said it seems you will need to secure not only the data
exchanges between customer and website but also client and website. It might
be worth looking at a merchant service which takes the customer temporarily
off your site to enter sensitive information, eg.
http://www.epdq.co.uk/epdq_frameset.htm (again UK) although it will
obviously cost you.

HTH

chopper
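
An added example, not part of any post in this thread: a guard for the top of the self-posting .asp page that refuses to accept card fields unless the request arrived over SSL. It assumes classic ASP with VBScript on IIS with a certificate already installed; `SECURE_HOST` is a placeholder name for the site's HTTPS hostname.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Placeholder: replace with the hostname the SSL certificate was issued for.
Const SECURE_HOST = "www.example.com"

Dim isSecure, method, target

' IIS sets the HTTPS server variable to "on" only when the request came in over SSL.
isSecure = (LCase(Request.ServerVariables("HTTPS")) = "on")
method = UCase(Request.ServerVariables("REQUEST_METHOD"))

If Not isSecure Then
    If method = "POST" Then
        ' The card fields have already crossed the network unencrypted.
        ' Do not read them, log them, or write them to the database.
        Response.Status = "403 Forbidden"
        Response.Write "This form can only be submitted over a secure (https) connection."
        Response.End
    Else
        ' Plain GET: send the visitor to the HTTPS copy of this page so the
        ' form is both served and posted back over SSL.
        target = "https://" & SECURE_HOST & Request.ServerVariables("URL")
        If Len(Request.ServerVariables("QUERY_STRING")) > 0 Then
            target = target & "?" & Request.ServerVariables("QUERY_STRING")
        End If
        Response.Redirect target
    End If
End If

' From here on the request is known to have arrived over SSL.
' This only protects the browser-to-server hop; card data written to the
' database afterwards is not protected by SSL.
%>
```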
 
Jeff Cochran

> My client wants to have credit card information fields on his forms for his
> website visitors to be able to buy his services by credit card. The credit
> card info - Brand, number and expiry date will be sent to the server and
> stored in the database as the .asp page calls itself on Submit.
>
> How secure is this?

Not secure enough that I'd shop there.

> I've never had to worry about it before but is form
> information encrypted before being sent to the server?

Not unless you do it. Use SSL at least.

> Are there any legal
> obligations for handling people's credit card information?

You could easily be liable for stolen credit information, or worse,
chargebacks from your credit card company will kill you. Just one
loss of info and your customer base could vanish.

> The actual credit
> card payments will be handled manually at the client's company. Thanks!

Find and use a credit card processing service. Let them handle the
risk.

Jeff
 
Ray at

Simon Wigzell said:
> No, I'm not, and no, I haven't!

I suggest you learn about SSL prior to trying to handle credit card
processing on your own. You really should know about these things prior to
having people submit this kind of information over the Internet to your
site. I agree with Jeff, that you should outsource the CC processing to a
processor. And don't worry about the cost of that. You'll see that it's
not that much when you learn about the price of an SSL certificate. :]

Ray at work
 
