
Sending credit card information to server security concerns

My client wants to have credit card information fields on his forms for his
website visitors to be able to buy his services by credit card. The credit
card info - Brand, number and expiry date will be sent to the server and
stored in the database as the .asp page calls itself on Submit.

How secure is this? I've never had to worry about it before but is form
information encrypted before being sent to the server? Are there any legal
obligations for handling people's credit card information? The actual credit
card payments will be handled manually at the client's company. Thanks!
Jul 19 '05 #1
6 Replies


Are you familiar with SSL? Do you have an SSL certificate?

Ray at work

"Simon Wigzell" <si**********@shaw.ca> wrote in message
news:q08ub.416132$9l5.297316@pd7tw2no...
> My client wants to have credit card information fields on his forms for his
> website visitors to be able to buy his services by credit card. The credit
> card info - Brand, number and expiry date will be sent to the server and
> stored in the database as the .asp page calls itself on Submit.
>
> How secure is this? I've never had to worry about it before but is form
> information encrypted before being sent to the server? Are there any legal
> obligations for handling people's credit card information? The actual credit
> card payments will be handled manually at the client's company. Thanks!

Jul 19 '05 #2

"Simon Wigzell" <si**********@shaw.ca> wrote in message
news:q08ub.416132$9l5.297316@pd7tw2no...
> My client wants to have credit card information fields on his forms for his
> website visitors to be able to buy his services by credit card. The credit
> card info - Brand, number and expiry date will be sent to the server and
> stored in the database as the .asp page calls itself on Submit.
>
> How secure is this? I've never had to worry about it before but is form
> information encrypted before being sent to the server? Are there any legal
> obligations for handling people's credit card information? The actual credit
> card payments will be handled manually at the client's company. Thanks!


Information is not encrypted before being sent to the server unless you set
up SSL. Check out www.verisign.com and www.thawte.com for more information
on certificates and how to get one.
SSL is considered a secure method of encrypting traffic between client
browser and server providing it is implemented properly (more info at the
above sites).
Legal implications of storing this information depend on your country. In
the UK we have the Data Protection Act and I assume the US have an
equivalent - no doubt bigger and better :o)
From what you have said it seems you will need to secure not only the data
exchanges between customer and website but also client and website. It might
be worth looking at a merchant service which takes the customer temporarily
off your site to enter sensitive information, eg.
http://www.epdq.co.uk/epdq_frameset.htm (again UK) although it will
obviously cost you.

HTH

chopper
Jul 19 '05 #3


"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> Are you familiar with SSL? Do you have an SSL certificate?
>
> Ray at work
>
> "Simon Wigzell" <si**********@shaw.ca> wrote in message
> news:q08ub.416132$9l5.297316@pd7tw2no...
> > My client wants to have credit card information fields on his forms for his
> > website visitors to be able to buy his services by credit card. The credit
> > card info - Brand, number and expiry date will be sent to the server and
> > stored in the database as the .asp page calls itself on Submit.
> >
> > How secure is this? I've never had to worry about it before but is form
> > information encrypted before being sent to the server? Are there any legal
> > obligations for handling people's credit card information? The actual credit
> > card payments will be handled manually at the client's company. Thanks!


No, I'm not, and no, I haven't!
Jul 19 '05 #4

On Mon, 17 Nov 2003 17:59:50 GMT, "Simon Wigzell"
<si**********@shaw.ca> wrote:
> My client wants to have credit card information fields on his forms for his
> website visitors to be able to buy his services by credit card. The credit
> card info - Brand, number and expiry date will be sent to the server and
> stored in the database as the .asp page calls itself on Submit.
>
> How secure is this?

Not secure enough that I'd shop there.

> I've never had to worry about it before but is form
> information encrypted before being sent to the server?

Not unless you do it. Use SSL at least.

> Are there any legal
> obligations for handling people's credit card information?

You could easily be liable for stolen credit information, or worse,
chargebacks from your credit card company will kill you. Just one
loss of info and your customer base could vanish.

> The actual credit
> card payments will be handled manually at the client's company. Thanks!


Find and use a credit card processing service. Let them handle the
risk.

Jeff
Jul 19 '05 #5


"Simon Wigzell" <si**********@shaw.ca> wrote in message
news:rs8ub.414950$pl3.100103@pd7tw3no...

"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> > Are you familiar with SSL? Do you have an SSL certificate?
>
> No, I'm not, and no, I haven't!


I suggest you learn about SSL prior to trying to handle credit card
processing on your own. You really should know about these things prior to
having people submit this kind of information over the Internet to your
site. I agree with Jeff, that you should outsource the CC processing to a
processor. And don't worry about the cost of that. You'll see that it's
not that much when you learn about the price of an SSL certificate. :]

Ray at work
Jul 19 '05 #6

"Simon Wigzell" <si**********@shaw.ca> wrote in message
news:q08ub.416132$9l5.297316@pd7tw2no...
> My client wants to have credit card information fields on his forms for his
> website visitors to be able to buy his services by credit card. The credit
> card info - Brand, number and expiry date will be sent to the server and
> stored in the database as the .asp page calls itself on Submit.
>
> How secure is this? I've never had to worry about it before but is form
> information encrypted before being sent to the server? Are there any legal
> obligations for handling people's credit card information? The actual credit
> card payments will be handled manually at the client's company. Thanks!


You will want to have a secure connection, which means using SSL (as others
have pointed out). Basically, instead of using HTTP to access your form,
you use HTTPS (you will need to have the SSL Certificate installed on the
server). Some ISPs will let you use their certificate for free, but the
only down side to this is that the client might get warning messages, and
the URL will probably be pointing to some other domain name, which can
affect consumer confidence.

That takes care of the secure connection, but it still leaves you vulnerable
in that you are storing the raw credit card data in your database. You
should encrypt the credit card number and store the encrypted version in
your database. This way, if someone is able to get into your database, the
credit card data is still secured (assuming they don't know how to get the
decryption key). I recommend checking out ASPEncrypt. They have some good
examples as well:

http://www.aspencrypt.com/
http://www.aspencrypt.com/task_creditcard.html

Hope this helps.
Regards,
Peter Foti
Jul 19 '05 #7
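
The advice in the last reply (store only an encrypted card number, with the decryption key kept away from the database) shown as an added example; it is not code from the thread and does not use ASPEncrypt's API. It assumes Node.js with its built-in `crypto` module and AES-256-GCM; the names `sealCard`, `openCard` and `canOpen`, the customer id, and the card data are constructed for illustration.

```javascript
// Added example (Node.js): field-level encryption of card data before it is
// written to the database. Not ASP and not ASPEncrypt code.
const crypto = require("node:crypto");

// Assumption: in production the 32-byte key comes from outside the database
// (secret store, protected config). Generated here so the example runs offline.
const KEY = crypto.randomBytes(32);

// Build the row that is safe to store. The customer id is bound in as
// associated data, so a blob copied onto another customer's row will not decrypt.
function sealCard(key, customerId, pan, expiry) {
  const digits = pan.replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) throw new Error("not a card number");
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(String(customerId)));
  const ct = Buffer.concat([cipher.update(`${digits}|${expiry}`, "utf8"), cipher.final()]);
  return {
    customerId,
    last4: digits.slice(-4), // lets staff identify the card without decrypting
    blob: Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64"),
  };
}

// Decrypt a stored row; throws if the key is wrong or the row was altered.
function openCard(key, row) {
  const raw = Buffer.from(row.blob, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(String(row.customerId)));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  const [pan, expiry] = plain.toString("utf8").split("|");
  return { pan, expiry };
}

// True when the row decrypts under this key, false otherwise.
function canOpen(key, row) {
  try { openCard(key, row); return true; } catch { return false; }
}

// Constructed sample: a well-known test card number, not a real account.
const demoRow = sealCard(KEY, 42, "4111 1111 1111 1111", "12/05");
console.log("stored row:", demoRow);
console.log("readable with the key:", canOpen(KEY, demoRow));
console.log("readable with a database dump only:", canOpen(crypto.randomBytes(32), demoRow));
```

The stored row holds only the last four digits and an opaque blob, so a copy of the database is useful to a thief only together with the key.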
