"Simon Wigzell" <si**********@shaw.ca> wrote in message
news:q08ub.416132$9l5.297316@pd7tw2no...
My client wants to have credit card information fields on his forms for
his website visitors to be able to buy his services by credit card. The credit
card info - Brand, number and expiry date will be sent to the server and
stored in the database as the .asp page calls itself on Submit.
How secure is this? I've never had to worry about it before but is form
information encrypted before being sent to the server? Are there any legal
obligations for handling people's credit card information? The actual
credit card payments will be handled manually at the client's company. Thanks!
You will want to have a secure connection, which means using SSL (as others
have pointed out). Basically, instead of using HTTP to access your form,
you use HTTPS (you will need to have the SSL Certificate installed on the
server). Some ISPs will let you use their certificate for free, but the
only downside to this is that the client might get warning messages, and
the URL will probably be pointing to some other domain name, which can
affect consumer confidence.
That takes care of the secure connection, but it still leaves you vulnerable
in that you are storing the raw credit card data in your database. You
should encrypt the credit card number and store the encrypted version in
your database. This way, if someone is able to get into your database, the
credit card data is still secured (assuming they don't know how to get the
decryption key). I recommend checking out ASPEncrypt. They have some good
examples as well:
http://www.aspencrypt.com/ http://www.aspencrypt.com/task_creditcard.html
Hope this helps.
Regards,
Peter Foti