AbydosGater (posted June 10, 2008)

Hey guys. I have been asked to help out on a project for a site that needs to handle credit card payments directly, not via PayPal. I have done a few searches on Google for pre-made systems and have found one or two. But I was just wondering if any of you guys have used a PHP site to handle credit card payments/transactions. If so, could you tell me how you went about it?

Thanks for your time in reading.

Andy

DarkWater (posted June 10, 2008)

Honestly? Don't store credit card information on your server. Pass it on to PayPal, and tell people that they need to make an account if they don't have one. There is a simple reason for this: If (and when) your database gets hacked (because you have credit card info), there is no possible way that you can afford the lawsuits that will ensue.

bluejay002 (posted June 11, 2008)

hi... thanks for the info on this thread. you see, am about to make one also, since someone asked me to! am a bit new to e-commerce and was planning to support both PayPal and credit card. btw, anyone who has tried this stuff, any suggested pre-made stuff on the net that you have seen to be reliable? I would really appreciate a reply... thanks!

TravisJRyan (posted June 11, 2008)

I work at a card processor and build middleware applications for lenders and banks that tie directly into our processor. I can tell you that you will NOT want to store any information in your application. If you do, be prepared to meet the standards for SAS70 and PCI.

Most of the time if you are going to do some ecommerce, you will have to set up a deal with a processor. That processor will give you an API that you will be able to implement; more than likely it will be a SOAP interface. From that API over a secured connection you will be able to auth, debit, credit (refund) and settle. If you need a processor you may be able to use ours, but you would have to meet our strict standards of compliance.

If you store a credit card number (recommend you don't), I would ONLY store it in a 1 way hash and not a 2 way encryption, or unencrypted for that matter... lol. CVV, CVV2, CVC must NEVER be stored in the session, database, or anything. It must be passed from form to form if it is not your last step and also passed in a rijndael256 2 way encrypted form.

If you need any more help with the headaches, shoot me a PM or something, chances are I won't look at this thread again.

TravisJRyan (posted June 11, 2008)

Also, check standards for storing information like expiration date, date of birth, SSN (if you are collecting it)... those are pretty strict as well.

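Added example (not part of the thread, and not any processor's code): one way to apply the storage advice in the two posts above, keeping only the last four digits and a keyed one-way fingerprint of the card number and never accepting the CVV into the stored record. The function names and the `CARD_HMAC_KEY` environment variable are assumptions; the card number is the test number used later in this thread.

```php
<?php
// Added example. Function names and CARD_HMAC_KEY are hypothetical.

/** Luhn check, so obviously mistyped numbers are rejected before anything else happens. */
function luhn_valid(string $pan): bool
{
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * Build the only card-related record that is written to the database.
 * The CVV is deliberately not a parameter: it is never part of what is kept.
 */
function card_record_for_storage(string $pan, string $hmacKey): array
{
    $pan = preg_replace('/[\s-]/', '', $pan);
    if (!luhn_valid($pan)) {
        throw new InvalidArgumentException('Card number failed the Luhn check');
    }
    return [
        'last4'       => substr($pan, -4),
        // Keyed hash: card numbers have so few possible values that an
        // unkeyed digest of one can be recovered by enumeration.
        'fingerprint' => hash_hmac('sha256', $pan, $hmacKey),
    ];
}

// Assumption: the key is provisioned outside the database and web root.
// The random fallback only exists so this block runs stand-alone.
$key = getenv('CARD_HMAC_KEY') ?: random_bytes(32);
$record = card_record_for_storage('4111 1111 1111 1111', $key);
echo $record['last4'], ' ', $record['fingerprint'], "\n";
```
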
jonsjava (posted June 11, 2008)

wow, now it's hitting ISO info time. ISO is a measurement of standards to which any company that handles sensitive data must adhere. Trust us when we say that unless you have a dream team of lawyers on your side, you do not want the headache. If you have a dream team, let us know, and we may be willing to help. I for one will not help someone lose the shirt off their back.

sKunKbad (posted June 11, 2008)

> If (and when) your database gets hacked (because you have credit card info), there is no possible way that you can afford the lawsuits that will ensue.

I'm not trying to get smart or anything, but do you think that most people would know how their CC info got out into the wild? Unless the CC owner only made one transaction ever, it would be unlikely that they could pinpoint whose website got hacked.

l0ve2hat3 (posted June 11, 2008)

In my experience authorize.net is very easy to implement. Here is some info to get you started:

```php
<?php
// I had a lot of trouble getting PHP & Curl to work with Authorize.net
// I don't want others to go through the same problems, so I am submitting this example script
// This script will work with Authorize.net's AIM method of processing.
// This code has been heavily borrowed from several sources.
// It requires a server that supports PHP and cURL.
// If you have any comments, please contact erik@grossmontdesigns.com

// From a previous HTML Form, pass the following fields:
$FirstName = "john";
$LastName = "gerted";
$CardNum = "4111111111111111";
$Month = "02";
$Year = "2008";
$Address = "57 hubert st";
$City = "patchogue";
$State = "ny";
$Zip = "11772";
$Email = "test@test.com";
$cost = "1";

// Check to make sure customer entered all relevant information
if (!$FirstName || !$LastName || !$Address || !$City || !$State || !$Zip || !$CardNum || !$Email) {
    echo "You forgot some necessary information. Please go back and enter the missing information.";
    exit;
} else {
    $x_Login = urlencode("cnpdbev45866"); // Replace LOGIN with your login
    $x_Password = urlencode("pass"); // Replace PASS with your password
    $x_Delim_Data = urlencode("TRUE");
    $x_Delim_Char = urlencode(",");
    $x_Encap_Char = urlencode("");
    $x_Type = urlencode("AUTH_CAPTURE");
    $x_ADC_Relay_Response = urlencode("FALSE");
    $x_Test_Request = urlencode("TRUE"); // Remove this line of code when you are ready to go live

    #
    # Customer Information
    #
    $x_Method = urlencode("CC");
    $x_Amount = urlencode($cost);
    $x_First_Name = urlencode($FirstName);
    $x_Last_Name = urlencode($LastName);
    $x_Card_Num = urlencode($CardNum);
    $ExpDate = $Month . $Year;
    $x_Exp_Date = urlencode($ExpDate); // Encode once only
    $x_Address = urlencode($Address);
    $x_City = urlencode($City);
    $x_State = urlencode($State);
    $x_Zip = urlencode($Zip);
    $x_Email = urlencode($Email);
    $x_Email_Customer = urlencode("TRUE");
    $x_Merchant_Email = urlencode("email@test.com"); // Replace MERCHANT_EMAIL with the merchant email address

    #
    # Build fields string to post
    #
    $fields = "x_Version=3.1&x_Login=$x_Login&x_Delim_Data=$x_Delim_Data&x_Delim_Char=$x_Delim_Char&x_Encap_Char=$x_Encap_Char";
    $fields .= "&x_Type=$x_Type&x_Test_Request=$x_Test_Request&x_Method=$x_Method&x_Amount=$x_Amount&x_First_Name=$x_First_Name";
    $fields .= "&x_Last_Name=$x_Last_Name&x_Card_Num=$x_Card_Num&x_Exp_Date=$x_Exp_Date&x_Address=$x_Address&x_City=$x_City&x_State=$x_State&x_Zip=$x_Zip&x_Email=$x_Email&x_Email_Customer=$x_Email_Customer&x_Merchant_Email=$x_Merchant_Email&x_ADC_Relay_Response=$x_ADC_Relay_Response";
    if ($x_Password != '') {
        $fields .= "&x_Password=$x_Password";
    }

    #
    # Start CURL session
    #
    $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)";
    $ref = "http://www.test.com/renewal/authorize.php"; // Replace this URL with the URL of this script

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://secure.authorize.net/gateway/transact.dll");
    // Verify the gateway's certificate and host name so card data is only sent to the real endpoint
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_NOPROGRESS, 1);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt($ch, CURLOPT_REFERER, $ref);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    $buffer = curl_exec($ch);
    if ($buffer === false) {
        // Connection or TLS failure: there is no response to parse
        $curlError = curl_error($ch);
        curl_close($ch);
        exit("Could not reach the payment gateway: " . htmlspecialchars($curlError));
    }
    curl_close($ch);

    // This section of the code is the change from Version 1.
    // This allows this script to process all information provided by Authorize.net...
    // and not just whether the transaction was successful or not
    // Provided in the true spirit of giving by Chuck Carpenter (Chuck@MLSphotos.com)
    // Be sure to email him and tell him how much you appreciate his efforts for PHP coders everywhere
    $return = explode(",", $buffer); // Splits out the buffer return into an array; empty fields are kept so positions do not shift
    $details = $return[0]; // This grabs the response code at position 1 in the array
    $errors = isset($return[3]) ? $return[3] : ''; // Change the number to grab additional information. Consult the AIM guidelines to see what information is provided in each position.

    // For instance, to get the Transaction ID from the returned information (in position 7)..
    // Simply add the following:
    // $x_trans_id = $return[6];

    // You may then use the switch statement (or other process) to process the information provided
    // Example below is to see if the transaction was charged successfully
    switch ($details) {
        case "1": // Credit Card Successfully Charged
            header("Location: http://www.test.com/success.php"); // Change this address with the URL of your 'Completed Transaction' page
            exit;

        case "3": // error
            echo "there was an error<br>" . htmlspecialchars($errors);
            break;

        default: // Credit Card Not Successfully Charged
            header("Location: http://www.test.com/renewal/ccerror.php"); // Change this address with the URL of your 'Error' page
            exit;
    }
}
?>
```

Please see attached PDF for more details

[attachment deleted by admin]

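Added example (not part of the posted script or of Authorize.net's own code): a parser for the delimited response that keeps the field positions stable when fields are empty or the response text contains a comma. It assumes the request was sent with `x_Encap_Char` set to a double quote rather than empty as in the script above; the function name and the sample response line are constructed, and only the positions the script itself relies on (1, 4 and 7) are named.

```php
<?php
// Added example: parse_aim_response() and $sample are constructed for illustration.

/**
 * Parse one delimited response line into the fields the posted script uses:
 * position 1 = response code, position 4 = response text, position 7 = transaction ID.
 */
function parse_aim_response(string $buffer, string $delim = ',', string $encap = '"'): array
{
    // str_getcsv keeps empty fields and honours the encapsulation character,
    // so a delimiter inside quoted text does not shift the later positions.
    $fields = str_getcsv(trim($buffer), $delim, $encap, '\\');
    if (count($fields) < 7 || !ctype_digit((string) $fields[0])) {
        throw new UnexpectedValueException('Malformed gateway response');
    }
    return [
        'approved'       => $fields[0] === '1', // the script treats only "1" as charged
        'response_code'  => $fields[0],
        'response_text'  => $fields[3],
        'transaction_id' => $fields[6],
    ];
}

// Constructed response: two empty fields and a comma inside the text field.
$sample = '"3","1","0","Constructed error text, with a comma","","","0"';

$parsed = parse_aim_response($sample);
printf(
    "code=%s text=%s transaction=%s approved=%s\n",
    $parsed['response_code'],
    $parsed['response_text'],
    $parsed['transaction_id'],
    $parsed['approved'] ? 'yes' : 'no'
);

// For comparison: a regex split on runs of commas ignores the quoting,
// so the same line yields a different field count and shifted positions.
$naive = preg_split('/[,]+/', $sample);
printf("regex split: %d fields, position 7 = %s\n", count($naive), $naive[6]);
```
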
bluejay002 (posted June 11, 2008)

thanks for the info... am currently checking it... I'll give my feedback later... thanks again!

The Little Guy (posted June 11, 2008)

http://www.authorizenet.com/

Visa: http://usa.visa.com/merchants/new_acceptance/accept_online.html?it=l2|/merchants/new_acceptance/acquirer_list.html|Accept%20Visa%20Online

bluejay002 (posted June 13, 2008)

@l0ve2hat3 I think I got a problem... I received some errors:

```
fsockopen() [function.fsockopen]: unable to connect to secure.authorize.net:80 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. )
```

I've asked erik stieringer bout this and tried several attempts to no avail (he told me he made this script several years ago). any idea on how to resolve this? anyone?

l0ve2hat3 (posted June 14, 2008)

well it shouldn't be trying to connect on port 80... did you mod the code?

```php
curl_setopt($ch, CURLOPT_URL, "https://secure.authorize.net/gateway/transact.dll");
```

https is 443... I really don't know why you are getting that.. please post your code

bluejay002 (posted June 14, 2008)

it's actually the same code... I used https. I even used https for my header yet nothing happens... yeah it shouldn't be port 80, instead it should be port 443 and I don't know where it got that 80 thingy.

l0ve2hat3 (posted June 14, 2008)

hrmmmm, if you go to http://secure.authorize.net/gateway/transact.dll it times out, but it connects on https://secure.authorize.net/gateway/transact.dll

post your code!!!

l0ve2hat3 (posted June 14, 2008)

ahhh... your DNS service might be messed up... try using the IP address instead.. try this:

```php
curl_setopt($ch, CURLOPT_URL, "https://64.94.118.33/gateway/transact.dll");
```

bluejay002 (posted June 14, 2008)

same thing... mmm... am really getting a headache bout this... doh!

l0ve2hat3 (posted June 14, 2008)

anyone else???? I'm pretty sure it's a server/software issue... Please tell me your specs. And no one else is going to help out if you do not post your code.

bluejay002 (posted June 16, 2008)

I see... I got the root cause. it seems that openssl was not enabled by default. also, xampp has a more tricky configuration... there are separate files that I need to config for it to be enabled. thanks a lot guys.

btw, I've tried authorize.net but... the test itself has an invalid merchant ID or password. so it seems I need to use a test account instead. do I need to put correct info there? it asks several questions and I can't seem to fill up things since am not familiar with any info bout US at all, say, phone numbers, zipcodes... blah3x.

I really want to start e-commerce but I can't seem to start on this. ;( anyone who has already tried... I need some info how you did it guys. thanks a lot!

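Added example (not code from the thread): a preflight check for the root cause found above, reporting whether this PHP installation can make HTTPS calls at all and which php.ini it actually loaded, which is the detail that matters on bundles such as XAMPP that ship several configuration files. The function name `tls_preflight` is hypothetical.

```php
<?php
// Added example: tls_preflight() is a hypothetical helper name.

/** Return a list of problems that would stop an HTTPS request to a payment gateway. */
function tls_preflight(): array
{
    $problems = [];
    $ini = php_ini_loaded_file() ?: 'none';

    if (!extension_loaded('openssl')) {
        $problems[] = "openssl extension is not loaded (php.ini in use: $ini)";
    }

    // fsockopen("ssl://...") and the https:// stream wrapper need these transports.
    $transports = stream_get_transports();
    if (!in_array('ssl', $transports, true) && !in_array('tls', $transports, true)) {
        $problems[] = 'no ssl/tls stream transport is registered';
    }

    if (!extension_loaded('curl')) {
        $problems[] = "curl extension is not loaded (php.ini in use: $ini)";
    } else {
        $info = curl_version();
        if (!($info['features'] & CURL_VERSION_SSL)) {
            $problems[] = 'libcurl was built without SSL support';
        }
        if (!in_array('https', $info['protocols'], true)) {
            $problems[] = 'libcurl does not list https among its protocols';
        }
    }

    return $problems;
}

$problems = tls_preflight();
if ($problems === []) {
    echo "TLS support looks complete\n";
} else {
    foreach ($problems as $problem) {
        echo "PROBLEM: $problem\n";
    }
}
```

Run it through the same SAPI that serves the payment page (web server, not only the command line), since each can load a different php.ini.
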