kmark Posted June 12, 2008
I have a small client who wishes to receive credit card info online. He does not expect a lot of orders but would like the capability. So rather than have him paying authorize.net or someone like that percentages on transactions and monthly fees, I thought of a system that I thought would work and wondered if you saw any holes in it. The user has filled their cart and everything, and they reach the payment info page that is secured by SSL. They enter their credit card info that is needed and hit submit. The payment process page, which is also secured by SSL, then takes the CC# and info and encrypts it; the encrypted info is then emailed to the store owner. He is given beforehand an orphaned link to an SSL secured decrypt page that he can log in to and enter the encrypted information. Then the submission will be processed on an SSL secured page and he will receive the unencrypted information on the page. He then enters that info into his payment terminal in his store. He then deletes the email with the encrypted CC info. Is there a major security risk in this process?

jonsjava Posted June 12, 2008
Before you go any further, look at this

kmark Posted June 12, 2008
K, I read your post and realize that nothing is ever 100% safe. The holes I see in this are the security of the machine receiving the emails, and the link to the decrypt page. But aside from that, I guess I'm referring to the online side of things: is this a horrible process, or is this just not ideal?

jonsjava Posted June 12, 2008
ANY system is breakable, given enough motivation, and time. If you're willing to take on the liability of all that sensitive data, and the possible lawsuits that could result from a compromise, then what you have is ok (not perfect, but what is?). I just want you to realize that you could be in for a world of hurt if someone got a hold of that data.

kmark Posted June 12, 2008
Thanks Jon, I realize the liability in this. I just wanted to make sure that the process itself did not have glaring holes besides the obvious.