fusionpixel Posted February 25, 2009

What is the best way to handle security in regards to credit card transactions? My form does 5 steps:

1. Show form (validate JS)
2. Validate (PHP)
3. Confirm by client
4. Send to gateway
5. Receive response from gateway

My concern is steps 2-4, because somehow I need to have access to sensitive information (credit card, exp date) while the user confirms from page to page before sending to the gateway. Any ideas? Of course hidden fields are out of the question.
chronister Posted February 25, 2009

I am assuming that through this whole transaction you're doing it over an encrypted connection (https://yoursite.com/blah)... If the URL starts with http and not https, then stop right now and get an SSL certificate and get the encrypted connection set first.

There are a couple of things you can do to pass information securely. The most obvious one is to use sessions. If you're in a shared hosting environment, then this may not be the best thing, as a compromised host in the shared environment can mean your site is compromised too.

The other way would be to use a database. You may even be able to use a temporary table in this instance so that the table exists for the duration of the transaction, but is not a permanent object that can be accessed. I am not too familiar with temp tables, so you might want to read up on them as far as security and such. If you use a db of any sort, then you are going to want to use a 2 way encryption model so that the data is stored encrypted and you can pull it back out and use it decrypted. I am not too familiar with 2 way encryption either, so check on that.

Those are where I would start looking. There may be other suggestions, but this is where I would start.

Nate
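As an added illustration of the session-plus-encryption approach discussed above (this is example code written for this page, not anything posted in the thread), the script below walks the poster's steps 2 to 4 on the server side: validate the card, seal the sensitive fields with authenticated encryption before they go into the session, show the confirm page only the last four digits, and decrypt just in time for the gateway call, wiping the blob afterwards whatever the outcome. It assumes PHP 7.2 or later with the sodium extension, a key delivered out of band through a hypothetical `CARD_WRAP_KEY` environment variable, and a stand-in `$gateway` callable in place of a real processor API; the `$session` array stands in for `$_SESSION` so the flow can be run from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.2+ with the sodium
// extension and a 32-byte key supplied out of band through the environment
// variable CARD_WRAP_KEY (hex), a hypothetical name chosen for this example.

// Luhn check: rejects typos before anything is stored.
function luhn_ok(string $pan): bool
{
    if (!ctype_digit($pan) || strlen($pan) < 12 || strlen($pan) > 19) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// A card is usable through the last day of its expiry month.
function expiry_ok(int $month, int $year): bool
{
    if ($month < 1 || $month > 12 || $year < 2000) {
        return false;
    }
    $end = (new DateTimeImmutable(sprintf('%04d-%02d-01', $year, $month)))
        ->modify('last day of this month')->setTime(23, 59, 59);
    return $end >= new DateTimeImmutable('now');
}

function wrap_key(): string
{
    $hex = getenv('CARD_WRAP_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CARD_WRAP_KEY must be 64 hex characters');
    }
    return hex2bin($hex);
}

// Authenticated encryption (XSalsa20-Poly1305): fresh random nonce per blob,
// and the tag makes a modified blob fail rather than decrypt to garbage.
function seal_card(array $card, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = sodium_crypto_secretbox(json_encode($card), $nonce, $key);
    return base64_encode($nonce . $ct);
}

function open_card(string $sealed, string $key): array
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('malformed card blob');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('card blob failed authentication');
    }
    $card = json_decode($plain, true);
    sodium_memzero($plain);
    return $card;
}

// Step 2: validate, then keep the sensitive fields only server-side and encrypted.
function stage_card(array &$session, array $post, string $key): array
{
    $pan = preg_replace('/\D/', '', (string) ($post['pan'] ?? ''));
    $m = (int) ($post['exp_month'] ?? 0);
    $y = (int) ($post['exp_year'] ?? 0);
    if (!luhn_ok($pan) || !expiry_ok($m, $y)) {
        return ['ok' => false, 'error' => 'invalid card details'];
    }
    $session['pending_card'] = seal_card(['pan' => $pan, 'exp_month' => $m, 'exp_year' => $y], $key);
    $session['card_last4'] = substr($pan, -4); // all the confirm page (step 3) needs
    return ['ok' => true, 'last4' => $session['card_last4']];
}

// Step 4: decrypt just in time, hand to the gateway, and wipe whatever happens.
function submit_card(array &$session, string $key, callable $gateway): array
{
    if (empty($session['pending_card'])) {
        return ['ok' => false, 'error' => 'nothing staged'];
    }
    try {
        $card = open_card($session['pending_card'], $key);
        return $gateway($card);
    } finally {
        unset($session['pending_card'], $session['card_last4']);
    }
}

if (PHP_SAPI === 'cli') {
    // Demo only: a real deployment supplies the key outside the web root, not here.
    putenv('CARD_WRAP_KEY=' . bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));
    $key = wrap_key();
    $session = [];
    // Constructed input: the well-known Luhn-valid test PAN, not a real card.
    $form = ['pan' => '4111 1111 1111 1111', 'exp_month' => '12', 'exp_year' => '2099'];
    $staged = stage_card($session, $form, $key);
    // Stand-in for the gateway call (hypothetical); a real one returns the processor's response.
    $gateway = function (array $card): array {
        return ['ok' => true, 'auth' => 'DEMO-' . substr($card['pan'], -4)];
    };
    $result = submit_card($session, $key, $gateway);
    var_dump($staged, $result, isset($session['pending_card']));
}
```

In a web deployment the same functions sit behind `session_start()` with secure, HttpOnly cookies (`session_set_cookie_params`) and a `session_regenerate_id(true)` once card data is staged. The point of encrypting before the session store is the shared-hosting concern raised above: a neighbour who can read the session files sees only ciphertext, because the key lives in the environment rather than next to the data. The decrypted array should never reach a log, and the PAN is held in memory only for the duration of the gateway call.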
phpdragon Posted February 25, 2009

Also check out this link, as sessions and SSL are the best way to handle it; just be sure to read the following first for some very useful tips: http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2008-04/msg00087.html
fusionpixel Posted February 26, 2009 (Author)

@chronister I think we both are in the same boat here. I am familiar with all the terms you describe and I can do either cookies/session/database sessions, but more than suggestions on what to do I was looking more for what is the best method, since I can definitely apply any of them; I just need confirmation from an expert on what is the perfect solution. Thanks again for your comments.

@phpdragon Thanks for the link!

Anyone else who might have some tips is welcome.