gorgon2k Posted October 4, 2012 Share Posted October 4, 2012 HI guys have a bit of a logic question. I have a client that does event registration on sites A. B. and C. and they would like to start taking payments for the registrations. Now it would be a bit outlandish to create a payment platform on each site so I'm thinking of handling all the payments on an external source say, site D. now, what i'd need to do is create some sort of API that will receive payment data and handle it accordingly (I.E. process, reject, return messages etc.). My biggest concern is A. the security of this (PCI Compliancy) and B. really differentiating between clients (site A. B. and C.) and the possibility to vastly expand in the future. My understanding is that there needs to be some sort of handshake(TLS handshake?) from one server to another. I think most importantly it's getting the information from the servers of site A. B. and C. to the server of site D. securely. On site D. I would use a payment library and framework to manage/handle the payments and return a payment status. Am I understanding this correctly? Am I missing anything? Am I completely off base and risking alot? Thanks guys... P.S. if there's any consultants out there that are very good and have experience in this field, and are from the U.S. feel free to get in touch, I do pay. Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted October 4, 2012 Share Posted October 4, 2012 You could just accept google checkout or something, that would solve your problem immediately. Consider this: Server D has two APIs: 1) Establish session 2) Accept payment information This is how it would work: 1) Servers A, B, and C are about ready to take a customer's payment. They submit a server-to-server call to API 1, "Establish Session", with the username and the domain name of the site. 2) Server A/B/C print a form to the client containing this session ID, which POSTS to server D 3) Customer fills in billing information, including card number and CVV. 4) Customer clicks submit. Data is posted securely to server D (the only server which needs an SSL certificate). 5) Server D accepts the payments, processes them, assigns the payment to the account, and redirects the user back to server A/B/C based on the server identifier found in the session. 6) The customer never realizes they've hit server D unless they were watching their network traffic. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.