dizzyfunk wrote:
i suggested email.. look - i made it clear at the beginning of this post that i don't know.. that's why i'm posting for help..
Don't use email, plain and simple. Even trying to encrypt etc. is not a fail-safe way to go. Rule this out and ensure your customer knows it's not a viable option.
What sort of database are you going/thinking of using?
If it's Access then you would have to ensure it's in a secure directory, maybe also password protect the database itself.
If it's SQL Server then that may well be a different story altogether as it's far more secure.
Either way, the only other files you need to protect are the login and the processing + collection pages, everything else can be outside the https:.
(Do you have a certificate to enable https: on your server/site? Verisign or Thawte for the digital cert.. )
My personal preference would be to use a third party like Worldpay or PayPal unless it was essential to do it myself.
The main reason, as has already been mentioned, is the possibility of fraud. YOU can/could/would be held liable if your 'system' had a flaw and someone got the CC numbers; you could be talking a hell of a lot of money if you got stung.
The easy way out would be to tell the customer that you don't do that field of web technology, tell them it's a specialist area requiring someone with comprehensive knowledge of Secure Web Services.
Course I am joking, but unless you know what you're doing things could get sticky if you feck things up.