Hi All,
First of all, nobody needs to buy a certificate, as the Microsoft site offers a download which contains a utility called SelfSSL, which when run will enable your server for SSL. So a standard Windows XP Pro or Windows 2000 Pro with IIS can run SSL and serve up SSL web pages.
To prove it is possible, check this URL: https://www.osstyn.no-ip.com
It will also respond under http://www.osstyn.no-ip.com. When building a site you decide when to use HTTPS, but as explained there is some overhead, as the info travelling from the server to the client is shielded (not encrypted): SSL creates a private tunnel but does not encrypt anything. This takes a little longer, so there is a performance hit. Therefore, I only do the transaction pages via SSL. That's about it.

Most clearing houses will demand this anyway when using their CC processors: you need to be able to send the request from an SSL-enabled server; their end will check the IP of the incoming request, the protocol used, and sometimes they use proprietary keys on top of that, which you manage through some kind of back-end solution they offer their clients. This type of back end can be programmed in VB to be run as a server component which you can call from any ASP page. This also means you can transact the server component, so you can roll back transactions where necessary; when you use this in conjunction with an MS SQL 2000 DB, which can also roll back transactions on the database server where necessary, you will have a professional and secure system and a fail-proof transactional system. The web server component is run under a certain NT account which is hidden in the compiled code of the server component, as is its connection string to the database; therefore, this is as safe as it gets. This will however require extensive programming to get the back end right. A lot also depends on what the credit card processor interface can do in terms of transactions; see below for more info.
Once you have implemented the certificate like this, which is done automatically, you will have an SSL-enabled machine. A domain is not necessary for testing; just go to https://your public IP or https://localhost to test if SSL is working. Once you have done this, open the IIS admin MMC and right-click the properties of your default site. You will see SSL is now enabled on the standard port 443 for this protocol.
When we think about your implementation, all that is needed is to link or use pages using SSL for the ones which do the transactions. This will result in the user being warned that they are changing to a secure site, and the padlock will contain your SSL info.
The fact that sessions cannot be shared is not a problem, as you can pass all relevant information via the URL, like from the basket go to the payment page with something like this: https://yourdomain/transaction.asp?amount=1000&currency=pound&userID=2
This will allow you to bypass any session problems, as you are passing around the variables needed by the transactional web page. The same thing is true when coming back with a response from the SSL pages to the success or payment processed page.
There are a lot of service providers out there which will offer you facilities to make on-line payments; they all work slightly differently and support different types of transactions, currencies and banks, and charge different rates and commissions.
In case you sell products, the law says (Distance Selling Act) that you can only charge a customer once the goods have been delivered. This means your clearing house needs to support reservation on credit cards, which you capture later with a different transaction once the goods have been shipped. Which leads to all the following possible types of credit card transactions you could implement:
- Refund
- Reservation
- Capture reservation
- Annulation of reservation
- Partial capture
- Query status of transaction
- ....
Too long to explain here. Depending on the server technology you use and the tools you need, you will have to search for an appropriate provider you can use. This also solves the problem of storing credit card numbers, as you do not need to do this unless you want to have this available in a profiling function so the user doesn't have to type it; again this is not a good idea, as it is a security issue to store this type of info, and all this info needs to comply with the Data Protection Act anyway. Stay away from this, else you will have to write a server component to access the database storing this info so you can secure it better.
The credit card processors each have a certain number of banks and currencies they support, in terms of the acquiring banks they support and the type of extra security checks you can do, like address and CCV verification, to even further secure the transactions. Modern ones, see for example www.ogone.be, support XML and send responses back in XML, which makes this into a nice B2B solution you can use to charge your customers' credit cards.
However, if you're selling products you will have to do this, as you will need to run automated scripts against what has been delivered to capture the amounts on the credit cards you reserved before. This is something you need to run against the database table of things which have been delivered. I have built very complex billing systems for hotspots and could offer you a server component which works with the Ogone interface; I also have one for the Barclays E-PDQ product, but you will need a merchant account with a bank which is supported and then an account with them; all this is not cheap and will demand a lot of work to get it right. Depending on the average amount the customers pay you might also opt for some kind of micropayment solution, such as PayPal and others, which are simpler in terms of their implementations but therefore also limited in terms of what they can do for you.
PS. If you have a Server 2003 Enterprise set up somewhere you could enable Certificate Services and create a certificate this way; it is a little bit longer to explain how to do this, but it is possible. Again, it is too long to explain here.
If you need more info, Skype me (see www.skype.com); send me a text message first please. My user account on Skype is charelke.
I am a specialist in back-end integration and can write the whole thing for you in VB and SQL using stored procedures ....., let me know if you need help.
Cheers
Charlie
For my contact details see https://www.osstyn.no-ip.com. I am not a designer, so don't expect fancy graphics, ...
Edited by charelke
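The post hands the basket's amount, currency and user ID to the HTTPS transaction page in the query string. The example below is added here and is not code from the post; the post's environment is classic ASP/VB, but the checks are shown in Python so they can be run directly. It goes slightly beyond the post by assuming (not in the original) that the basket page appends an HMAC-SHA256 signature over those fields, computed with a secret shared by both pages, so the payment page can reject a URL whose amount was changed between the basket and the payment page. `build_handoff_url`, `parse_handoff`, `ALLOWED_CURRENCIES` and `HANDOFF_KEY` are all constructed names and values for this illustration.

```python
"""Validate the basket -> payment-page handoff described in the post.

Added example, not the post's code. Assumption (not in the post): the basket
page signs the business fields with HMAC-SHA256 under a shared secret, and the
payment page verifies the signature before trusting amount/currency/userID.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Currencies the (hypothetical) clearing house supports; constructed list.
ALLOWED_CURRENCIES = {"pound", "euro", "dollar"}

# Secret shared by the basket page and the payment page; constructed value.
HANDOFF_KEY = b"example-shared-secret-change-me"


class HandoffError(ValueError):
    """Raised when the incoming transaction URL must not be trusted."""


def _canonical(params):
    """Deterministic serialisation of the business fields, used for signing."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def sign_params(params, key=HANDOFF_KEY):
    return hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()


def build_handoff_url(base, amount, currency, user_id, key=HANDOFF_KEY):
    """Basket side: build the HTTPS URL the customer is sent to.

    `amount` is an integer in the smallest currency unit (assumption)."""
    params = {
        "amount": str(int(amount)),
        "currency": currency,
        "userID": str(int(user_id)),
    }
    params["sig"] = sign_params(params, key)
    return f"{base}?{urlencode(params)}"


def parse_handoff(url, key=HANDOFF_KEY):
    """Payment side: parse and validate the incoming URL.

    Returns a dict of typed fields or raises HandoffError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise HandoffError("transaction page must be reached over HTTPS")
    qs = parse_qs(parts.query, keep_blank_values=True)
    fields = {}
    for name in ("amount", "currency", "userID", "sig"):
        values = qs.get(name, [])
        # A missing or repeated parameter is rejected rather than guessed at.
        if len(values) != 1:
            raise HandoffError(f"missing or repeated parameter: {name}")
        fields[name] = values[0]
    sig = fields.pop("sig")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sig, sign_params(fields, key)):
        raise HandoffError("signature mismatch: parameters were altered")
    if not fields["amount"].isdigit() or int(fields["amount"]) <= 0:
        raise HandoffError("amount must be a positive integer in minor units")
    if fields["currency"] not in ALLOWED_CURRENCIES:
        raise HandoffError("unsupported currency")
    if not fields["userID"].isdigit():
        raise HandoffError("userID must be an integer")
    return {
        "amount": int(fields["amount"]),
        "currency": fields["currency"],
        "user_id": int(fields["userID"]),
    }


if __name__ == "__main__":
    # Constructed demo: a valid handoff, then the same URL with the amount edited.
    url = build_handoff_url("https://yourdomain/transaction.asp", 1000, "pound", 2)
    print(url)
    print(parse_handoff(url))
    try:
        parse_handoff(url.replace("amount=1000", "amount=1"))
    except HandoffError as exc:
        print("rejected:", exc)
```

The signature only proves the fields are the ones the basket page emitted; the amount still has to be checked against the order on the server before the card is charged, since a signed URL can be replayed by the same customer.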
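The post lists the transaction types a clearing house should support (reservation, capture, partial capture, annulation, refund, status query) and describes a batch run that captures reserved amounts once goods are delivered. The following is an added example, not the post's code and not the message format of Ogone, E-PDQ or any other processor; it only models the rules the post implies: charge only after delivery, never capture more than was reserved, and refund only what was actually captured. `CardReservation`, `TransactionError` and `capture_delivered` are constructed names for this illustration.

```python
"""Rules for the credit card transaction types listed in the post.

Added example, not the post's code and not a real processor API. Amounts are
integers in the smallest currency unit (assumption).
"""


class TransactionError(Exception):
    """Raised when a transaction would violate the reservation rules."""


class CardReservation:
    """One reservation (authorisation hold) on a customer's card."""

    def __init__(self, order_id, reserved):
        if reserved <= 0:
            raise TransactionError("reservation amount must be positive")
        self.order_id = order_id
        self.reserved = reserved   # amount held on the card
        self.captured = 0          # amount actually charged so far
        self.refunded = 0          # amount returned to the customer
        self.annulled = False

    @property
    def remaining(self):
        """Part of the reservation that can still be captured."""
        return self.reserved - self.captured

    def capture(self, amount=None):
        """Capture the whole remaining reservation, or a partial amount."""
        if self.annulled:
            raise TransactionError("cannot capture an annulled reservation")
        amount = self.remaining if amount is None else amount
        if amount <= 0 or amount > self.remaining:
            raise TransactionError("capture must be between 1 and the remaining reserved amount")
        self.captured += amount
        return self.captured

    def annul(self):
        """Release the hold. Only valid while nothing has been captured."""
        if self.captured:
            raise TransactionError("use refund, not annulation, once money was captured")
        self.annulled = True

    def refund(self, amount):
        """Return money to the card; bounded by what was captured."""
        refundable = self.captured - self.refunded
        if amount <= 0 or amount > refundable:
            raise TransactionError("refund exceeds captured amount")
        self.refunded += amount
        return self.refunded

    def status(self):
        """Query status of transaction, as the post's last list item."""
        if self.annulled:
            return "annulled"
        if self.captured == 0:
            return "reserved"
        if self.refunded == self.captured:
            return "refunded"
        return "captured" if self.remaining == 0 else "partially captured"


def capture_delivered(reservations, deliveries):
    """The post's delivery-driven run: capture the delivered value per order.

    `reservations` maps order_id -> CardReservation; `deliveries` maps
    order_id -> amount delivered (both constructed inputs). Returns a
    per-order outcome so an over-delivery or unknown order is visible."""
    results = {}
    for order_id, delivered in deliveries.items():
        res = reservations.get(order_id)
        if res is None or res.status() == "annulled":
            results[order_id] = "skipped"
            continue
        try:
            res.capture(delivered)
            results[order_id] = res.status()
        except TransactionError as exc:
            results[order_id] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed demo: one order shipped in two parts, one over-delivered.
    held = {"A1": CardReservation("A1", 1000), "B2": CardReservation("B2", 300)}
    print(capture_delivered(held, {"A1": 400, "B2": 500, "C3": 100}))
    print(capture_delivered(held, {"A1": 600}))
    print(held["A1"].refund(250), held["A1"].status())
```

The batch function reports rather than raises, so a single bad order does not abort the run over the delivered-goods table.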