how to use SSL ??

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=7938
Printed Date: 30 March 2026 at 1:12pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: how to use SSL ??
Posted By: dizzyfunk
Subject: how to use SSL ??
Date Posted: 08 December 2003 at 8:19am

i have a shopping cart site i'm building.

i have ssl and not sure how to structure it.

currently the whole site is in one folder without ssl, using the WorldPay payment gateway, but we're moving to process our own payments.

WE HAVE ONE db WITH BOTH THE PRODUCT CATALOGUE IN AND THE ORDER INFO. (oops caps lock on!!)

right. so do i need to split the DB and put the order info part of it on the SSL and also the checkout pages??




Replies:
Posted By: ljamal
Date Posted: 08 December 2003 at 12:14pm
The only pages that need to be secured are those transmitting confidential info (like CC numbers).

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: dizzyfunk
Date Posted: 08 December 2003 at 12:41pm

so.. i keep the database as is.... not in the SSL.. put the checkout page (with CC number) in the SSL and also the page that admin has to get the order/cc details??

sorry.. but i'm dumb!



Posted By: ljamal
Date Posted: 08 December 2003 at 12:53pm
SSL is a protocol and a folder or something like that. If something has sensitive information that you do not want intercepted rather than using http:// use https://.

Your web host may have set up a specific folder that something has to be in for you to access their shared SSL, but in general if a domain name has SSL you can access the SSL from any folder on the domain.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: Diep-Vriezer
Date Posted: 08 December 2003 at 1:54pm
If you want, you can get a 'den Heijer Secured' certificate from me

-------------
Gone..


Posted By: Mart
Date Posted: 08 December 2003 at 1:56pm
That's if it ever gets given to you after you request it (wink wink, nudge nudge)


Posted By: dpyers
Date Posted: 09 December 2003 at 7:52pm

Couple of things to mention...

SSL encrypts everything that gets transmitted; as a result, performance suffers, so most sites have you browse and select items in a non-secured area and use a separate section/subdomain for placing the order under SSL.

When you change between the non-secured portion of your site (http://) to the secured portion (https://), you start a new session. Any session cookies are lost.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: dizzyfunk
Date Posted: 10 December 2003 at 3:28am

my question is...

do i need to have the database (that stores the credit card details) in the ssl folder also, or just the page that gets the card number?

and if it's just the checkout page, then can i send the results to an email address then instead of DB??

 



Posted By: KCWebMonkey
Date Posted: 10 December 2003 at 6:56am
the database just needs to have a good password, and be out of the www root on your server.


Posted By: the boss
Date Posted: 10 December 2003 at 1:24pm

the best way to structure a shopping cart with SSL facility is... to store all the items in a cart in a database temporarily and not in session cookies or something.. this way u will not lose anything when the browser switches from http to https

secondly have a completely separate page for CC info... use ssl for that page only..

u may also want all shoppers to register first if u r storing the cart items in a database and not in session cookies or cookies



-------------
http://www.web2messenger.com/theboss


Posted By: Gullanian
Date Posted: 10 December 2003 at 1:27pm

You need to check that you're by law allowed to store credit cards in a database. There are certain terms and conditions you need to abide by before you can do something like that.



Posted By: ljamal
Date Posted: 10 December 2003 at 1:33pm
Visa has the strictest rules regarding the storage of credit cards. I'd suggest anyone working with e-commerce read and comply with those rules. There are some pretty stiff penalties for failure to comply.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: michael
Date Posted: 10 December 2003 at 3:01pm
That's right; for example, it is forbidden to store CCs on a server that is shared with other companies. Even though it may be convenient for the buyer, I would not even store CC#s: have them enter them, process, and forget it. Whoever does the processing, depending on the card, does not even need the number but the Authorization Code.

-------------
http://baumannphoto.com - Blog | http://mpgtracker.com - MPG Tracker


Posted By: Gullanian
Date Posted: 10 December 2003 at 3:38pm

The easiest way is to hire a third party, then all the responsibility is placed upon them.



Posted By: dpyers
Date Posted: 10 December 2003 at 8:31pm

As someone who had his credit card lifted off of the server of a site selling CDs, I'm a big advocate of not keeping cc info at all.

I don't believe there's ever been an instance of someone lifting credit card info while it was in transit over an ssl/vpn connection. But there have been a lot of instances where someone lifted a few thousand from a db.

FWIW, most of the larger outfits run their DBs behind a DMZ. An exposed web server passes a request along a specific port to an app server behind a dmz. The app server passes it along to a db server within the dmz. If confidential personal info is involved - e.g. medical, ssn, or cc info - there's usually another dmz that has yet another db server behind it for that info. The two db servers talk to each other over non-standard ports, often using specific process ids that are set at boot time.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: dizzyfunk
Date Posted: 11 December 2003 at 2:08am

ok then... all this is understandable.. but please.. i'm new to all this so need to know what to do....!

if i have a page in the ssl that takes the user's credit card and emails it to the company processing the order, using CDONTS, will that work and will it be secure??

 



Posted By: the boss
Date Posted: 11 December 2003 at 2:52am

the same individual doesn't make online purchases every day from ur site, nor anywhere near frequently.... so why fall into a mess by storing CC numbers.. just let the user enter it each time they make a purchase. bet the identical user just makes a purchase once a year from ur site..

BTW... CC number in email.. that's the silliest thing to think of



-------------
http://www.web2messenger.com/theboss


Posted By: dizzyfunk
Date Posted: 11 December 2003 at 3:02am

ok then - funny man!! i'm asking for help here and you're just taking the piss?!?!?

what do i do then???

my customer wants to process the credit card transaction himself thru his point of sale machine in his shop. he needs to get the cc number from the website; how can he do it then?

you're saying not to store the cc in the DB. so, being obviously not as knowledgeable as your greatness(!!!) i suggested email.. look - i made it clear at the beginning of this post that i don't know.. that's why i'm posting for help..



Posted By: dizzyfunk
Date Posted: 11 December 2003 at 3:03am

someone mentioned visa requirements - do you have a link?

i've looked on the visa site and can't find it

 

thanks in advance

 



Posted By: ljamal
Date Posted: 11 December 2003 at 4:37am
Here you go.
http://www.usa.visa.com/business/merchants/cisp_index.html?it=h2_/index.html

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: Mart
Date Posted: 11 December 2003 at 9:21am
Emails can be read at SMTP servers in dump directories. Unless you send it encrypted, I can't even think where to start my criticism. You should also put your login page in an SSL dir, because if someone nicks their username and password they could log in and go on a shopping spree.


Posted By: dpyers
Date Posted: 11 December 2003 at 4:39pm

You can also encrypt the email. The server and the recipient each have a key. I'd use a VPN between the server and the customer in this case, but you need to be aware of where the email may be stored before the customer gets it and secure that area as well. Some *nix distributions support an encrypted file system. Also, don't forget that most hosts make backups that aren't anywhere near as secure as the online disks.

The customer's PC in this instance would also require some sort of physical and technological security.

This whole scenario is why I drop cash every year on business insurance that covers errors and omissions. CC processing isn't something you want to get into until you've done a lot of research.

The bottom line is that you have to weigh your potential risk (lawsuit from the customer to recover any losses) against the cost and effort of offloading that risk, either through a larger investment in security, insurance, or by contracting with a third party cc handler.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: Gullanian
Date Posted: 11 December 2003 at 5:20pm
Just hire a third party CC processor


Posted By: God_Struth
Date Posted: 11 December 2003 at 5:41pm
Originally posted by dizzyfunk:

i suggested email.. look - i made it clear at the beginning of this post that i don't know.. that's why i'm posting for help..

Don't use email, plain and simple. Even trying to encrypt etc. is not a fail-safe way to go. Rule this out and ensure your customer knows it's not a viable option.

What sort of database are you going/thinking of using?

If it's Access then you would have to ensure it's in a secure directory, and maybe also password protect the database itself.

If it's SQL Server then that may well be a different story altogether as it's far more secure.

Either way, the only other files you need to protect are the login and the processing + collection pages; everything else can be outside the https:.

(Do you have a certificate to enable https: on your server/site? Verisign or Thawte for the digital cert.. )


My personal preference would be to use a third party like Worldpay or PayPal unless it was essential to do it myself.

The main reason being, as has already been mentioned, the possibility of fraud. YOU can/could/would be held liable if your 'system' had a flaw and someone got the CC numbers; you could be talking a hell of a lot of money if you got stung.


The easy way out would be to tell the customer that you don't do that field of web technology; tell them it's a specialist area requiring someone with comprehensive knowledge of Secure Web Services.

Course I am joking, but unless you know what you're doing things could get sticky if you feck things up

-------------
"I'm only trying to help......"


Posted By: Diep-Vriezer
Date Posted: 12 December 2003 at 2:31am

Originally posted by Gullanian:

Just hire a third party CC processor

I think this is the best thing to do, since you aren't responsible for the stuff. Besides, sending CC information using e-mail isn't smart at all, not even when using encryption, since all cryptography methods can (and will) be cracked either by hackers or the US gov.



-------------
Gone..


Posted By: dizzyfunk
Date Posted: 12 December 2003 at 2:48am

big thanks to all... especially GOD_STRUTH, your post was the clearest for me!!

i think i should speak with the client to go down the route of worldpay - even though we've already paid for the SSL extra!! never mind.. better safe than sorry!!

and on that encryption point.... maybe that's why the us gov doesn't allow better encryption than 1024bit??? food for thought.....



Posted By: the boss
Date Posted: 12 December 2003 at 6:02am

i will suggest u the best thing..

hook the POS machine to the webserver.. these days i believe the POS machine software provides APIs and stuff which will let u call machine functions and transfer data using VB, C++ or ASP..



-------------
http://www.web2messenger.com/theboss


Posted By: charelke
Date Posted: 12 December 2003 at 12:02pm

Hi All,

First of all, nobody needs to buy a certificate, as the Microsoft site offers a download which contains a utility called selfSSL which, when run, will enable your server for SSL. So a standard Windows XP Pro or Windows 2000 Pro with IIS can run SSL and serve up SSL webpages.

To prove it is possible check this URL: https://www.osstyn.no-ip.com

It will also respond under http://www.osstyn.no-ip.com. When building a site you decide when to use HTTPS, but as explained there is some overhead, as the info traveling from the server to the client is shielded (not encrypted); SSL creates a private tunnel but does not encrypt anything. This takes a little longer, so there is a performance hit. Therefore, I only do the transaction pages via SSL. That's about it.

Most clearing houses will demand this anyway when using their CC processors: you need to be able to send the request from an SSL enabled server, their end will check the IP of the incoming request, the protocol used, and sometimes they use proprietary keys on top of that which you manage through some kind of back end solution they offer their clients. This type of back-end can be programmed in VB to be run as a server component which you can call from any asp page. This also means you can transact the server component so you can roll back transactions where necessary; when you use this in conjunction with an MS SQL 2000 DB, which can also roll back transactions on the database server where necessary, you will have a professional, secure and fail-proof transactional system. The web server component is run under a certain NT account which is hidden in the compiled code of the server component, as is its connection string to the database; therefore, this is as safe as it gets. This will however require extensive programming to get the back-end right. A lot also depends on what the credit card processor interface can do in terms of transactions, see below for more info.

Once you have implemented the certificate like this, which is done automatically, you will have an SSL enabled machine. A domain is not necessary for testing; just go to https://your public IP or https://localhost to test if SSL is working. Once you have done this, open the IIS admin MMC and right click the properties of your default site. You will see SSL is now enabled on the standard port 443 for this protocol.

When we think about your implementation, all that is needed is to link or use pages using SSL for the ones which do the transactions. This will result in the user being warned that they are changing to a secure site and the padlock will contain your SSL info.

The fact that the session cannot be shared is not a problem, as you can pass all relevant information via the url, like from the basket go to the payment page with something like this: https://yourdomain/transaction.asp?amount=1000&currency=pound&userID=2

This will allow you to bypass any session problems as you are passing around the variables needed by the transactional web page. The same thing is true when coming back with a response from the SSL pages to the success or payment processed page.

There are a lot of service providers out there which will offer you facilities to make on-line payments; they all work slightly differently and support different types of transactions, currencies and banks and charge different rates and commissions.

In the case you sell products the law says (distance selling act) that you can only charge a customer once the goods have been delivered. This means your clearing house needs to support reservation on credit cards, which you capture later with a different transaction once the goods have been shipped. Which leads to the following possible types of credit card transactions you could implement:

  • Refund
  • Reservation
  • Capture reservation
  • Annulation reservation
  • Partial Capture
  • Query status of transaction
  • ....

Too long to explain here. Depending on the server technology you use and the tools you need you will have to search for an appropriate provider you can use. This also solves the problem of storing credit card numbers, as you do not need to do this unless you want to have this available in a profiling function so the user doesn't have to type it; again this is not a good idea as it is a security issue to store this type of info, and all this info needs to comply with the Data Protection Act anyway. Stay away from this, else you will have to write a server component to access the database storing this info so you can secure it better.

The credit card processors each have a certain number of banks and currencies they support in terms of the acquiring banks they support and the type of extra security checks you can do, like address and CCV verification, to even further secure the transactions. Modern ones (see for example www.ogone.be) support XML and send responses back in XML, which makes this into a nice B2B solution you can use to charge your customers' credit cards.
However, if you're selling products you will have to do this, as you will need to run automated scripts against what has been delivered to capture the amounts on the credit cards you reserved before. This is something you need to run against the database table of things which have been delivered. I have built very complex billing systems for hotspots and could offer you a server component which works with the Ogone interface; I also have one for the Barclays E-PDQ product, but you will need a merchant account with a bank which is supported and then an account with them. All this is not cheap and will demand a lot of work to get it right. Depending on the average amount the customers pay you might also opt for some kind of micro payment solution, such as PayPal and others, which are simpler in terms of their implementations but therefore also limited in terms of what they can do for you.

Ps. If you have a Server 2003 Enterprise set up somewhere you could enable certification services and create a certificate this way; a little bit longer to explain how to do this, but it is possible. Again, it is too long to explain here.

If you need more info skype me (see www.skype.com); send me a text message first please, my user account on skype is charelke.

I am a specialist in back end integration and can write the whole thing for you in VB and SQL using stored procedures ....., let me know if you need help.

 

Cheers

Charlie

 

My contact details see https://www.osstyn.no-ip.com - i am not a designer so don't expect fancy graphics, ...
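The http-to-https handoff discussed in this thread (the basket kept server-side, as suggested earlier, with only an identifier passed to the transaction page), as an added example that is not code from any poster. The catalogue, cart store, HANDOFF_KEY, host name and all values are constructed; it also contrasts, for the reader, what happens when the amount itself is taken from the query string.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed catalogue (prices in pence) and server-side cart store. The
# basket lives in the database, not in a session cookie, so nothing is lost
# when the browser switches from http to https and the session is dropped.
PRICES = {"widget": 1000, "gadget": 2500}
CART_STORE = {}

# Hypothetical secret shared by the http and https pages (same server here).
HANDOFF_KEY = secrets.token_bytes(32)
HANDOFF_TTL = 900  # seconds a handoff link stays valid


def save_cart(user_id, items):
    """Persist the basket server-side and return its unguessable id."""
    cart_id = secrets.token_urlsafe(16)
    CART_STORE[cart_id] = {"user_id": user_id, "items": dict(items)}
    return cart_id


def cart_total(cart_id):
    """Recompute the amount from the stored cart, never from the client."""
    items = CART_STORE[cart_id]["items"]
    return sum(PRICES[name] * qty for name, qty in items.items())


def _mac(cart_id, expires):
    msg = f"{cart_id}|{expires}".encode()
    return hmac.new(HANDOFF_KEY, msg, hashlib.sha256).hexdigest()


def handoff_url(cart_id, host="shop.example", now=None):
    """Build the link from the http basket page to the https payment page."""
    expires = int(now if now is not None else time.time()) + HANDOFF_TTL
    qs = urlencode({"cart": cart_id, "exp": expires, "sig": _mac(cart_id, expires)})
    return f"https://{host}/transaction.asp?{qs}"


def amount_from_url_params(url):
    """The pattern shown in the thread: trust amount=... from the query string."""
    params = parse_qs(urlsplit(url).query)
    return int(params["amount"][0])


def amount_from_handoff(url, now=None):
    """Validate the signed handoff and return the server-side total, or None."""
    params = parse_qs(urlsplit(url).query)
    cart_id = params.get("cart", [""])[0]
    expires = params.get("exp", ["0"])[0]
    sig = params.get("sig", [""])[0]
    if not expires.isdigit():
        return None
    if not hmac.compare_digest(_mac(cart_id, expires), sig):
        return None  # cart id or expiry was altered in transit
    if int(expires) < (now if now is not None else time.time()):
        return None  # stale handoff link
    if cart_id not in CART_STORE:
        return None
    return cart_total(cart_id)
```

The signed, expiring link carries nothing the customer can profitably edit; the amount the https page charges always comes from the stored basket.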




Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net