Security Question: Accepting orders ONLINE but processing the payment OFFLINE...

Discussion in 'Web Design and Development' started by h0kie99, Aug 8, 2006.

  1. h0kie99 macrumors member

    Joined:
    Jul 31, 2004
    Location:
    VA
    #1
    A client of ours currently uses VeriSign for online credit card processing. Works just fine. The client now wants to eliminate online payment processing by accepting the customer's billing info (including full credit card number) via a secure web form and then processing the payment using their credit card machine in the office. I am not a security expert -- I leave that up to my programmers -- but I am immediately concerned that any options we have here are not completely secure. Of course I am going to talk to the programmers about it (when they get in later today) but I am looking for some of your advice as well. Why would we take VeriSign OUT of the process?? Please help me understand what (if any) secure options there are out there: storing info in a database (legal??), e-mailing the info to the client (completely non-secure??), etc.

    THANKS!
     
  2. reh macrumors 6502a

    Joined:
    Oct 24, 2003
    Location:
    Arkansas
    #2
    If you run too many card numbers through your machine without the card, you're likely to get a hold or two placed on your account for a while. It happened to a race I used to work with that accepted entry forms via fax.
     
  3. savar macrumors 68000

    Joined:
    Jun 6, 2003
    Location:
    District of Columbia
    #3
    Why? To save money? Maybe you want to suggest a cheaper solution like PayPal Payments Pro ($20/mo.).

    Are you saying they want to print out people's names and credit card numbers and then enter them manually? Whenever people enter the equation, security drops drastically -- even more so if you're converting this data to any sort of hard output. Are those documents going to be shredded afterwards? It sounds like a terrible idea to me.
     
  4. ChicoWeb macrumors 65816

    Joined:
    Aug 16, 2004
    Location:
    California
    #4
    You are asking for trouble.

    It all depends on how that information gets to the client. If it goes through email, forget it. They are breaking every law in the book and are asking for a lawsuit. The only way a professional business should accept payment online is through a secure gateway, accept the CC and not store any info. Would you want your CC info going through people's email??

    It's practices like this that really scare me sometimes when I use my CC online. Just make sure you tell them over and over again that this is 100% against your professional opinion so you are not liable. I might even take it a step further and make them sign off on something. They might claim "They didn't know" our web designer handles that.
     
