bimalpoudel — 2011-08-24T05:21:18-04:00 — #1
How do I store the credit card information safely and auto bill the customers?
In one of the projects, I need to collect payments in a monthly schedule, by charging the credit cards automatically. It will be a PHP script.
How can I perform auto billing? What should I consider?
eldad — 2011-08-24T07:38:25-04:00 — #2
If you are a small business the best practice today is to not store CC information at all. Instead use a payment gateway that is certificated, regulated and secure.
If this is not an option, CC information should be stored encrypted. This means that hacking into your application, web server or database without knowing your private key will not compromise any card data.
You should make sure that on it's path to the DB, the CC numbers leave no traces in logs or any other persistent storage.
This, of course, is in very high level. There is a lot around how to setup the DB encryption, how to manage the keys, how to tighten access control and so on. Those are the basics though.
As for the architecture, I would setup two completely separate environments. One is the application that uses a one-way function to encrypt CC data on the way in.
The second system, will pull the CC data from the database, decrypt the numbers and bill customers. This system should be an internal system that cannot be accessed from the outside. It is the only system that has access to the private key and it pulls data from the database (no data is pushed to it). It has to be very secure from all perspectives (network, access controls, passwords, etc.).
Not sure what you mean in:
"How can I perform auto billing?"
bimalpoudel — 2011-08-26T00:40:13-04:00 — #3
Definitely,I am not interested to store the credit cards.
But by Auto billing, I want to devise a system that charges automatically, the some amount to the customer's card. The bills are collected for a month. And it notifies the customer and charge their cards immediately. The payments are likely to vary according to the services that customer uses. Reasons are like, change in the price plans or membership types.
But the customer does not have to enter the details again.
eastcoast — 2011-08-26T14:20:20-04:00 — #4
You can do recurring payments using a payment gateway that has this facility built in e.g paypal web payments pro direct payments api
felgall — 2011-08-26T16:56:18-04:00 — #5
Credit card information is not allowed to be stored on servers connected to the internet. What you would need is for your payment processor provider to provide you with a hashed token value for each credit card number you give them that you store with the customers other info. You then pass them the token during the autobilling and let them match it back to the credit card details on their secure server.
bimalpoudel — 2011-08-27T03:20:59-04:00 — #6
Any further hints on generating the hash? And sending to the gateway?
Plus, how can I CHANGE the "amount to be charged" during each auto billing?
It is not a real recurring payment with fixed amount.
The amount is likely to vary in each auto billing.
felgall — 2011-08-27T03:23:43-04:00 — #7
You need to get the payment gateway provider to generate the hash for you - otherwise they will have no way to use it to extract the credit card details.
bimalpoudel — 2011-08-27T12:46:18-04:00 — #8
Thank you @felgall.
Seems, the specific payment gateway will have all these solved.
After all, it is a matter of data safety and secure communication.
musicperson75 — 2011-09-13T15:08:30-04:00 — #9
authorize.net would be a good payment gateway choice but there are others as well.