Help me with this stupid client

I have a client who has a product and I’m tasked to create a landing page to promote this. The client is now asking me to create an order form that will take the user’s name, address (shipping, billing), email and credit card, coupon code, etc. I said we should use PayPal/Authorize.Net/Formsite or something to take this info, esp. the credit card, but she just wants it sent to her email and that way she can process the info manually and let it go through the call center. I have a feeling this goes against PCI security standards.
Is it okay to have users enter their credit card info on this site and just send it to her email? What should I do?

I think this thread has run its course - the OP obviously either got the answer he wanted or found it elsewhere. Since he hasn’t come back in over a month, THREAD CLOSED

You need to inform her that she’s going to be legally liable if those credit card numbers are compromised. CC info needs to be contained completely securely throughout the lifecycle.

Clients used to request this 10 years ago, can’t believe that some are still doing it.

Alicia

I would advise her she is opening herself to potential legal issues because email is an insecure medium.

It does.

Is it okay to have users enter their credit card info on this site and just send it to her email? What should I do?
Heck no. Email is inherently insecure. Set up a proper payment gateway.

If you are still unable to convince the client, then decline the job. Ultimately, the legal responsibility would fall to you if something should happen. It’s not something you really want to be liable for.

Here are a few other threads on similar topics, which may offer some insight and advice:

http://www.sitepoint.com/forums/business-legal-issues-61/security-credit-card-submission-via-form-748675.html

http://www.sitepoint.com/forums/php-34/securely-sending-credit-card-information-741290.html

http://www.sitepoint.com/forums/ecommerce-5/pci-compliance-when-not-storing-credit-cards-680615.html