vmtech — 2011-04-06T12:08:41-04:00 — #1
I have a client that received rental information via a form on their web site. It gets all the basic information and credit card to reserve the reservation on. What is the best and easiest way to secure the information?
The client is extremely non-technical, anything beyond receiving an email is too much for her. She recently purchased an SSL through her host, Bluehost, and now wants the reservation and contact forms to be secure through it.
The past hour of reading on here and elsewhere mainly recommends using a PHP database, PayPal, or some other shopping cart options. Like a lot of companies though, this one is struggling and can't spend more funds on this.
Please give me suggestions, or how to integrate PayPal into the existing form would be great. Thanks.
ted_s — 2011-04-06T12:35:50-04:00 — #2
It sounds like you need to customize an order process with a very simple cart that has a nice checkout process you can adjust. Depending on what's being booked (i.e. hotel rooms vs rental cars) there may be some scripts that come a step closer.
What's essential here is that you understand you can not store credit card numbers (you aren't going to become PCI level 1 compliant for a customer worried about the cost of her cart), you can not email them, you can not put them in a database. Once they hit your payment provider that should be the last you see of them and any authorization of the charge should happen via confirming the authorization.
PayPal integration for those that want to forgo traditional merchant accounts, or just offer an alternative, is very common place and of course easier for security as the transaction happens off-site (this can however impact conversion rates). Almost all shopping carts support paypal and paypal has it's own simple ordering script which may suffice for a reservation -- the site would pass some critical details like the length of the visit, the property, whatever, and the user would do the rest on paypal's payment form.
contentsynergy — 2011-04-17T01:38:46-04:00 — #3
I think you need to go even simpler - think Wufoo for example. Hosted form, hosted solution. No matter what they have on their own server, if they have no technical skills if it gets hacked they are SOL.
Bluehost also offers iPayment (its on their cPanel BTW), which allows clients to accept payments online without needing to build out any code. Heck, you can even get a shopsite cart through your BlueHost account.
samdean — 2011-04-19T17:32:17-04:00 — #4
A credit card will not be denied if the address is entered wrong, it is up to the merchant to decide what to do if the address only matches partially or not at all. You can deny the sale, or require the buyer submit additional information, or give them the opportunity to correct the address information, before processor the transaction.
ted_s — 2011-04-19T18:04:37-04:00 — #5
How does that relate to the topic at hand? Are you suggesting they need a closer look at information before processing orders?
fergal — 2011-04-20T12:02:44-04:00 — #6
Perhaps 2Checkout.com would be worth a look.
p2409 — 2011-04-24T11:57:55-04:00 — #7
Given the client is clueless, and has no money one possibility might be to simply store the data in a flat file after it's HTTPS collected, and write PHP code to encrypt/decrypt the flat files (with the right extra encryption module loaded in - your hoster may have it). An alternative to Paypal or the other DIY payment systems mentioned.
I don't understand why people go into business but can't face spending a few hundred dollars on things like a decent payment or ordering system - even the free stuff like oscommerce is great for basic shopping. If she can't bear to spend a little on a site, I'd advise her get out of the online component of her business for the time being and focus just on the 'real-world' side of things.
ted_s — 2011-04-24T15:55:18-04:00 — #8
Credit Card numbers can not be stored and transfered with simple encryption. To store numbers you would have to go through a PCI compliance process and review -- far more expensive than integrating a third party.
Even many companies with a high level PCI complaince don't store numbers. It's risking your business whether it's from hackers or just a rogue employee.
sagewing — 2011-04-24T17:15:57-04:00 — #9
This is the biggest red flag warning I've seen in a while. I would make a recommendation for a very established, safe vendor who can handle their business entirely (i.e. PayPal type of thing) and then stay as far away from this as you possibly can.