
php credit card processing

Jul 12, 2010 11:13 AM

My merchant account company is raising my rates and making me buy new software. I am looking for a different solution and anyone familiar with credit card processing may be able to give me some good advice.

 

Up until now, I used software that I installed on my computer that would enable me to process transactions over the Internet. My question is: When someone gives me a credit card number, can I process credit cards using a secure page coded with php? I have a dedicated IP, I can get an SSL certificate, and I can sign up with a credit card gateway like Authorize.net. Why would I need a merchant account (who will charge me a percentage of everything I make)?

 

There are a number of good php credit card processing scripts available. Can I bypass the merchant account company using a php page that will process my credit cards?

 
Replies
  • Oct 5, 2010 8:47 AM   in reply to J Cellini

    Hi

     

    Using php to collect and encrypt credit card details and store them in a database using ssl is relatively simple and requires less than one page of php code, (A4, not minimized). The problems arise in your final decision of where to process the payment, as every one of them is different, (some major, others only require a simple line of code to be changed).

     

    Unless you really need to, try and avoid the ones that require a Visa/Mastercard 'secure pay' form of payment, as these will require extensive programming initially to set up. The simplest is obviously PayPal's service with IPN, which can be 'scripted' in a few hours at most, providing you already have the database set up and an SSL connection and folder; others such as a bank merchant account can require much more.

     

    Whatever happens, do not apply the SSL certificate to your entire server but just the folder/section that requires it.

    The other item to watch is that the use you indicate is what is known as a 'card not present' transaction, and many card processing providers do not allow this.

     

    PZ

     
  • Jul 14, 2010 6:28 AM   in reply to J Cellini

    Hi John

     

    The php code and the process are tightly related when it comes to processing your own credit card transactions and then passing them on for payment authorisation.

     

    All the items must be done on the secure server section of the site, and will depend on whether you wish to create a user account or not; this is for the non-user account:

     

    1. Customer fills in their details on the order form (name, address, credit card info, etc.).
    2. Details stored in temp database for such transactions via a php back-end script, using encryption for credit card details.
    3. Customer is then shown a confirm page, with the details of the order, only the last four digits of the credit card number are shown.
    4. If the user clicks 'place order', another back-end php script transfers the details to a permanent database and sends the details for transaction confirmation to your credit card authorization gateway.
    5. Payment status sent to another back-end processing script for completion of transaction, this is often done via ipn or similar system.
    6. Confirm payment and details are displayed to the customer, along with your transaction number, (this one may be omitted) and customer order no.

     

    That's basically the procedure, the scripts can be on the same page using functions, or separate scripts if using procedural code. There are obviously many variations on this procedure but this one is probably the most common.

     

    The use of 'secure pay' adds another two steps to this procedure in that the customer is sent to their card provider's site for a second step to the authentication. There they must give a user name and password, (previously agreed and confirmed, if not it gets more complicated) in order to confirm that they are the card holder, before the actual card transaction can continue. To give you some idea of the complexity of the 'secure pay' set-up, the general extra cost can range anywhere between $1000 and $3000, (depending if done within web site development budget, or as an extra) converting from U/K £ to $.

     

    BTW, the secure pay is normally used by bank card processing; these used to be known as 'Merchant Accounts', but PayPal and others started using this term for their accounts, which complicated the issue. The bank processing is what I am referring to with this term, and the fact that Visa and Mastercard use a different processing procedure is why I say 'avoid'.

     

    (Sorry if this explanation is a little long, but once you go outside the standard card processing, it does get more complex).

     

    I came across a web site (hotscripts.com) and found some PHP scripts that process credit cards.

     

    Unless you are happy adding extra security checks to the code to validate your site is the one using it, try to avoid any scripts that are 'in the public domain'. This is not said with any prejudice or doubt regarding the code, more that once you process your own credit cards you become completely responsible, (legally) for any fraud or misuse that results from your scripts/site.

     

    One other item is that I would recommend using PHP PDO with MySQL transactions and bound parameters/stored procedures for this, mainly because they add extra levels of security and redundancy to the procedure, which is not possible using the standard php/mysql code.

     

    Hope this clears a few details up.

     

    Paula Z
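Steps 2 and 3 of the procedure above, written with the PDO bound parameters and transaction recommended later in the same post. This is an added example, not code from the thread or from any product mentioned in it; the pending_orders table, the column names and the sample order are constructed, and an in-memory SQLite database stands in for MySQL so it runs offline. Only the last four digits of the card are written to the database, which is what the confirmation page needs; the full number goes straight to the gateway at step 4 and is never stored.

```php
<?php
// Added example (not from the thread): step 2 of the order procedure with PDO
// bound parameters inside a transaction. Only the last four digits of the card
// are stored (for the confirmation page, step 3); the full number is never
// written to the database. SQLite in memory stands in for MySQL.

function lastFourDigits(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);   // drop spaces and dashes
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        throw new InvalidArgumentException('card number has an unexpected length');
    }
    return substr($digits, -4);
}

// Returns the new pending order id; any failure rolls the transaction back.
function storePendingOrder(PDO $db, array $order): int
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO pending_orders (customer_name, amount_cents, card_last4)
             VALUES (:name, :amount, :last4)'
        );
        $stmt->execute([
            ':name'   => $order['name'],
            ':amount' => $order['amount_cents'],
            ':last4'  => lastFourDigits($order['pan']),   // never the full number
        ]);
        $id = (int) $db->lastInsertId();
        $db->commit();
        return $id;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pending_orders (id INTEGER PRIMARY KEY AUTOINCREMENT,
           customer_name TEXT NOT NULL, amount_cents INTEGER NOT NULL, card_last4 TEXT NOT NULL)');

// Constructed sample order; 4111 1111 1111 1111 is the usual Visa test number.
$orderId = storePendingOrder($db, ['name' => "O'Brien",   // quote is harmless when bound
                                   'amount_cents' => 4999, 'pan' => '4111 1111 1111 1111']);
$row = $db->query('SELECT customer_name, card_last4 FROM pending_orders')->fetch(PDO::FETCH_ASSOC);
printf("Order %d for %s, card ending %s\n", $orderId, $row['customer_name'], $row['card_last4']);
```

Requires the pdo_sqlite extension; with MySQL, swap the DSN and the AUTOINCREMENT keyword and the rest is unchanged.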

     
  • Jul 14, 2010 6:38 AM   in reply to pziecina

    Hi John

     

    Just as an extra to my previous post, paypal/google and other processing gateways that can do all the card processing, have to incorporate the 'secure pay' options for processing within the next 4 years, (was originally one year) so expect to have to incorporate this at some time in the future if you do your own. I suspect that the procedure will become much simpler and unified within that time though, reducing the time/cost by at least 50%.

     

    Paula Z

     
  • Jul 30, 2010 11:50 AM   in reply to J Cellini

    Hi!

     

    I recently created a blog post on this topic:

    http://www.propellingsolutions.com/2010/07/how-to-process-credit-cards-in-flex-and-air-applications/

     

    If you're looking for an Air Application that processes credit cards, I don't think there is one.  That'd be a neat startup in its own right.

     

    The big issue is PCI compliance.  You can no longer just create a php/air/flex/whatever application and start taking people's credit card information.  First you have to build the system, then you have to pay for an expensive audit ($8,000 at minimum), and from there you have to become compliant if you're not already... it's an expensive process.

     
  • Jul 31, 2010 5:48 AM   in reply to AlexCook

    Hi John

     

    This is in addition to what Alex has written, just to add a little more info for those interested.

     

    Alex Cook is correct about PCI compliance, (although I thought the date for compliance had been 'put back' a few years) but only if you are doing the complete transaction service yourself, and not through a merchant account. But, and this is a big BUT, you are still required to be compliant on your side of the service, (remember Secure Pay and the $3000); your merchant service should do the rest of this for you though.

     

    Another thing that I forgot to mention - you must also register and comply with any data protection legislation for the country that you trade from, and comply with any legislation for other countries that you trade with.

     

     

    Paula Z

     
  • Aug 2, 2010 6:24 AM   in reply to J Cellini

    Hey John

    I was looking to get the same solution as you and read your thread. I understood it isn't worth it.

    I wanted to get some advice from you about how you're going to do it. Google Checkout? What is the best and most efficient way to do it?

    Thanks.

     
  • Aug 2, 2010 8:43 AM   in reply to J Cellini

    Hi John...

     

    First - Never, ever, under any circumstances store consumer credit card data in your database. Period. In a shared host environment there is no way to adequately secure it and doing so exposes you, or your client to real legal and liability issues.

     

    Here's a blog post on the topic: http://blog.cartweaver.com/index.cfm?newsid=13

     

    You'll notice that this is a fairly old post, and this issue hasn't gotten any less critical.  In fact - note to self "do an updated post on this" - because even a "hold harmless" agreement from the client won't adequately protect you any more. So, just don't do it.

     

    As for gateways - I'd recommend one of the dedicated true real-time processors (frankly I don't think highly of either PayPal Web Payments Pro or Google Check-out, both are "hybrids" that serve to promote their brand on your store - not a truly professional approach)  I would recommend one that is reputable and truly operates in real time and transparently like Authorize Net, PayPal PayFlow Pro, or LinkPoint.

     

    Hope this helps. If you have any other or specific questions let me know I'd be happy to help.

     

    --
    Lawrence Cramer   *Adobe Community Professional*
    www.Cartweaver.com
    Complete Shopping Cart Application for Dreamweaver, available in PHP and CF

     

     


     
  • Aug 2, 2010 10:40 AM   in reply to J Cellini

    Hi John

    But there are a lot of companies (like GoDaddy, hosting companies, cell phone companies, etc.) that keep a credit card on file and automatically charge it every payment period.

    One interesting statistic on this is that it is estimated that this is how over 60%+, of credit card details are acquired for illegal use, (from cards that are not stolen).

     

    As for the security, the database must be housed in a secure and fire proof location, and have access restricted via extensive security measures, (think similar to a bank vault, and you are not far from the truth).

     

    Access to the database must be restricted and secure, (complete definition is some-what 'open').

     

    The 'openness' of the definitions always leaves the holder of the information/database responsible for any and all losses/misuse of information.

     

    I know that did not make the situation clear, but as I tell clients regarding this, it is worded so as to make them responsible for just about anything they, or the staff employed by them, may do regarding the information. One interesting feature of the rules and regulations is that most governments and many banks are exempt.

     

    Paula Z

     
  • Aug 2, 2010 11:18 AM   in reply to J Cellini

    Hi John

     

    Yes, but once you have access to the database you also have access to the encryption method, and often the code used to create it on larger databases. Stored procedures and transactions are stored on the database, (so much for my 'more secure'); they actually are, as you must have access to the database server in order to access them. This is just one reason why the database server for such information is regarded as something that must be separate and not shared in any way with the normal 'open' to the public hosted http/shared-database servers.

     

    Paula Z

     
  • Aug 2, 2010 11:21 AM   in reply to J Cellini

    How is Cartweaver better than other 3rd party shopping carts?

     
  • Aug 2, 2010 12:31 PM   in reply to J Cellini

    Hi John

     

    Could hackers retrieve the encryption method for passwords and hack into your account?

     

    If you remember or have read a few of the replies I have posted regarding 3rd party and/or open source software, then you now know why I always say 'use with caution'.

     

    Paula Z

     
  • Aug 2, 2010 1:34 PM   in reply to J Cellini

    Got it. I will probably end up getting Cartweaver myself. After all, I've been looking in this forum and others and I came to the conclusion that the parameters here are time, professionalism, convenience and security. If I try to put all the info I got together I will probably end up getting Cartweaver. Just not sure yet about the payment process. Does Authorize.net work well internationally, outside of the States?

     
  • Aug 2, 2010 3:13 PM   in reply to netartdesign

    Authorize Net can take orders from other countries no problem, we get orders from all over the world. Now if you are in another country, like the UK or somewhere in the EU then you may need to see what is available to work with your local merchant accounts.  So depending on your location it may take a little research to come up with the best solution.

     

    For the US, while we have developed integrations with many payment gateways, Authorize Net is about my favorite. They are very reliable, have competitive rates and also have one of the best fraud prevention suites around.

     

    Lawrence Cramer   *Adobe Community Professional*
    www.Cartweaver.com
    Complete Shopping Cart Application for Dreamweaver, available in PHP and CF

     


     
  • Aug 2, 2010 3:17 PM   in reply to Lawrence_Cramer

    OK, thanks for the help.

     
  • Aug 2, 2010 4:05 PM   in reply to netartdesign

    I avoid doing much "horn blowing" on this forum, it's not a place to sell. If you'd like a bit more info feel free to pop me an e-mail directly at:  lawrence  at  Cartweaver dot com I'll be happy to answer any questions you have.

     

    Lawrence Cramer   *Adobe Community Professional*
    www.Cartweaver.com
    Complete Shopping Cart Application for Dreamweaver, available in ASP, PHP and CF

     


     
  • Aug 3, 2010 5:49 AM   in reply to netartdesign

    Hi

     

    First, sorry John for hijacking this thread.

     

    Netartdesign -

     

    Continuing from the discussion in the Dreamweaver general forum, and your questions both here and in that discussion - I have heard many good recommendations for Cartweaver, but I have never used the product myself, so how it compares to products such as eCart from WebAssist (http://www.webassist.com/dreamweaver-extensions/ecart/) I do not know, (if someone wishes to send me a copy for evaluation) but as I am based in the U/K and much of my work is in the US, I would point out that the Authorize.net payment system does not have as good a reputation in the U/K and Europe as it does in the US. From what I have heard there is a 'more than normal' delay with you receiving the payments into your account, but how this compares to services such as PayPal I do not know.

     

    That said, even when you go through the more advanced merchant accounts that are set-up via your bank in the U/K, the problems are rarely worth the extra effort unless you are expecting an annual turnover in excess of £100,000.00p. (approx = $155,000.00). The main form of on-line payment and most recognized in the U/K and Europe is, (unfortunately) still paypal.

     

    Paula Z

     
  • Aug 5, 2010 4:51 PM   in reply to J Cellini

    Unless you're running a PCI compliant dedicated server for that one website, you are not supposed to be storing any credit card information. I recommend using a gateway service approved by the merchant account with a virtual terminal and documented API to hook into via any programming language, including php. Best of luck.

     