26 Replies Latest reply: Aug 5, 2010 4:51 PM by jon@cmiwebstudio

    php credit card processing

    J Cellini Community Member

      My merchant account company is raising my rates and making me buy new software. I am looking for a different solution and anyone familiar with credit card processing may be able to give me some good advice.

       

      Up until now, I used software that I installed on my computer that would enable me to process transactions over the Internet. My question is: When someone gives me a credit card number, can I process credit cards using a secure page coded with php? I have a dedicated IP, I can get an SSL certificate, and I can sign up with a credit card gateway like Authorize.net. Why would I need a merchant account (who will charge me a percentage of everything I make)?

       

      There are a number of good php credit card processing scripts available. Can I bypass the merchant account company using a php page that will process my credit cards?

        • 1. Re: php credit card processing
          pziecina Community Member

          Hi

           

          Using php to collect and encrypt credit card details and store them in a database using ssl is relatively simple and requires less than one page of php code, (A4, not minimized). The problems arise in your final decision of where to process the payment, as every one of them is different, (some major, others only require a simple line of code to be changed).

           

          Unless you really need to, try and avoid the ones that require a visa/mastercard 'secure pay' form of payment, as these will require extensive programming initially to set-up. The simplest is obviously paypal's service with ipn, which can be 'scripted' in a few hours at most, providing you already have the database set-up and an ssl connection and folder; others such as a bank merchant account can require much more.

           

          Whatever happens, do not apply the ssl certificate to your entire server but just the folder/section that requires it.

          The other item to watch is that the use you indicate is what is known as a 'card not present' transaction, and many card processing providers do not allow this.

           

          PZ

          • 2. Re: php credit card processing
            J Cellini Community Member

            Hi PZ,

             

            Thanks for responding. I am going to use Google Checkout for now, but my question had to do more with the credit card process than the php set up (in other words, what is the step-by-step procedure to process a credit card?). I came across a web site (hotscripts.com) and found some PHP scripts that process credit cards. One in particular was coded to work with Authorized.net, which is a gateway. When you go through a merchant account company, you usually pay a minimum of $30 or more a month even if you don't process a credit card that month. In addition, the merchant account company takes 2 to 3 percent of the amount of the sale. But if you use a php script to process the credit card, you don't have to pay a merchant account company to validate and encrypt your credit card and you can get an account with a gateway like Authorized.net or one of the others and pass the credit card details directly to the gateway for payment. That means all you need to pay is the fees for the gateway which is usually a low fixed monthly rate and a low transaction fee (usually something like 10 cents per transaction). There is not a percentage taken from the amount of the sale.

            In your response, you referred to "them" as in "every one of them is different" and to "the ones" as in "avoid the ones that require a visa/mastercard 'secure pay' form of payment." Are you referring to gateway accounts? Because that's what I want to do; skip the greedy merchant account companies and deal directly with a gateway account. I am trying to figure out what exactly the merchant account companies do. It seems that all the merchant account company does is to validate and encrypt the credit card information and then passes the information to the gateway (sort of acting like a reseller). Do I have that right?

            John

            • 3. Re: php credit card processing
              pziecina Community Member

              Hi John

               

              The php code and the process are tightly related when it comes to processing your own credit card transactions and then passing them on for payment authorisation.

               

              All the items must be done on the secure server section of the site, and will depend on whether you wish to create a user account or not; this is for the non-user account:

               

              1. Customer fills in their details on the order form (name, address, credit card info, etc.).
              2. Details are stored in a temp database for such transactions via a php back-end script, using encryption for the credit card details.
              3. Customer is then shown a confirm page with the details of the order; only the last four digits of the credit card number are shown.
              4. If the user clicks 'place order', another back-end php script transfers the details to a permanent database and sends the details for transaction confirmation to your credit card authorization gateway.
              5. Payment status is sent to another back-end processing script for completion of the transaction; this is often done via ipn or a similar system.
              6. Payment confirmation and details are displayed to the customer, along with your transaction number (this one may be omitted) and the customer order no.

               

              That's basically the procedure, the scripts can be on the same page using functions, or separate scripts if using procedural code. There are obviously many variations on this procedure but this one is probably the most common.

               

              The use of 'secure pay' adds another two steps to this procedure, in that the customer is sent to their card provider's site for a second step to the authentication. There they must give a user name and password (previously agreed and confirmed; if not, it gets more complicated) in order to confirm that they are the card holder, before the actual card transaction can continue. To give you some idea of the complexity of the 'secure pay' set-up, the general extra cost can range anywhere between $1000 and $3000 (depending if done within the web site development budget, or as an extra), converting from U/K £ to $.

               

              BTW, the secure pay is normally used by bank card processing; these used to be known as 'Merchant Accounts', but paypal and others started using this term for their accounts, which complicated the issue. The bank processing is what I am referring to with this term, and the fact that visa and mastercard use a different processing procedure is why I say 'avoid'.

               

              (Sorry if this explanation is a little long, but once you go outside the standard card processing, it does get more complex).

               

              I came across a web site (hotscripts.com) and found some PHP scripts that

              process credit cards.

               

              Unless you are happy adding extra security checks to the code to validate your site is the one using it, try to avoid any scripts that are 'in the public domain'. This is not said with any prejudice or doubt regarding the code, more that once you process your own credit cards you become completely responsible, (legally) for any fraud or misuse that results from your scripts/site.

               

              One other item is that I would recommend using PHP:PDO with MySQL transactions and bound parameters/stored procedures for this, mainly because they add extra levels of security and redundancy to the procedure, which is not possible using the standard php/mysql code.

               

              Hope this clears a few details up.

               

              Paula Z
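The six steps above, written out as an added example (this is not code from the thread or from any poster) in PHP using PDO with bound parameters and a transaction, as recommended in the same post. It assumes a MySQL table `orders(id, customer_name, amount_cents, card_last4, gateway_ref, status)` and a hypothetical `authorize_with_gateway()` function standing in for whatever client library your gateway documents. One deliberate variation from step 2: the full card number is passed straight through to the gateway call and only the last four digits plus the gateway's reference are persisted, so nothing in the table ever needs decrypting (this matches the later advice in the thread against storing card data).

```php
<?php
// Added example, not code from the thread: the six-step order flow in PHP/PDO.
// Assumed schema (not from the thread):
//   orders(id INT AUTO_INCREMENT, customer_name VARCHAR, amount_cents INT,
//          card_last4 CHAR(4), gateway_ref VARCHAR NULL, status VARCHAR)
// The full card number is handed to the gateway and never written to disk.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO(
        'mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
        'shop_user',
        getenv('SHOP_DB_PASSWORD') ?: ''
    );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Keep only digits so "4111 1111 1111 1111" and "4111-1111-..." are treated alike.
function digits_only(string $pan): string
{
    return preg_replace('/\D/', '', $pan) ?? '';
}

// Luhn checksum: catches mistyped numbers before the gateway is called.
// It says nothing about whether the card is real or has funds.
function luhn_valid(string $pan): bool
{
    $d = digits_only($pan);
    if (strlen($d) < 12 || strlen($d) > 19) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($d) - 1; $i >= 0; $i--) {
        $n = (int) $d[$i];
        if ($double) {
            $n = $n * 2 > 9 ? $n * 2 - 9 : $n * 2;
        }
        $sum += $n;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Step 3: the confirmation page shows only the last four digits.
function mask_card(string $pan): string
{
    $d = digits_only($pan);
    return str_repeat('*', max(0, strlen($d) - 4)) . substr($d, -4);
}

// Hypothetical gateway client (an assumption): replace with the library your
// gateway documents. Returns whether the charge was approved and a reference.
function authorize_with_gateway(string $pan, string $expiry, int $amountCents): array
{
    // ... HTTPS call to the gateway would go here ...
    return ['approved' => true, 'ref' => 'GATEWAY-REF-PLACEHOLDER'];
}

// Steps 4-6: record the order, authorize, and store the outcome in one transaction.
function place_order(PDO $pdo, string $name, string $pan, string $expiry, int $amountCents): array
{
    if (!luhn_valid($pan)) {
        return ['ok' => false, 'error' => 'card number failed checksum'];
    }

    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare(
            'INSERT INTO orders (customer_name, amount_cents, card_last4, status)
             VALUES (:name, :amount, :last4, :status)'
        );
        $ins->execute([
            ':name'   => $name,
            ':amount' => $amountCents,
            ':last4'  => substr(digits_only($pan), -4),
            ':status' => 'pending',
        ]);
        $orderId = (int) $pdo->lastInsertId();

        $result = authorize_with_gateway($pan, $expiry, $amountCents);

        $upd = $pdo->prepare(
            'UPDATE orders SET status = :status, gateway_ref = :ref WHERE id = :id'
        );
        $upd->execute([
            ':status' => $result['approved'] ? 'authorized' : 'declined',
            ':ref'    => $result['ref'],
            ':id'     => $orderId,
        ]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack(); // nothing half-written if the gateway or the DB fails
        throw $e;
    }

    // Step 6: what the customer sees; $pan was never logged or stored.
    return [
        'ok'       => $result['approved'],
        'order_id' => $orderId,
        'ref'      => $result['ref'],
        'card'     => mask_card($pan),
    ];
}
```

The transaction matters for the failure case: if the gateway call throws, the pending row is rolled back rather than left behind as a half-finished order. The Luhn check is only a typo filter; the authorization decision is the gateway's.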

              • 4. Re: php credit card processing
                pziecina Community Member

                Hi John

                 

                Just as an extra to my previous post, paypal/google and other processing gateways that can do all the card processing, have to incorporate the 'secure pay' options for processing within the next 4 years, (was originally one year) so expect to have to incorporate this at some time in the future if you do your own. I suspect that the procedure will become much simpler and unified within that time though, reducing the time/cost by at least 50%.

                 

                Paula Z

                • 5. Re: php credit card processing
                  J Cellini Community Member

                  Hi Paula,

                   

                  I have been up against deadlines for the last few days, but I wanted to get back to you to thank you for all the good information you presented. This is a complex topic and you helped clarify many things.

                   

                  In addition to the coding procedures, I wanted to get some idea of the procedure by which the finance people or mechanisms processed credit cards. Here is a response I received from Authorized.net (which may help others who have the same question):

                   

                  "When you take an ecommerce payment there are two accounts you will have to setup.  The payment gateway is the first (Authorize.net) and the merchant account is the second (you will set this up through one of our partners or on your own with your bank for example).  The gateway simply connects to your site to capture the cc information while the merchant account is who contacts the credit card companies for the approval then deposits the funds directly in to your bank account.  See HERE for a diagram."

                   

                  John

                  • 6. Re: php credit card processing
                    AlexCook Community Member

                    Hi!

                     

                    I recently created a blog post on this topic:

                    http://www.propellingsolutions.com/2010/07/how-to-process-credit-cards-in-flex-and-air-applications/

                     

                    If you're looking for an Air Application that processes credit cards, I don't think there is one.  That'd be a neat startup in its own right.

                     

                    The big issue is PCI compliance.  You can no longer just create a php/air/flex/whatever application and start taking people's credit card information.  First you have to build the system, then you have to pay for an expensive audit ($8,000 at minimum), and from there you have to become compliant if you're not already... it's an expensive process.

                    • 7. Re: php credit card processing
                      J Cellini Community Member

                      Hi Alex,

                       

                      Thanks for the response. Your answer hit the target.

                       

                      John

                      • 8. Re: php credit card processing
                        pziecina Community Member

                        Hi John

                         

                        This is in addition to what Alex has written, just to add a little more info for those interested.

                         

                        Alex Cook is correct about PCI compliance (although I thought the date for compliance had been 'put back' a few years), but only if you are doing the complete transaction service yourself, and not through a merchant account. But, and this is a big BUT, you are still required to be compliant on your side of the service (remember Secure Pay and the $3000); your merchant service should do the rest of this for you though.

                         

                        Another thing that I forgot to mention - You must also register, and comply with any data protection legislations for the country that you trade from, and comply with any legislation for other country's that you trade with.

                         

                         

                        Paula Z

                        • 9. Re: php credit card processing
                          J Cellini Community Member

                          Hi Paula,

                           

                          Well, my original question has certainly been answered: Can we eliminate the merchant account from online selling? The answer is No unless you are prepared to do an enormous amount of work and front a lot of money.

                          I started this post because my merchant account hiked my rates 40%. The good news is that I found a merchant account that is very reasonable and has no negative reviews (and backed by a reputable company).

                          Again, thanks for educating me on this messy business.

                          John

                          • 10. Re: php credit card processing
                            netartdesign Community Member

                            Hey John,

                            I was looking to get the same solution as you and read your thread. I understood it isn't worth it.

                            Wanted to get some advice from you about how you're gonna do it. Google Checkout? What is the best and most efficient way to do it?

                            Thanks.

                            • 11. Re: php credit card processing
                              Lawrence_Cramer CommunityMVP

                              Hi John...

                               

                              First - Never, ever, under any circumstances store consumer credit card data in your database. Period. In a shared host environment there is no way to adequately secure it and doing so exposes you, or your client to real legal and liability issues.

                               

                              Here's a blog post on the topic: http://blog.cartweaver.com/index.cfm?newsid=13

                               

                              You'll notice that this is a fairly old post, and this issue hasn't gotten any less critical.  In fact - note to self "do an updated post on this" - because even a "hold harmless" agreement from the client won't adequately protect you any more. So, just don't do it.

                               

                              As for gateways - I'd recommend one of the dedicated true real-time processors (frankly I don't think highly of either PayPal Web Payments Pro or Google Check-out, both are "hybrids" that serve to promote their brand on your store - not a truly professional approach)  I would recommend one that is reputable and truly operates in real time and transparently like Authorize Net, PayPal PayFlow Pro, or LinkPoint.

                               

                              Hope this helps. If you have any other or specific questions let me know I'd be happy to help.

                               

                              --
                              Lawrence Cramer *Adobe Community Professional*
                              www.Cartweaver.com
                              Complete Shopping Cart Application for
                              Dreamweaver, available in PHP and CF

                               

                               

                              Stay updated - Friend, Follow, and Bookmark!
                              http://www.twitter.com/Cartweaver

                              http://blog.cartweaver.com
                              http://www.cartweaver.com/facebook

                              • 12. Re: php credit card processing
                                J Cellini Community Member

                                I was with Elavon through Costco but they raised their rates 40% and required all their customers to buy new software (which I thought was a rip off). I have always been leery of merchant account companies, so I put in a lot of time researching them. After a lot of looking, I came across the merchant account backed by Sam's club. The terms are very good. The nearest Sam's club to me is 30 miles away and I don't think I ever set foot in a Sam's club, but it was worth joining to qualify for the merchant account (actually they gave me a free year membership). I had to do the same with Costco, but the Costco membership (to qualify for the merchant account) cost more. If you send me a private message through the Adobe forum, I will give you more details.

                                • 13. Re: php credit card processing
                                  J Cellini Community Member

                                  Lawrence,

                                   

                                  I have always been uncomfortable with keeping credit cards for automatic payments and never have done it. But there a lot of companies (like goDaddy, hosting companies, cell phone companies, etc.) that keep a credit card on file and automatically charge it every payment period. They must store that information in a database. Do you know how they do it and how they secure that information? They must have several levels of security.

                                  I use Authorize.net for a few of my clients and it's a good gateway to use (and like you said a reputable company) especially if you are doing shopping carts. Most third party shopping carts have software that will easily integrate with Authorize.net. (I will probably end up purchasing cartweaver, which I have been looking at a long time.)

                                  Like I stated before, most of my clients pay with a check but a few will give me a credit card over the phone. In this case, my Sam's club merchant account works well and is an inexpensive solution.

                                  John

                                  • 14. Re: php credit card processing
                                    pziecina Community Member

                                    Hi John

                                    But there a lot of companies (like goDaddy, hosting companies, cell phone companies, etc.) that keep a credit card on file and automatically charge it every payment period.

                                    One interesting statistic on this is that it is estimated that this is how over 60% of credit card details are acquired for illegal use (from cards that are not stolen).

                                     

                                    As for the security, the database must be housed in a secure and fire proof location, and have access restricted via extensive security measures, (think similar to a bank vault, and you are not far from the truth).

                                     

                                    Access to the database must be restricted and secure, (complete definition is some-what 'open').

                                     

                                    The 'openness' of the definitions always leaves the holder of the information/database responsible for any and all losses/misuse of information.

                                     

                                    I know that did not make the situation clear, but as I tell clients regarding this, it is worded so as to make them responsible for just about anything they, or the staff employed by them, may do regarding the information. One interesting feature of the rules and regulations is that most governments and many banks are exempt.

                                     

                                    Paula Z

                                    • 15. Re: php credit card processing
                                      J Cellini Community Member

                                      Paula,

                                       

                                      As usual, great information. Wouldn't the credit card numbers be encrypted like a password so if hackers successfully hacked into a database they still could not decipher the credit card information?

                                       

                                      John

                                      • 16. Re: php credit card processing
                                        pziecina Community Member

                                        Hi John

                                         

                                        Yes, but once you have access to the database you also have access to the encryption method, and often the code used to create it on larger databases. Stored procedures and transactions are stored on the database (so much for my 'more secure'). They actually are, as you must have access to the database server in order to access them; this is just one reason why the database server for such information is regarded as something that must be separate and not shared in any way with the normal 'open' to the public hosted http/shared-database servers.

                                         

                                        Paula Z

                                        • 17. Re: php credit card processing
                                          netartdesign Community Member

                                          How is cartweaver better than other 3rd party shopping carts?

                                          • 18. Re: php credit card processing
                                            J Cellini Community Member

                                            Then wouldn't the same be true about passwords? Could hackers retrieve the encryption method for passwords and hack into your account?

                                            • 19. Re: php credit card processing
                                              pziecina Community Member

                                              Hi John

                                               

                                              Could hackers retrieve the encryption method for passwords and hack into your account?

                                               

                                              If you remember or have read a few of the replies I have posted regarding 3rd party and/or open source software, then you now know why I always say 'use with caution'.

                                               

                                              Paula Z
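The question in posts 15 and 18 (can't the card numbers be protected the way passwords are, so that a copy of the database is useless?) turns on one difference: a password only ever needs to be checked, so it can be stored as a one-way salted hash, while a stored card number has to come back out to be charged, so it can only be encrypted, and then everything depends on where the key lives. The following is an added example, not code from the thread or from any poster, showing both sides in PHP 7.1+ with the openssl extension: `password_hash()` for passwords, and AES-256-GCM for a card number with the key read from an assumed environment variable `CARD_KEY_HEX` set on the application server rather than kept in the database. All values are constructed.

```php
<?php
// Added example, not from the thread: why a copied table means different
// things for passwords and for card numbers.
// Assumptions: PHP 7.1+ with openssl; the key is supplied in the environment
// variable CARD_KEY_HEX (32 bytes as 64 hex chars) and is never stored in the DB.
declare(strict_types=1);

// Passwords: one-way, salted hash. The stored value cannot be turned back into
// the password; someone holding the table still has to guess each one.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Card numbers (if you must keep one) cannot be hashed, because the gateway
// needs the real number back. They are encrypted instead, and the table is
// only useless on its own if the key is somewhere the table is not.
function card_key(): string
{
    $hex = getenv('CARD_KEY_HEX');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('CARD_KEY_HEX must be 64 hex chars (32 bytes)');
    }
    return hex2bin($hex);
}

function encrypt_card(string $pan): string
{
    $iv  = random_bytes(12); // fresh nonce for every record
    $tag = '';
    $ct  = openssl_encrypt($pan, 'aes-256-gcm', card_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: iv || tag || ciphertext, base64 so it fits a text column.
    return base64_encode($iv . $tag . $ct);
}

function decrypt_card(string $stored): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed record');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', card_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // GCM authentication failed: wrong key or a modified record.
        throw new RuntimeException('record could not be authenticated');
    }
    return $pt;
}

// Demonstration with constructed values. In production the key is set in the
// server environment by the operator, not generated by the application.
putenv('CARD_KEY_HEX=' . bin2hex(random_bytes(32)));

$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('not the password', $hash));

$record = encrypt_card('4111111111111111'); // constructed sample number
echo "stored in the database: ", $record, "\n";
echo "recovered with the environment key: ", decrypt_card($record), "\n";
```

The design point is the last line of the demo: `decrypt_card()` only works on a machine that has `CARD_KEY_HEX`, so a dump of the table alone does not yield card numbers, whereas if the key (or the code that derives it) sits in the same database, the separation the thread describes is gone.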

                                              • 20. Re: php credit card processing
                                                J Cellini Community Member

                                                netartdesign wrote:

                                                 

                                                How is cartweaver better than other 3rd party shopping carts?

                                                 

                                                It depends on what you need. I have had experience with Zen cart and Volusion. I inherited a zen cart shopping cart web site to redesign and make it work better. I did not like Zen cart at all (I have already commented on Zen cart in previous posts). In a nutshell, zen cart is open source software with very little support and I don't think a lot of people pay much attention to it anymore. I spent valuable hours and hours trying to resolve a number of issues.

                                                Volusion is a pretty good solution. It's not free but the cost is reasonable (you pay a monthly fee but the hosting is included in the fee). There is plenty of good support which saves you a lot of time (and money). In most cases, the phone support techs knew what they were talking about. Volusion uses ASP instead of PHP for its server-side language and I don't know a thing about ASP code, but Volusion does a good job of separating different technologies so you can easily design the site the way you want (you really never have to worry about the server-side issues). The only problem I had was that the web site is based on a template (that you can redesign) and some of the features are difficult or sometimes inflexible (but this turned out to be a small issue). I would give Volusion high marks.

                                                I haven't had any experience with Cartweaver but I spent a lot of time looking into it. The support seems to be pretty good. It's a Dreamweaver extension so you can use it with Dreamweaver. You can get the PHP version; I know the basics of PHP but I am working on learning advanced features (even if your PHP knowledge is very little, Cartweaver support will work with you). It's a one-time purchase, so there is not a monthly charge. I host most of the web sites I create for people, so I can continue to make money on the hosting after a site is built.

                                                • 21. Re: php credit card processing
                                                  netartdesign Community Member

                                                  Got it. I will probably end up getting cartweaver myself. After all I've been looking in this forum and others, I got to the conclusion that the parameters here are time, professionality, convenience and security. If I'm trying to put all the info I got together, I will probably end up getting the cartweaver. Just not sure yet about the payment process. Does authorize.net work well internationally, outside of the States?

                                                  • 22. Re: php credit card processing
                                                    Lawrence_Cramer CommunityMVP

                                                    Authorize Net can take orders from other countries no problem, we get orders from all over the world. Now if you are in another country, like the UK or somewhere in the EU then you may need to see what is available to work with your local merchant accounts.  So depending on your location it may take a little research to come up with the best solution.

                                                     

                                                    For the US, while we have developed integrations with many payment gateways, Authorize Net is about my favorite. They are very reliable, have competitive rates and also have one of the best fraud prevention suites around.

                                                     

                                                    Lawrence Cramer *Adobe Community Professional*
                                                    www.Cartweaver.com
                                                    Complete Shopping Cart Application for
                                                    Dreamweaver, available in PHP and CF

                                                     

                                                    Stay updated - http://blog.cartweaver.com

                                                    • 23. Re: php credit card processing
                                                      netartdesign Community Member

                                                      ok

                                                      thanks for the help

                                                      • 24. Re: php credit card processing
                                                        Lawrence_Cramer CommunityMVP

                                                        I avoid doing much "horn blowing" on this forum, it's not a place to sell. If you'd like a bit more info feel free to pop me an e-mail directly at:  lawrence  at  Cartweaver dot com I'll be happy to answer any questions you have.

                                                         

                                                        Lawrence Cramer *Adobe Community Professional*
                                                        www.Cartweaver.com
                                                        Complete Shopping Cart Application for
                                                        Dreamweaver, available in ASP, PHP and CF

                                                         

                                                        Stay updated - http://blog.cartweaver.com

                                                        • 25. Re: php credit card processing
                                                          pziecina Community Member

                                                          Hi

                                                           

                                                          First, sorry John for hijacking this thread.

                                                           

                                                          Netartdesign -

                                                           

                                                          Continuing from the discussion in the dreamweaver general forum, and your questions both here and in that discussion - I have heard many good recommendations for cartweaver, but I have never used the product myself so how it compares to products such as ecart from webassist, (http://www.webassist.com/dreamweaver-extensions/ecart/) I do not know, (if someone wishes to send me a copy for evaluation) but as I am based in the U/K and much of my work is in the US, I would point out that the Authorize.net payment system does not have as good a reputation in the U/K and Europe as it does in the US. From what I have heard there is a 'more than normal' delay with you receiving the payments into your account, but how this compares to services such as paypal I do not know.

                                                           

                                                          That said, even when you go through the more advanced merchant accounts that are set-up via your bank in the U/K, the problems are rarely worth the extra effort unless you are expecting an annual turnover in excess of £100,000.00p. (approx = $155,000.00). The main form of on-line payment and most recognized in the U/K and Europe is, (unfortunately) still paypal.

                                                           

                                                          Paula Z

                                                          • 26. Re: php credit card processing
                                                            jon@cmiwebstudio Community Member

                                                            Unless you're running a PCI compliant dedicated server for that one website... you are not supposed to be storing any credit card information. I recommend using a gateway service approved by the merchant account with a virtual terminal and documented API to hook into via any programming language, including PHP. Best of luck.