11 Replies Latest reply on Mar 23, 2015 2:41 PM by Nancy OShea

    Credit Cards & Forms

    Nancy OShea Adobe Community Professional & MVP

      Forum Question: "How do I get my form to send sensitive credit card data to my email address?"


      Forgive the rant, but I've been seeing lots of posts like this lately and frankly it leaves me terrified and irritated.

      Terrified for consumers who could be exploited by credit card & identity thieves.

      Terrified for site owners who could incur stiff penalties or be put out of business.

      Irritated with the fool of a web designer who thinks this is OK business practice. 


      I've got news for you.  It's not OK to transfer sensitive data by e-mail.  It's not secure.


      If you're new to web design and need to build a store site for someone, please use PayPal, Google Checkout or one of the industry approved shopping cart sites. If you need a recommendation, feel free to post a question in the forum. People here will be happy to share their opinions & experiences with you.


      Q: What is PCI?

      A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, it covers any merchant that has a Merchant ID (MID).


      Q: To whom does PCI apply?

      A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.


      Q: What  are the penalties for noncompliance?

      A: The credit card companies may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. In most cases though, the bank suspends or terminates the merchant's credit card privileges.


      I realize jobs are scarce & finding good projects to work on is much harder than it once was. But that doesn't mean you should ever put yourself, the public and site owners at risk. If a site owner insists on running his business without a PCI compliant shopping cart to save a few dollars or [insert whatever excuse here], this is a red flag warning you to politely thank them & walk away from the project. There is no excuse for NOT using a secure payment method. PayPal doesn't cost much (a small transaction fee) and it's very simple to set up.


      PCI Compliance Guidelines & FAQ



      Some Payment Processors to look at ~

      PayPal ~ https://www.paypal.com/webapps/mpp/merchant

      Google Checkout ~ http://checkout.google.com/sell/?

      Authorize.net ~ http://www.authorize.net/


      Shopping Cart Solutions:
      Web Assist
      Adobe Business Catalyst ~ Built-in turn-key e-commerce
      Nancy O.

      Alt-Web Design & Publishing

      Web | Graphics | Print | Media Specialists
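The post's rule that card data must never travel by e-mail can be enforced mechanically. The following is an added example (not code from the original post or from any product named in the thread): a guard that a hypothetical form-to-email handler would call before forwarding a submission. It looks for card-number-shaped digit runs, confirms them with the Luhn mod-10 check so ordinary phone or order numbers are not flagged, and refuses the send while redacting the value to its last four digits so the rejection can be logged safely. The field names and the 4111 1111 1111 1111 test number are constructed sample input.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid card-shaped run with [REDACTED-last4].

    Returns the redacted text and how many card numbers were found.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()    # digit run but not a card number; leave it
        count += 1
        return "[REDACTED-" + digits[-4:] + "]"

    return PAN_CANDIDATE.sub(_sub, text), count


def screen_form_submission(fields: dict[str, str]) -> tuple[bool, dict[str, str]]:
    """Decide whether a form-to-email handler may forward these fields.

    Returns (allowed, fields_safe_to_log). allowed is False as soon as any
    field carries something that passes as a card number; the handler should
    then refuse the send and log only the redacted copy.
    """
    allowed = True
    safe = {}
    for name, value in fields.items():
        redacted, found = redact_pans(value)
        if found:
            allowed = False
        safe[name] = redacted
    return allowed, safe
```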



        • 1. Re: Credit Cards & Forms
          Curtis_E_Flush Level 3

          Excellent post and very informative except that I have personally had a bad experience with PayPal, and the result is that I will never use them again for anything, including purchases from already established sites.


          There are others, including 2Pay which I will use.


          The whole post is Spot on though.

          • 2. Re: Credit Cards & Forms
            adninjastrator Level 4

            Hey Nancy... no problem with the "rant"!!

            I've also dealt with many posts asking how to create this or that type of shopping cart. Will this work or that?

            About the only addendum I would like to add to your excellent post is that when choosing a shopping cart... you SHOULD START at your BANK and work backwards to the Web site.. not the other way around!

            So in other words... don't just choose a third party shopping cart and expect your bank to accept your choice!!

            Most major third party shopping carts require that you first have a "Merchant Account" at your bank. Your bank will NOT allow that shopping cart to directly connect into it (gee... I wonder why). Each bank will have an approved "gateway" that they use as an interim connection between the shopping cart and the bank. For example:

            but each "gateway" only approves/works with certain third party shopping carts.

            So I'd recommend that clients wanting to create a "Shopping Cart" ALWAYS start at their bank and THEN work backwards to their Web site. If a "Merchant Account" is too much... then go PayPal or some non-direct link to your bank. But if the object is to process credit cards and deposit into your bank account (which means you need a Merchant Account)... then you had better start at your Bank and end up at your Web site... NOT the other way around.

            Best wishes,


            • 3. Re: Credit Cards & Forms
              Curtis_E_Flush Level 3

              Another good point! It would seem foolish to invest $300 in Cartweaver, learn the PHP or ASP back end of it, set the whole site up, get an SSL certificate, and put everything on the server... only to discover that your business CAN'T do business... with your financial institution that is.


              There should be a FULL tutorial out there somewhere that covers all the bases of starting an e-store, not only from a HTML standpoint, but commercial, legal and financial as well.


              The idea that someone can go buy Dreamweaver (or worse yet, only download a 30 day trial) and "voila!" they're an instant webmaster, is as foolish as thinking that buying a ticket on a cross-country flight will make someone a pilot.

              • 4. Re: Credit Cards & Forms
                Nancy OShea Adobe Community Professional & MVP

                Thanks Curtis, Adninjastrator and PZ for your constructive input.  All excellent points.


                <Start with the bank>


                Absolutely. Especially if the Merchant already has POS (Point of Service) -- a brick & mortar shop where the credit card user is standing in front of him.


                On-line Merchants need a CNP (Card Not Present) account. Fees for CNPs are somewhat higher owing to the greater risk of fraud & charge backs on the internet.


                POS Merchants have a Gateway to process credit cards. A physical terminal or box is connected to a phone line or internet cable and used at checkout to approve or decline purchases on the spot. Similarly, on-line Merchants need an internet Gateway to approve or decline purchases. Often the same Gateway company can provide both services.


                Finally, On-line Merchants need a Shopping Cart that is compatible with their internet Gateway's protocol. 


                As PZ said, any shopping cart can collect order details.  But only a PCI compliant cart can collect customer data (card holder's name, address, credit card # & expiration date).  The level of encryption required for this standard is very high to safeguard customer data as it's being collected, stored and transmitted to the Gateway.


                I prefer to hand off customers to a secure payment processing agent like https://PayPal or https://Authorize.net for order completion. It costs a little more but it's much safer for me as a web developer and for the site owner, who is ultimately responsible for protecting his customers' data. Unless you really know what you're doing, it's much better to let the experts handle this step.


                @Curtis, I've had good experiences with PayPal. But other options are good to know about. Especially for non-profits who may not be able to use PayPal. Please post any others you've had good experiences with.


                Thanks everyone!

                Nancy O.

                • 5. Re: Credit Cards & Forms
                  Curtis_E_Flush Level 3

                  I like to work with 800cart.com


                  They have a really user friendly setup, and 24/7 live phone or chat support for integration or billing questions/problems.

                  • 6. Re: Credit Cards & Forms
                    mhollis55 Level 4

                    Great rant.


                    I have done several stores and they're all mounted on Secure servers. I have had several clients of mine request that they receive an email of the credit card number being used in payment. No Thank You! I won't do that. "But what if their card doesn't go through?" Then they'll telephone you if there is a problem. And you can use your terminal or wait for a check to clear.


                    I do not store any credit card data on my servers. Period. Credit card numbers are destroyed after the session, as well as all other information pertaining to the session. If their own web browser is set up to autofill stuff, that is their own issue.


                    All servers doing financial transactions have security certificates. All information that might have something to do with a financial transaction, passwords, etc., is encrypted.

                    • 7. Re: Credit Cards & Forms
                      b00y0h Level 1

                      Unfortunately, it's not enough just to have a security certificate on your servers. If customers enter cc data on your domain, then it has to be PCI compliant.

                      Handing off the whole transaction to a payment provider doesn't have to interrupt the flow of the checkout, nor introduce the payment provider's branding. For a seamless transaction for the customer (read... better completion rate), check out mijireh.com. It looks as though they are initially a WordPress only solution, but they have an API for integrating with other solutions.


                      Bobby Smith


                      Your design, Our security



                      • 8. Re: Credit Cards & Forms
                        nicklewis Level 1

                        If you decide to use Shopify I recommend you set up an affiliate program to get more sales. I use what is called OSI Affiliate Software (http://www.osiaffiliate.com), but there are other solutions out there.

                        • 9. Re: Credit Cards & Forms
                          katied60926285 Level 1

                          I'm not sure if this is the right thread to post on. I am trying to add secure forms to my website; they are opting into a company donation, so the form will have personal information on it (i.e. social security #). I have a fillable form but I want their personal information to be protected!!!

                          • 10. Re: Credit Cards & Forms
                            Nancy OShea Adobe Community Professional & MVP

                            Don't do it. It's too risky. Set up a PayPal account to accept donations. And I fail to see why anybody would want to give out their Social Security #. The potential for identity theft makes my skin crawl.


                            When major companies are breached like my health insurance provider was recently, they pay for it. In my case, they have to pay a service like LifeLock for 2 years x each member whose info was compromised. Can you afford that?

                            Nancy O.

                            • 11. Re: Credit Cards & Forms
                              katied60926285 Level 1

                              We have a PayPal but this is different. I think the best way is for them to print off the form and submit it on paper. Thank you!