views: 297
answers: 5

On step 3 I have a form which accepts a credit card, Step 4 re-prints the information including the last 4 digits of the credit card, and Step 5 I need to know the full CC # to process it and send it through my https connection to a 3rd party vendor - should I store it through hidden inputs or $_SESSION so I can access it in between the 3rd and 5th step?

FYI: My entire site is already https'd.

A: 

Neither way. You should store it (somehow) encrypted on the server.

dusoft
See my edit, it's SSL'd - good enough?
meder
No, SSL'ed is definitely not good enough.
Jarrett Meyer
Definitely not - SSL only encrypts the channel. It should be stored encrypted, if it's even stored at all, which it probably shouldn't be.
thetaiko
SSL is not enough, that only protects the data as it moves from the client to the server. Once it is on the server, you should encrypt it before you store it. You wouldn't want CC #'s in plain text in memory or on disk; a hacker or rogue employee could make off with them without much effort.
aepheus
+1  A: 

Don't store it at all. There are lots of credit card processing facilities out there. Unless you absolutely must have this functionality in house, don't do it.

Seriously, take your pick.

Jarrett Meyer
How would I charge it if I can't store it? By store I mean through pages, not in a database or anything.
meder
You don't charge it. You pass the responsibility of securing and charging the card to a service that does this for you. The above all have options for sending the encrypted form data to their site for processing. They then return the charge result back to your site.
Jarrett Meyer
Actually I should rephrase that - I *am* passing it on to another service, I'm not manually charging the CC with my own code, a 3rd party vendor is, but the code to provide the CC TO the 3rd party vendor is on the 5th/last step, and I'm entering the CC on the 3rd step.
meder
If your credit card processor offers a credit card vault like Braintree does, you can store the credit card in your 3rd step but change it in the 5th step. Disclosure: I work for Braintree.
dan-manges
+2  A: 

SSL won't protect data stored on disk. Additionally, PHP session data is stored by default in the file system under a temp directory with minimal permissions. So not only is the data stored in plain-text but also can be accessed by many different system users (depending on your web server configuration).

If you want to implement a multi-step checkout process I'd suggest doing some AJAX/Javascript magic on the browser side. You can collect the billing information using a series of DIVs that are hidden/collapsed and post the complete data set in one go, sending the CC data one-time to your server, which then relays the CC data to your payment processor.

pygorex1
But how would you support strictly server-side processing if JS is disabled?
meder
For non-javascript users you would need 1) a solution described by Chris' answer or 2) send the confirmation message with CC info in a hidden field back to the user. The second option may cause problems if the page is cached by the browser or a proxy server.
pygorex1
If you were to make it completely ajaxified, can you go into detail about whether you would still leave your POST/SESSION logic in each individual step page?
meder
+1  A: 

Definitely not in a hidden form field. If the user walks away or saves the page or someone hits the back button, then full CC information is available. The computer may be shared with others.

If you do persist the CC to disk/database then the CC must be encrypted otherwise you would be violating Payment Card Industry (PCI) requirements. You could keep the last 4 digits in the clear separately for convenience.

Note if you go with sessions (for other reasons) you have to take care of attacks on session including but not limited to session fixation.

One other possibility is to rework your client side such that the various steps are just ajax calls (cc is in js variable not in form field) and use CSS to display/hide various divs - on the final step post the entire information to your server.

mar
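A PHP sketch of the pattern pygorex1's and mar's answers describe, added here as an example and not code from the thread: tokenizeCard() is a hypothetical stand-in for a vendor vault API, and the check at the end shows why a PAN placed in $_SESSION (plaintext files under session.save_path) must never be there.

```php
<?php
// Added example, not code from the question or any answer. tokenizeCard() is a
// hypothetical stand-in for a processor's vault API; only the shape of what is
// kept between steps 3, 4 and 5 matters here.
declare(strict_types=1);

// Hypothetical processor call: the PAN goes out once, an opaque token comes back.
function tokenizeCard(string $pan): string {
    return 'tok_' . bin2hex(random_bytes(8));
}

// Step 3: the only point where the full PAN exists on the server. Keep the
// token (for step 5) and the last four digits (for step 4), nothing else.
function stateAfterStep3(string $rawPan): array {
    $pan = preg_replace('/\D/', '', $rawPan);
    $len = strlen($pan);
    if ($len < 13 || $len > 19) {
        throw new InvalidArgumentException('unexpected card number length');
    }
    return [
        'card_token' => tokenizeCard($pan),
        'card_last4' => substr($pan, -4),
    ];
}

// Step 4: the confirmation page only ever receives the masked form.
function maskedForDisplay(array $state): string {
    return '**** **** **** ' . $state['card_last4'];
}

// Check: PHP's default "files" session handler writes the session array to
// session.save_path as plaintext serialized data, so whatever goes into
// $_SESSION can be read back by anyone who can read that file. Confirm the
// PAN is absent from the serialized state before a step persists it.
function persistedStateLeaksPan(array $state, string $rawPan): bool {
    $pan = preg_replace('/\D/', '', $rawPan);
    return str_contains(serialize($state), $pan);
}

// Constructed sample number, not a real card.
$pan = '4111111111111111';
$naive = ['cc' => $pan];          // what the hidden-input / $_SESSION approach keeps
$safe = stateAfterStep3($pan);    // token + last4 only

// Fixation mitigation: rotate the id once the session is active, e.g.
// session_regenerate_id(true) right after session_start().
var_dump(persistedStateLeaksPan($naive, $pan), persistedStateLeaksPan($safe, $pan));
echo maskedForDisplay($safe), PHP_EOL;
```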
+7  A: 

Take the credit card number as the last step so you don't have to store it. There are many legal issues around storing that information.

Chris
Well, the issue with that is the client has already decided to go with the ordering of the form steps; it would really be a hassle and probably beyond my reach to influence them to do so.
meder
You can keep this workflow with Braintree. On your 3rd step, you can store the credit card in the Braintree credit card vault. Braintree will give you a token that you can use to charge the credit card later. You can retrieve the masked credit card number in your 4th step to display it to the user for confirmation. And then to charge the credit card, make an API call in your 5th step using the token from step 3. Braintree can eliminate both the storage and transmission of credit card data from your environment. getbraintree.com Disclosure: I work for Braintree.
dan-manges