
How do I do a secure web page

Status
Not open for further replies.

mkrausnick

Programmer
Apr 2, 2002
766
US
I want to develop a web page to accept donations for my charitable organizations. Naturally, I need a secure way to accept credit card numbers. The site is hosted on an Apache server. What's involved with setting that up? Does the hosting company have to support the feature, and how do I code a page so it's secure and can safely accept credit card numbers?

The page won't process the credit cards automatically, it will send an email or create a file on the server that will be retrieved later for manual processing. Figuring out how to do that securely will be the next step.

Thanks for your help.

Mike Krausnick
Dublin, California
 
There are specialised companies which can do the banking for you (i.e. worldpay.com or paypal.com) and your webhost may be able to recommend one. This is the easiest, quickest, and cheapest solution but it won't be integrated into your site. This does not go through you (or your email): the bank handles everything!

If you want to do it yourself, you want SSL (secure socket layer). Your webhost probably offers a shared SSL domain name such as yourname.webhost.com

If you need it to be even prettier than this, you can pay for an SSL certificate (each domain has to have its own certificate) which incurs a license fee (guessing $200 pa?) & setup charges (another $500?). These are only guesstimates and could be a way off.

Try the Apache or IIS forums for more information.

--Glen :)

Memoria mihi benigna erit qui eam perscribam
 
Most online clearing houses / merchant account companies will let you fully customise their pages to match the look and feel of yours. Emails will go from and to your domain, no problem. The only thing they handle is the financial transaction, and will return a code to your site so you know if the transaction was successful, or if not, why not.

Hope this helps,
Dan

D'ya think I got where I am today because I dress like Peter Pan here?

 
mkrausnick said:
The page won't process the credit cards automatically, it will send an email or create a file on the server that will be retrieved later for manual processing. Figuring out how to do that securely will be the next step.

As mentioned by the others above, I would suggest using a third party gateway rather than accepting the cards yourself. If you accept the cards yourself then there are legal and security concerns you need to be aware of, and from your post it is clear that you don't know enough about this (No offense).

You can't just e-mail yourself the card details to process them or store them in a file, you need to encrypt the details and personally I would never store or send all the details together, because anyone intercepting your e-mail account or hacking your host's server would now have access to everything and you could be liable for any misuse of those details if you did not take the proper precautions.

stormbind said:
If you need it to be even prettier than this, you can pay for an SSL certificate (each domain has to have its own certificate) which incurs a license fee (guessing $200 pa?) & setup charges (another $500?). These are only guesstimates and could be a way off.

You can get SSL certificates from around $10 upwards, $200 isn't really an uncommon price either though. The price normally does make a difference though because the higher end certificates normally give you a seal to place on your site and also include warranties of around $10,000 upwards, however with the lower end ones you do not get anything like that.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion/Windows Hosting

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
I've used the paypal option on a website I wrote and it was really easy, and very unobtrusive. You can develop your own look and feel, and just transmit the data to paypal. It works quite well, and the fees are minimal (yes, they do charge a per-transaction fee).

Tracy Dryden

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
 
Thank you everyone for the input. It sounds like the third party option, maybe through our bank, might work. I begin to realize I definitely don't have the expertise to do it right myself. I always try to stay a step ahead of the thinkers in the organization, but I think this one goes on the shelf for awhile until someone actually asks for it.

Thanks again for taking the time to share your expertise.

Mike Krausnick
Dublin, California
 
If you do elect to set up a secure server be aware that not all SSL certificates are compatible with all browsers.

Verisign, Thawte and Instant SSL (Comodo) are the most compatible. Instant SSL is also quite inexpensive (compared to the other 2).



Foamcow Heavy Industries - Web design and ranting
Toccoa Games - Day of Defeat gaming community
Target Marketing Communications - Advertising, Direct Marketing and Public Relations
"I'm making time
 