
security issues for a website


skarosi

Programmer
Jan 25, 2004
140
GR
Hi all,
I am making a website, mainly using HTML, and I would like to use some kind of security so the users can insert a username and password to see the secure area of the site.
I would also like to have some credit card security. How do these work? Can I do them by myself, or are there packages that I have to pay for?

thanks,
Ilias
 
Your best bet when dealing with sensitive data like credit card numbers is to use secure HTTP (i.e. HTTPS). You would need to buy a certificate from a trusted re-seller, have a fixed IP (AFAIK), and be able to serve HTTPS from whatever web server you use.

Using non-secure HTTP would still work, but is very much advised against, as it can easily be sniffed (you'd be surprised at just how easily).

You'd need to be able to use server-side scripting to retrieve the details entered by the user (so ASP, JSP, PHP, CGI, etc.), and store them in a database (whether and how you store the CC numbers depends on any number of factors), but at the very least you should never store them unencrypted.

You'd also need to take into account any data protection laws in the country your company is incorporated in, as well as the country your site is hosted in.

Hope this helps,
Dan




Coedit Limited - Delivering standards compliant, accessible web solutions

Dan's Page @ Code Couch
 
From the sounds of your post you are obviously inexperienced in this area. Nothing wrong with that, but I would advise you look into something like WorldPay or PayPal for processing credit card info and not ask for or store any card info directly on your site.

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.
 
I was thinking about PayPal as well, Foamcow, and it seems like a good idea.
By the way, you are right, I never mentioned it but I am not an expert on these things.

I am going to look into what you said, BillyRayPreachersSon. I knew that there must be a difficult but good way to do it.
thanks
 
Paypal is 'easy' but it is certainly a bit of a pig to test and very overcomplicated in some areas.

Whatever you do you will need some way to actually process the card info.
Your bank will have something to say on how you do this.
Simply collecting numbers and manually processing them may not be acceptable.

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.
 
BillyRayPreachersSon, when you say "You would need to buy a certificate from a trusted re-seller", how exactly do I do this? Are there companies that do that, or do I have to fix it myself and they will certify it? I googled HTTPS, but didn't really get anything.

Foamcow, if I use PayPal, I don't need to process the credit card, do I? All I have to do is open a PayPal account and collect the money from there, somehow.

thanks
 
You can buy SSL security certificates from many places.

Try Comodo.com
Once bought, the certificate will need to be 'installed' on your web server. You may even find that you need to buy the certificate through your hosting company (if you use one).

The certificate lets you create secure connections between the customer and your site. Using this connection you can safely transport credit card information, but it still needs to be processed.


Paypal act as a credit card processor. You don't need a certificate to use their basic services since all the actual data collection is done on Paypal's site and not your own.
Integrating Paypal can be as simple as creating a button on your site... or you can build a shopping cart and take payment via Paypal (summarising the cart contents on the Paypal pages)

I would once again urge you to speak to your bank regarding any services they offer or requirements they have.

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.
 