Freelancers Network
 
Freelancers.net is owned and operated by Andy Stowell and Dan Winchester

Re: FN-FORUM: credit card payments without pages hosted on providers servers

date posted 2nd October 2006 12:41

[EMAIL REMOVED] wrote:
>> [EMAIL REMOVED] wrote:
>>
>>> If we use an 'API' from one of the providers we can do it that way, but that
>>> means we have to record all the transaction details and store them on our
>>> server which needs to conform to 'PCIDSS' standards (which = £££), so it's not
>>> really an option.
>>
>> Why do you have to store the transaction details in this case? You just
>> call the merchant API in realtime, so when the user submits the final
>> checkout page, you pass the credit card details to the API and receive
>> an immediate response, which you can then relay back to the user in the
>> same page request - no local storage required. You can of course still
>> log whatever details of the transaction you will need later, except for
>> the credit card number and similar info.
>>
>> Dave
>>
>>
>
> Logically yes, there's no reason for us to store the information, just
> 'bounce' it through to their system... but every payment provider I've
> spoken to says that if we go the API route WE become responsible for
> storing the data. It seems like it's part of the payment providers'
> conditions of using the API. Do you know of a company that would allow
> API use without us capturing the details?
>

But that implies that you're storing the data somewhere, so if you never
do that, you're in the clear - or at least that's how I've understood
these rules in the past. As long as the card details are encrypted in
transit between the customer and your site (via an SSL certificate), and
your site and the merchant API (via whatever method the API provides for
this, probably SSL again), never written to disk on your server, and
erased from memory as soon as the transaction is complete, there's no
available location for an attacker to gain any card details.

Dave
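
The pass-through flow discussed in this thread, as an added example that is not part of the original posts: the card fields are relayed to the gateway within the request, only non-card fields are kept for logging, and a logging filter masks any Luhn-valid card number that reaches the logger by mistake. The field names, the `gateway_call` callable and its response keys are assumptions made for illustration, not any provider's real API.

```python
import logging
import re

# Constructed field names; a real checkout form and gateway API will differ.
SENSITIVE_FIELDS = {"card_number", "cvv", "expiry"}
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace anything that looks like a valid card number in a log line."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "[PAN REMOVED]" if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


class PanFilter(logging.Filter):
    """Safety net: scrub card numbers that reach the logger by mistake."""
    def filter(self, record):
        record.msg = mask_pans(record.getMessage())
        record.args = ()
        return True


def charge(form: dict, gateway_call, log: logging.Logger) -> dict:
    """Relay the card to the gateway in-request; keep only non-card fields."""
    card = {k: form[k] for k in SENSITIVE_FIELDS}
    # gateway_call is hypothetical and is assumed to use an encrypted channel.
    result = gateway_call(amount=form["amount"], **card)
    card.clear()  # drop our copy; this function never persists card fields
    kept = {k: v for k, v in form.items() if k not in SENSITIVE_FIELDS}
    kept.update(status=result["status"], gateway_ref=result["ref"])
    log.info("payment %s", str(kept))
    return kept
```

Attach `PanFilter` to every handler that writes to disk or ships logs off the host, since a stack trace or debug dump of the request can carry the card number even when `charge` itself never logs it.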


