WillMaster Possibillites Logo EzineSeek Award
Accepting Credit Cards with Your Own Secure Server
by
Mari Bontrager

Permission is granted to reprint this article in its entirety, provided no reprints are sent in conjunction with unsolicited bulk email, provided no fee or other value is exchanged, provided no changes are made to the article, and provided the author's name, signature lines, and copyright line are printed with the article; except you may change the article's title.

If you have a merchant account and your own secure server, you can take credit card orders

  • without shopping cart software and

  • without the expensive services of a payment gateway.

Use a form processing script to collect the payment information. The script stores the order and credit card information in a database on your secure server and then sends you a notification email.

After you get the email, download the file from your secure server.

Definitions

Merchant account:

Before accepting credit cards for items purchased from your business, you need a merchant account with a bank. You then process your credit card transactions through the merchant account. Merchant account agreements generally have clauses making it a breach of contract to allow your merchant account to be used to process purchases of anything from anybody other than your business.

Note that some services, such as ClickBank, seem to allow your customers to use credit cards to pay for items from you even though you might not have a merchant account. However, using ClickBank as an example again, the customer actually purchases the item from the service. The service, then, pays you a discounted amount for the item.

This is not a dissertation about merchant accounts, just an attempt at a simple definition. However, be aware that costs and restrictions can vary from one bank to the next. It might pay to shop around.

Secure server:

Sometimes called SSL (Secure Socket Layer), secure servers allow encryption of information to be transmitted. Here is a simple definition of how it works.

A browser connects with a secure server using an https: URL. During the connection process, the browser and the server agree on an encryption scheme. Once connected, anything that the browser sends to the server (such as credit card information) is encrypted before sending. The server also encrypts data before sending it to the browser. Thus, any information traveling between browser and server is encrypted, which means if anybody intercepts the transmission all they get is a confused blur of symbols.

Contrary to what the term implies, you still need to protect any information residing on the secure server. SSL only encrypts information in transit.

Payment gateway:

This service provides credit card authentication and real-time processing. You still need a merchant account. Be aware that obtaining a merchant account with a payment gateway service as agent might cost much more than getting one through your own bank. On the other hand, some payment gateways will only work with certain banks.

As with merchant accounts, payment gateways costs and restrictions can very from one service to the next. Costs can very widely. Please shop around before making a decision.

Before we continue, let me mention that if you use your own server to collect credit card information, you're flirting with security issues. I'll address some of those issues in this article and make suggestions for reducing risks. Then, I'll show you a way to implement a credit card payment system and talk about database retrieval.

Note:    Use an insured payment gateway if you can't abide security risks with your customer's financial information or if you are concerned about fraud (with an instant download product, for example). A payment gateway with a good reputation is http://authorize.net/

Security Issues

Although this section addresses some security issues related to accepting credit card information with your own secure server, it is not all-inclusive. I am a programmer, not a professional security expert. Being a professional security expert is a full time job in itself.

Crackers, including professionals as well as bored 12-year olds, have traffic sniffing, port scanning, and other easy-to-use and automated tools to find vulnerabilities. Use common sense when setting up your system.

FYI:    Additional information related to security of CGI scripts in general is available in the ebook "Do-it-Yourself CGI Security: Plugging Common Cracker Holes." It can be ordered from http://willmaster.com/a/12/pl.pl?pie3

Here are some common sense methods to reduce risk:

  1. Put the web page with the form asking for credit card payment information on your secure server. To ensure secure transmission of information, the URL must begin with https: and the padlock icon on the browser must be closed.

  2. The form processing programs must be on the secure server.

  3. Make sure any files containing credit card information are stored on your secure server, not on your regular server. If the same file can be accessed by either http: or https:, there is a higher risk of information compromise.

  4. When you store credit card information in a file, put the file in a location and give it a file name extension so it can't be loaded into a browser. For example, if your file is named ccinfo.txt then the file might be read with a browser even when the file is on a secure server. However, if you use file name extension .cgi or .pl (depending on what extension your server treats as a Perl CGI program) and store the file in a directory that can run CGI programs, then the server would try to run the file as a script and send an error message to the browser.

  5. If your programs must send credit card numbers via email, make sure the emails are encrypted. Sending complete credit card information (name, number, and expiration), via unencrypted email is a declaration of stupidity.

  6. Limit the amount of time credit card information is on your server. If there should be unauthorized access to your server, the less critical information on the server at the time, the less critical information you may be liable for.

Implementation

To implement a system of accepting credit cards with your own secure server, install a form processing program that will send an email to you, update a database, and optionally send an email to your customer.

A number of scripts can accomplish all that. In this article's example implementation, I'll use our Master Form from http://willmaster.com/a/12/pl.pl?mf

Simply upload the program to your secure server in a directory that will run Perl CGI scripts.

(Master Form is unusual in that every copy is custom generated for the domain and server it will be installed on. Therefore, if you're using someone else's secure server, your hosting company's for example, you'll need to generate Master Form for the domain name where their secure server is located.)

Create a template for the email that will be sent to you. In the template, use placeholders where the script will insert the information from the form. For example, if the field name of your form where the customer types in an email address is name="email", then placeholder [[email]] will be replaced with the email address.

Please, do not cause Master Form to send you the credit card number via email. Master Form does not encrypt email. It is not private nor secure.

Optionally, you can create a template for the email that will be sent to your customer. Again, placeholders can be used.

Create a template for the database record. You can design it as you wish. For example: 

[[MONTH]] [[DAY]], [[YEAR]] at [[HOUR]]:[[MINUTE]]
                  Item: [[item]]
                Amount: [[amount]]
      Credit Card Name: [[ccname]]
    Credit Card Number: [[ccnum]]
Credit Card Expiration: [[ccmm]]/[[ccyy]]
                  Name: [[full name]]
                 Email: [[email]]
               Address: [[address]]
                  City: [[city]]
        State/Province: [[state]]
       Zip/Postal Code: [[zip]]
-----------------------------------------

Upload the templates to the same directory where Master Form is installed. Use hidden fields in the form to tell the script the file names of the templates and the file name of the database. (Instructions are in the Master Form manual.)

Master Form will append the information to the database file according to the template you provided. If the database does not exist, it will be created.

Database Retrieval

Now that you've got some credit card numbers on your secure server, you'll need to retrieve the information so you can process the charges through your merchant account. Different banks have different procedures for this. But whatever the procedure, you'll need the credit card information to accomplish it.

Before you retrieve the information, consider where you will store it after the charges have been processed. A password accessed computer may be sufficient. If not password protected, you might encrypt the database. Alternatively, you might print the information and store it in a locked space.

In general, whatever security precautions are appropriate for brick 'n mortar store's credit card records is also appropriate here. You may wish to solicit your bank's recommendations.

Now, to retrieve the information.

If you use Master Form, the database will consist of plain text characters. Simply

  1. Rename the database file to a name unlikely to be guessed and with a .txt or other browser accessible extension. Example: kkdf3wUT.txt

  2. Access the kkdf3wUT.txt file with your browser using https:. Save the browser window to your hard drive.

  3. After verifying that the browser saved the file to your hard drive okay, delete kkdf3wUT.txt from your secure server.

So long as you use a different file name every time you do step 1, it is highly unlikely that anyone will guess it in the time it takes you to do steps 2 and 3. Because you use an https: URL in step 2, the data download is encrypted.

If you don't use Master Form and if the program you use (i) won't automatically create a new database file when appropriate or (ii) doesn't store the database information as plain text, you might then need to use FTP to download the credit card information. Please note that FTP is not a secure connection. You might ask the author of the program you're using for alternatives; maybe s/he can modify the program so it can generate a plain text file that you can access with your browser via https: and, after saving it to your hard drive, delete the file from the server.

Wishing you joy, happiness, and prosperity.

By: Will Bontrager

Copyright 2002 Bontrager Connection, LLC
http://willmaster.com/possibilities/
subscribe-possibilities@willmaster.com