Hi,
I agree completely with him. You should go through another entity for
payment. You should go through some company that ensures you reliability
and security. Here in Europe there are a lot of stories about company
databases being hacked and losing up to 15.000 cc numbers. In no way
could you get the security these companies can offer you.
Try these ones (I do not endorse any of these companies or have any
information about them): ccbill.com or americanbank.com. I recommend you
browse through the net for more.
Also for the private information you should use SSL in the transactions.
Hope this helps
Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)
Richard Lynch wrote:
>
> > I'm new to PHP and to e-commerce. Needless to say, I've done a lot of
> > studying over the last few weeks and I'm ready to dive in head first!
>
> Actually, you're not... Sorry. The fact that you want to store data in
> flat files, and that you want to store CREDIT CARD INFO the way you describe
> tells me that you haven't read enough.
>
> > I'll be building an e-commerce site and I'll be using PHP. I'd like
> > customers to have the option of saving their information so that they
> > don't have to enter it each time they purchase -- much like Buy.com does
> > or like Amazon.com's One-Click feature.
>
> Those are nice features, *IF* the information is stored and accessed
> properly.
>
> > This means that the customer will be storing information like one or more
> > credit cards, shipping addresses, billing addresses, etc.
> >
> > I'm planning on storing all information in flat files so that I don't have
> > the additional expense of using MySQL (My ISP is charging 24.95/month
> > extra for MySQL service).
>
> Consider moving to a different server. $24.95/month should get you
> everything you need including MySQL *UNLESS* you're a high-volume site with
> 10,000+ hits/day or heavy bandwidth like audio/video.
>
> > So the question is: How can I store each customer's information safely?
> > Can I use .htaccess and .htpasswd to help me out? Or don't they even apply?
>
> .htaccess and htpasswd would be okay for AUTHENTICATION of a few people, but
> if your server is running PHP as a Module, you're better off using PHP to do
> the HTTP Authentication. See the PHP manual online for sample code.
> http://php.net/
>
> Authenticating a user as a specific customer is COMPLETELY SEPARATE from
> safely storing their credit card information.
>
> > My intention is to store the user's password encoded with md5 or something
> > and also to develop my own cipher for disguising the credit card numbers
> > as well.
> >
> > Any suggestions?
>
> Don't.
>
> md5 is useless for this, and developing your own cipher is out-and-out silly
> unless you are a cryptography expert.
>
> When Amazon et al store a credit card number, they have a very specific
> custom setup for that, involving:
>
> A separate dedicated computer *NOT* directly connected to the Internet to
> store the cc info. These machines are:
>   - accessible via a SECOND Ethernet card in the web-servers
>   - invisible to the outside world
>   - only accept connections to the Database server -- no other software installed
>   - only accept data from that one Ethernet cable
>   - physically accessible only to trusted few
>
> Further, even their web-servers are DEDICATED machines, not shared-access at
> an ISP. These machines will have an extremely limited number of users able
> to directly access them. Yours has several hundred untrusted users.
>
> In short, if you are balking at $24.95 a month for MySQL, your budget is
> *NOWHERE* *NEAR* within reach of the hardware/software/facilities required
> to safely STORE credit card numbers.
>
> By all means, feel free to hook up with a third-party firm to process your
> credit cards in real-time.
>
> But you'll have to forego the STORAGE of credit card info feature for now.
>
> --
> WARNING [EMAIL PROTECTED] address is an endangered species -- Use
> [EMAIL PROTECTED]
> Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
> Volunteer a little time: http://chatmusic.com/volunteer.htm
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]