Ecommerce + CC processing

paulthelegend

Hows it going, Right setting up my first e-commerce site, and wondering about how to process credit cards.

wrote my own shopping cart(was on about 7-8 months ago asking for help so thanks to all who did help). So its all working, you can order things and add to basket and all that, then you place your order and enter your details and credit card info.

Then I would go into an ADMIN section of the site and view the orders then click a button when I want to charge the card, it then uses a form to send away the total amount and user name and credit card details etc to a processing gateway.

I set up worldpay thinking I could do this, but then they said that the account I have the “select junior” account would not be compatible with this system, they want the people to place the orders on my site and once it comes to entering the credit card bit they want me to send over there name and address etc in a form but NOT to send the credit card but defer them to there site to enter there credit card details. In the contract of my account I should not take there card details on my server only on theres.

Now they say that there is another account that would suit me but theres legal issues I need to sort out. And I’m being told by joe to ring john and john says to ring joe. You know one of these muppet support teams which are really just routers

I have a merchant account number with Ulster bank aswell which is where worldpay would be sending the money.

So I’m basically asking, if I have a merchant account do I really need worldpay at all? And if yes, is anyone on a worldpay account which there able just to send the card details over to them in a form and whats the name of this account? Or would realax be better for me?

joePC

Have a look at this

misterq

You have a WorldDirect account and you are using the select Junior method which basically means that the customers enter their details on a secure Worldpay page, with you passing variables back and forwards.

If you want to charge via your site, you need:
a) A secure server/certificate
b) Some method of securely storing the card numbers on your server (be careful with this)
c) An INTERNET merchant account with Ulster Bank
d) The BankDirect service from worldpay, or use Realex

Ronan

paulthelegend

Sorry yea i have an internet merchant account with ulster bank. so if i buy a ssl then it shouldnt cost me any more? do worldpay charge more if you are doing it on your own server? and what secure method? would the ../ and put it on the root of my hosting be considered secure? or do i have to encrypt the numbers?

hostyle

LOL. welcome to the "third world" of the internet.

or do i have to encrypt the numbers?

What do you think?

misterq

the Bankdirect thing is completely different to WorldDirect.
You will need to get another account etc.
As far as I know, they charge a flat fee for putting through the transactions.

If your going to store the card numbers on your site, I would highly recommend encrypting them and storing them outside of the web directory (if stored in a file).

My rule of thumb would be that you need to have the numbers secure so that even if someone got into your account and could see all your files (even outside of the web directory), they still wouldn't be able to see the credit card numbers.

Exactly how & what is up to your server platform and the programs available on it (gnuPG for Linux is a well known encryption program).

paulthelegend

hostyle ... theres a test forum if you just like seeing your name on posts other wise stick to constructive comments, have you got one up and running and if so what way is it running?

misterq, yea i would be encrypting them and even at present if you get into the admin section you can not see any card numbers or see the location of the database file.

but i just got this email from worldpay

To be approved for use of an invisible installation requires approval by an
account manager, to get one of these requires sales of around
£750,000/year. As you may have guessed these installations are only given
out in exceptional circumstances. You should integrate via the standard
options unless you meet the above requirements

Is this a load of sh*te? ive been on a good few sites and ordered on them sites for good and im 100% sure they wernt hittin 750,000 sterlin. Has anyone here got a e-commerce site up and running and what way do youse do it? do you take the orders on your site then send them over to put in the credit card details on the worldpay site? or do you use some other companys and whats the method with them?

Im considering just getting one of those credit card machines and telling the bank ill be taking orders from online and they put up the transaction fee 1.5 - 2% does anyone have this system?

hostyle

Originally posted by paulthelegend
hostyle ... theres a test forum if you just like seeing your name on posts other wise stick to constructive comments, have you got one up and running and if so what way is it running?

I was being constructive (if a little obtuse). I've been down this road years ago. Its was all a shambles then. It is now also. Irish banks presume everyone is out to get them and refuse to get with the times. However, you are right. This is not the place for personal rants. I apologise (except for the "what do you think" bit - these are peoples credit card and personal details, of course they have to be encrypted.)

One other thing (which you may not see as being constructive either) - would you not have thought of checking this out before writing all your code? I know I did, and began months of frustration.

dynamic.ie

Here's what I think you should do....

Sign up with Realex (www.realex.ie)

Set up your checkout page (where they enter credit card details) to input customer information into your database and send the credit card details to realex. All on a secure server of course. In the sample code from realex, you can set your payment to delayed settlement. This means that you can have your order details, customer details, etc stored in your database without their credit card number. You get an email from your system saying a new order has been placed. Then you login to the realex system and find your order number. Then you authorise it! You never see the CC number and never have access to it so you don't have to worry about any encryption, security, etc. with the CC. Realex will handle that for you!

The added advantage this would have over your current set up is that when the CC number is sent to Realex, they will check that there is sufficient funds, the card is not reported lost/stolen, will check the CCV2 number and all that for you, while your customer is on the site. If there is a problem with the card, you can set your code up to tell the customer and get them to try again. Much handier to do this while they are on the site than trying to get them to come back and do it!!

Hope this helps.... Realex ain't to bad on price! Negotiate with them! And I'm sure your only on about 2/2.5% with Ulster Bank?!?

BTW... how long did it take Ulster Bank to set up your merchant account? They have never been able to set one up in less than 6 months for some of my customers!!

Best of luck!

Dave

chakotha

You could configure and set up your secure server on port 443 of your domain, then buy an SSL certificate like GeoTrust's QuickSSL.

To store the CC Nos. maybe use one of PEAR's encryption packages like Crypt_CBC to encrypt the numbers (if your using PHP) . Orders will not be processed in real time and you are accountable for the CC Nos. but this avoids the payment gateway charges or other third parties.