Web Hosting Talk

View Full Version : looking for a secure order form


D
08-15-2000, 02:34 PM
I am looking for a way to have a secure online order form to accept online orders. Anybody have any suggestions? I will run CC's offline.
Thanks-

Annette
08-15-2000, 02:37 PM
You'll need a secure certificate from someone like Thawte (http://www.thawte.com) and get that installed. Alternately, if you are not a host, see if your host has a cert that you can use. Many hosts offer a server-wide cert for use by their clients. The form can be anything you want, as long as you call it securely, and as long as you retrieve the data securely from the server.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

[This message has been edited by Annette (edited 08-15-2000).]

D
08-15-2000, 02:43 PM
I know some companies will host the form on their secure server (securehosting.com) for a fee. Do you know of any others that offer similar services?

Laci
08-15-2000, 02:48 PM
Originally posted by D:
I know some companies will host the form on their secure server (securehosting.com) for a fee. Do you know of any others that offer similar services?

Another way you could do this is via paypal.com; it allows the client to purchase your item via their CC or bank account (in the US) for free... I've used this service a lot and never had a problem.



------------------
Regards,
Dana
VeoWeb.Net Tech Support
http://www.veoweb.net

Annette
08-15-2000, 03:10 PM
Originally posted by D:
I know some companies will host the form on their secure server (securehosting.com) for a fee. Do you know of any others that offer similar services?

Off the top of my head, no. But if I stumble across any, I'll be sure to post them up.



------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

Vladislav
08-15-2000, 03:29 PM
Hi,

Please remember that just using SSL is NOT enough. Something has to encrypt the data once it gets to the server. SSL merely protects against sniffers until the data gets to the server, where it must *immediately* be re-encrypted!

Sincerely,


Vladislav Davidzon <davidzon@thinkhost.com> :-)
Senior Network Administrator - ThinkHost Web Hosting Services
http://www.thinkhost.com - honesty, reliability, trust.
We are the smart choice for all your web hosting needs! (TM)

Annette
08-15-2000, 03:51 PM
This is why I mentioned in my original response that the data must be retrieved securely from the server. One step at a time - and SSL is the first step.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

Vladislav
08-15-2000, 05:05 PM
Annette,

Please explain what you mean by "retrieved securely from the server"

Annette
08-15-2000, 05:57 PM
I mean exactly what I said: retrieving data securely from the server. There are a wide variety of ways of doing this, from a direct shot via SSH, to secure web mail, to PGPMail, etc. This, however, is not the topic the original poster started.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

Vladislav
08-15-2000, 06:25 PM
Annette,

That was my whole point that you missed -- you can't just store the credit card information on the server without it being encrypted. That is, in itself, highly insecure and you're basically relying on the security of your server (or the specific permissions on the file as the case might be) for the credit card information. Given how many holes are discovered every day, this is extremely unreliable.

Do you follow what I mean? :)

Cheers,

Slava Davidzon
ThinkHost Customer Service http://www.thinkhost.com

Annette
08-15-2000, 06:44 PM
No one ever said anything about storing data on the server unencrypted, since we have absolutely no idea what method the original poster will be using to gather data, but I'm sure that he appreciates the information. Since it's likely that it will be a simple mail script, I would certainly hope that anyone who cares enough to use a secure form on a mailer will also be concerned enough to use something like PGPMail to push the form output through.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

[This message has been edited by Annette (edited 08-15-2000).]

marksy
08-15-2000, 07:44 PM
I guess the easiest way to do what the orig poster asked would be an SSL connection with PGPMail. This encrypts it all the way to him.



------------------
Chris Marks
KBS Web Hosting (http://www.netfronts.com)
http://www.netfronts.com

KDAWebServices
08-15-2000, 07:45 PM
I have to agree with Annette, PGPMail is probably the easiest way to go, although I know of one hosting company who just uses Formmail.pl to send credit cards over the net.

------------------
Karl Austin
KDA Web Services

Annette
08-15-2000, 09:04 PM
Believe me, there's more than one. Consider the thousands of businesses out there, both hosts and otherwise - that's quite a lot of room for insecure transactions.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

Greg
08-16-2000, 12:16 AM
A few years ago, before I acquired my merchant account, I put my products in Jumbo.com mall. They store the credit card info on a secure server for you to log in and retrieve later. They are free; the shopping cart really sucked, but they supplied the source code, which allowed me to change it.

They are still around so they must be doing something right, so maybe try them out just to use their shopping cart and secure server.

haner
08-16-2000, 12:26 AM
http://www.equifaxsecure.com/

They have SSL certs at only $45. Much lower than Thawte and VeriSign. I might sign up with them; anyone have any opinions?

Annette
08-16-2000, 08:59 AM
Add kagi.com to the list of providers of that type of service, too.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

D
08-16-2000, 10:08 AM
Regarding marksy's comments on SSL and PGPMail, how exactly does that work? Does SSL encrypt it to the server and then the PGPMail sends it securely to my email box?

08-16-2000, 04:08 PM
Looking at site now.

[This message has been edited by Admin (edited 08-16-2000).]

Michael
08-16-2000, 05:57 PM
Make sure and email your host and ask them if they support Equifax Secure Certs. Since most browsers do not support Equifax Secure Certs, your users will get a popup saying the cert is signed by an untrusted company, if installed incorrectly.

Equifax Secure Certs can work correctly but the host will need to edit some conf files for you. These changes are needed because Equifax is actually using Thawte as their CA.

Regards
Michael


[This message has been edited by Michael (edited 08-16-2000).]

KDAWebServices
08-16-2000, 06:56 PM
Originally posted by D:
Regarding marksy's comments on SSL and PGPMail, how exactly does that work? Does SSL encrypt it to the server and then the PGPMail sends it securely to my email box?

SSL encrypts from the browser to the server; PGP then encrypts the details with your public key and emails the information to you so that you can decrypt it with your private key.
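
The server-side half of the flow discussed in this thread, as an added example that is not part of any post: the form handler encrypts the order to the merchant's public key the moment SSL hands it over, so a keyring on the web server can produce ciphertext but cannot read it back. GnuPG is assumed here as a stand-in for PGP, and the address, order text and both keyrings are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. GnuPG stands in for PGP; the address,
# the order text and both keyrings are constructed for the demo.
RCPT="orders@example.invalid"
ORDER='name=Constructed Buyer&card=4111111111111111&exp=01/02'

# Merchant's own machine: create a key pair, print only the public half.
make_merchant_key() {    # $1 = merchant keyring dir
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$RCPT" default default never \
        >/dev/null 2>&1
    gpg --homedir "$1" --batch --armor --export "$RCPT"
}

# Web server: holds the public key only.
import_public_key() {    # $1 = server keyring dir, key on stdin
    gpg --homedir "$1" --batch --quiet --import 2>/dev/null
}

# Called by the form handler: plaintext on stdin, armored ciphertext on
# stdout, so nothing readable is written to disk or handed to the mailer.
encrypt_order() {        # $1 = server keyring dir
    gpg --homedir "$1" --batch --quiet --trust-model always --armor \
        --recipient "$RCPT" --encrypt
}

# Succeeds only where the private key lives.
decrypt_order() {        # $1 = keyring dir, ciphertext on stdin
    gpg --homedir "$1" --batch --quiet --decrypt 2>/dev/null
}

demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    tmp=$(mktemp -d) && mkdir -m 700 "$tmp/merchant" "$tmp/server"
    make_merchant_key "$tmp/merchant" | import_public_key "$tmp/server"
    msg=$(printf '%s\n' "$ORDER" | encrypt_order "$tmp/server")
    printf '%s\n' "$msg" | head -n 1
    printf '%s\n' "$msg" | decrypt_order "$tmp/server" >/dev/null \
        || echo "server keyring: cannot decrypt"
    echo "merchant keyring: $(printf '%s\n' "$msg" | decrypt_order "$tmp/merchant")"
    for d in merchant server; do
        gpgconf --homedir "$tmp/$d" --kill gpg-agent 2>/dev/null
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the armored header, the failed decrypt on the server keyring and the recovered order on the merchant keyring.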