Web Hosting Talk

View Full Version : Order Pages?


p1net
02-12-2002, 12:54 PM
I am setting up order pages for my website and I was wondering how this can be done relatively easily. I have access to a secure server and will be using hostcharge for processing the CC's, but how exactly would you go about setting up the order pages? Should I use something like formail to dump the info to a file on the server? I am aware that most people don't have to worry about anything like this when using REvecom and 2checkout, as you use their order forms. Is there anybody doing it the way I am trying to set it up? If so, could you please give me an idea about how you went about it? :) :)

Thanks for your help!!

Marty
02-12-2002, 02:22 PM
If cc numbers are involved, do not dump to a file on the server. That is just asking for trouble.

It appears that you should be able to set up a system that will process straight to their gateway without the need to dump the info anywhere. I don't have their development docs, so would know how.

Omair Haroon
02-12-2002, 02:39 PM
Originally posted by Marty
If cc numbers are involved, do not dump to a file on the server. That is just asking for trouble.

It appears that you should be able to set up a system that will process straight to their gateway without the need to dump the info anywhere. I don't have their development docs, so would know how.

First of all, HostCharge.com does not allow you to use them for real time transactions like we can use 2CheckOut or any other third party processor.

The best way, also recommended to me by HostCharge people, is to have order pages on a secure server and then have the PHP script secure the information, crypt it and then e-mail the order information to you.

Let me know if I can be of any other help!


Salam,
-Omair

p1net
02-12-2002, 03:54 PM
You wouldn't have any instructions on how this could be done? I would really appreciate it. Thanks for your help!! :) :)

Omair Haroon
02-12-2002, 03:59 PM
Originally posted by ronan675
You wouldn't have any instructions on how this could be done? I would really appreciate it. Thanks for your help!! :) :)

Instructions on what?

i). Setting up a secure server?
ii). Using PGP to secure the information filled up by the client on the order form?
iii). E-mailing the form contents?


Salam,
-Omair

p1net
02-12-2002, 04:02 PM
The secure server is set up, but how do I set up PGP? I have never used it before. And how do I e-mail the form contents? :)

palmtree
02-13-2002, 12:09 AM
3- Emailing the form contents is actually really easy.. there's a lot of scripts that will do this (www.hypermart.com/scripts)
Frontpage Extensions also enable this feature as well..

laterz..

Asher S
02-13-2002, 01:33 AM
You can make your own encryption routines? It's not so difficult, I would suggest you use PHP to do that. As far as mailing, that is just one line of code:

mail("email address goes here","subject","body","From: Name here <email@domain.tld>");

hope this helps a little :)

regards, asher

heddesheimer
02-13-2002, 02:45 AM
You can set up your order pages in several ways and I would not recommend storing credit card numbers on your server. I think hostcharge would not be the best solution, because they don't have a verified SSL certification for their own secure server, which does not look very professional.

You have two options to process the payment for your customers.

1) Use a predefined form that you can set up with your cc processor and send the people to this page.
2) Use a gateway and call the cc processor's pages from your secure server to send the cc-numbers and other information in the background

Solution 1 is much easier but this would mean you send the customer to another page which sometimes irritates the customer so that they might leave your site before ordering anything.

Solution 2 is more challenging because you need special features on your server (like curl with OpenSSL) to make a connection from your server to the cc-processor's server and send the data over. The advantage is that your customers never leave your site and the processing works transparently in the background.

Which solution you need depends on your budget (Solution 2 is more expensive in terms of development-hours) and how professional your order pages should look.

I already implemented these solutions for netbilling.com and authorize.net. As a developer I prefer authorize.net because they have better documentation and fewer bugs in their gateway. Unfortunately, they don't offer recurring billing, but you can use a batch upload feature for the monthly billings.

Marian

Asher S
02-13-2002, 02:50 AM
Well, thank you for putting us down! :eek: You haven't even tried or know our solution, so next time please try before you pass your opinion. We already have a solid merchant database who are doing transactions without any problems and are very satisfied.

The only reason we're using a self-signed cert is because our equifax is pending, it should be up soon. Also the job of the cert is the same, and that is encrypting, so I don't see any problems with it as a temporary solution.

Omair Haroon
02-13-2002, 11:54 AM
Originally posted by heddesheimer
You can set up your order pages in several ways and I would not recommend to store credit card numbers on your server. I think hostcharge would not be the best solution, because they don't have a verified SSL certification for their own secure server which does not look very professional.


Does using a self-certified certificate as a temporary solution mean that it ain't suitable to go with? :mad: I would say that it is very good of the representative of the company to clear things up. Secondly, your clients would be using YOUR secure area to fill up the form and you would be the one using theirs, right? So what's the problem? Bearing the notification error that appears once you log in isn't a problem, at least for me. And most of all, that would go in a few days.

As a conclusion I would say that it depends on your requirements whether HostCharge would be a good solution for you or not. You can share your experience with us after you try them out.

As from my side, I would be signing up with them when they get a few other things set up. And to clear things up, that DOES NOT include the SSL thing.


Salam,
-Omair

heddesheimer
02-13-2002, 12:03 PM
Originally posted by ^Kyo
Well thank you for putting us down!

Sorry, it wasn't meant to put you down. I just think from the customer's point of view it looks very strange if a warning pops up that the cert is not recognized by the browser. I am living in Europe and we have a lot of web users here who turn off their cookies because they are afraid somebody could peek on their computers :)

Maybe you don't care so much about certs in the U.S. but here in Europe (and maybe other places on the earth) many people just abort the payment process if they see a warning message.

Marian

Asher S
02-13-2002, 01:21 PM
You realize we provide merchant accounts, hence we know all about security to an extent that our programming keeps credit card data secure. And a self-signed cert is absolutely no different from an equifax, verisign or thawte. Our merchants use our cert without any problems. So I just thought I would clear up any misunderstandings. :)

Asher S
02-13-2002, 01:25 PM
Originally posted by Omair Haroon


Does using a self-certified certificate as a temporary solution mean that it ain't suitable to go with? :mad: I would say that it is very good of the representative of the company to clear things up. Secondly, your clients would be using YOUR secure area to fill up the form and you would be the one using theirs, right? So what's the problem? Bearing the notification error that appears once you log in isn't a problem, at least for me. And most of all, that would go in a few days.

As a conclusion I would say that it depends on your requirements whether HostCharge would be a good solution for you or not. You can share your experience with us after you try them out.

As from my side, I would be signing up with them when they get a few other things set up. And to clear things up, that DOES NOT include the SSL thing.


Salam,
-Omair


Thanks Omair for clearing up the mess ;)

lovelie
02-15-2002, 01:23 AM
Originally posted by ^Kyo
You realize we provide merchant accounts, hence we know all about security to an extent that our programming keeps credit card data secure. And a self-signed cert is absolutely no different from an equifax, verisign or thawte. Our merchants use our cert without any problems. So I just thought I would clear up any misunderstandings. :)

It doesn't matter how much you know about security if the customer is clueless. The average customer doesn't know that a self-signed cert is equal in security to one from thawte, because they get a pop up warning telling them it's not trusted.

It may work, but doesn't look professional. Which probably will deter them, despite how much you know about security. ;)

Asher S
02-15-2002, 02:45 AM
Yeah, I know what you mean, geotrust are taking a hell of a lot of time in coughing up our cert (dunno why? :confused: ) At any rate, within a week our secure site for transactions and our MCC will be up.
Anyway, 95% of our clients have no objection to the self-signed and in fact *most* of them have requested one for their site from us! :D :D

- Asher.

rockergrrl
02-15-2002, 03:30 PM
I plan on using HostCharge for my processing.

I'm going to be using SSL (of course - not self signed :) ), php based form, encrypted with mcrypt, and everything is securely emailed to me for entry.

Everything will be processed securely, as well as encrypted securely.

CoolMike
06-21-2002, 12:52 AM
I'm going to be using SSL (of course - not self signed ), php based form, encrypted with mcrypt, and everything is securely emailed to me for entry.

But is it really secure to use mcrypt? Maybe I'm wrong, but is not the key to decrypt it later in the php file to encrypt it as well?

Mike

The Prohacker
06-21-2002, 01:46 AM
Originally posted by rockergrrl
I plan on using HostCharge for my processing.

I'm going to be using SSL (of course - not self signed :) ), php based form, encrypted with mcrypt, and everything is securely emailed to me for entry.

Everything will be processed securely, as well as encrypted securely.


Everything is great until you said mcrypt...

mcrypt doesn't use public and private keys for encryption and decryption like PGP and GPG do...

You encrypt with a pass phrase, and you decrypt with the same pass phrase.. So you would need to hard code the pass phrase into the script, which would let someone see how to decrypt it...

The only thing I can think of to help lessen the possible security breach is to encode the PHP document... But that isn't foolproof...
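
The difference raised in the last two posts, between a pass phrase hard-coded in the order script and a public/private key pair, shown as an added example that is not code from any poster in this thread. It uses PHP's libsodium functions (PHP 7.2 or later) as stand-ins: `secretbox` for the mcrypt-style symmetric case and a sealed box for the PGP/GPG-style case. The keys, pass phrase and order text are constructed samples.

```php
<?php
// Added illustration. Keys, pass phrase and order text are constructed samples.

// Done once, offline, on the merchant's own machine (never on the web server).
$keypair   = sodium_crypto_box_keypair();            // secret key + public key
$publicKey = sodium_crypto_box_publickey($keypair);  // only this part is uploaded

// Approach 1: symmetric key derived from a pass phrase stored in the script.
// (A plain hash is used here only to get 32 bytes; it is not a proper KDF.)
$scriptKey = sodium_crypto_generichash('pass phrase in the script', '',
                                       SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

function symmetricEncrypt(string $order, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($order, $nonce, $key);
}

function symmetricDecrypt(string $blob, string $key) {
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $body  = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return sodium_crypto_secretbox_open($body, $nonce, $key); // string or false
}

// Approach 2: the web server holds only the public key.
function sealOrder(string $order, string $publicKey): string {
    return sodium_crypto_box_seal($order, $publicKey);
}

$order = "name=Test Customer; card=SAMPLE-NOT-A-REAL-NUMBER";

// Case 1: whatever is in the script is enough to read the order back.
$blob1 = symmetricEncrypt($order, $scriptKey);
var_dump(symmetricDecrypt($blob1, $scriptKey) === $order);

// Case 2: the script's contents (public key only) cannot open the sealed box.
$blob2       = sealOrder($order, $publicKey);
$guessSecret = str_repeat("\0", SODIUM_CRYPTO_BOX_SECRETKEYBYTES);
$guessPair   = sodium_crypto_box_keypair_from_secretkey_and_publickey(
                   $guessSecret, $publicKey);
var_dump(sodium_crypto_box_seal_open($blob2, $guessPair));

// Only the merchant's offline key pair recovers the order.
var_dump(sodium_crypto_box_seal_open($blob2, $keypair) === $order);

// Text-safe form that would go in the e-mail body.
$mailBody = chunk_split(base64_encode($blob2));
```

The three `var_dump` calls print `bool(true)`, `bool(false)` and `bool(true)`: the symmetric blob opens with what the script contains, while the sealed order opens only with the key pair kept off the server.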