FormMail.pl


zonegal
07-06-2003, 02:12 AM
Hi! I'm wondering if it is safe enough to transmit credit card information using the FormMail.pl script? The script will email me all the information that users enter in the form.
I did use https (secure server) for my order page, and the form action to call the script. Will this be secure enough, or can people still hack the email, etc.? If this is not safe, what is the best way to get credit card information from users? I have a merchant account from Quickbook, but I don't think I can link that to my website, can I? :(
Thanks a lot! :)

Jeff Mott
07-06-2003, 11:06 AM
SSL will protect the transmission of data from the client to the server, but you will still be transmitting the data as plaintext between your hosting server and your e-mail server. And then again from your e-mail server to you. So no, this would not be secure. Once you have the data on the server you will have to store it. 1) Make sure your database does not have read permissions for anyone except the owner, so the public cannot see it, and 2) Encrypt the data. Do not attempt to write your own encryption scheme. It is far more complicated to develop a secure algorithm than you might think. And you can't take chances with people's credit card information. Use the Advanced Encryption Standard (http://csrc.nist.gov/CryptoToolkit/aes/), which is available as a Perl module (I would provide a link to the Perl module but the site appears to be having technical difficulties at the moment).

zonegal
07-06-2003, 03:57 PM
So you are saying instead of sending it as an email to myself, just write it to a file on my server, and then encrypt it? (Is that I only have write permissions for other? Nothing for the group, and rwx for owner?)

Can you please tell me how to encrypt the data? I went to http://csrc.nist.gov/CryptoToolkit/aes/ but I'm totally lost, cos I don't know anything about encryption.

Thank you so much for your help! :)

Jeff Mott
07-06-2003, 04:06 PM
There is a Perl module (Crypt::Rijndael) that you can have your host install on your server. You would be able to download the module yourself and read the documentation for the interface from CPAN (http://search.cpan.org/), but the site seems to be having trouble at the moment.
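
One way to do what Jeff describes (write the submission to an owner-only file, encrypted with AES through Crypt::Rijndael), as an added example that is not code from this thread or from FormMail.pl; it assumes Crypt::Rijndael is installed and that the real key is kept in a separate file readable only by the owner (a throwaway key is generated here so the script runs stand-alone):

```perl
use strict;
use warnings;
use Crypt::Rijndael;
use Fcntl qw(O_WRONLY O_APPEND O_CREAT);

my $BLOCK = 16;    # AES block size in bytes

sub random_bytes {    # draw bytes from the OS entropy source
    my $n = shift;
    open my $fh, '<', '/dev/urandom' or die "urandom: $!";
    binmode $fh;
    read $fh, my $buf, $n;
    return $buf;
}

sub encrypt_record {    # returns IV . ciphertext (CBC mode)
    my ($key, $plain) = @_;
    my $pad = $BLOCK - length($plain) % $BLOCK;    # PKCS#7 padding
    $plain .= chr($pad) x $pad;
    my $iv = random_bytes($BLOCK);                 # fresh IV per record
    my $c  = Crypt::Rijndael->new($key, Crypt::Rijndael::MODE_CBC());
    $c->set_iv($iv);
    return $iv . $c->encrypt($plain);
}

sub decrypt_record {
    my ($key, $blob) = @_;
    my $c = Crypt::Rijndael->new($key, Crypt::Rijndael::MODE_CBC());
    $c->set_iv(substr($blob, 0, $BLOCK));
    my $plain = $c->decrypt(substr($blob, $BLOCK));
    return substr($plain, 0, -ord(substr($plain, -1)));  # strip padding
}

# Assumption: the 32-byte key lives in its own owner-only file, away from
# the order file. A throwaway key is drawn here so the script runs alone.
my $key = random_bytes(32);

# Constructed sample submission (what FormMail.pl would have e-mailed).
my $record = "name=Jane Doe&card=4111111111111111&exp=12/05\n";
my $blob   = encrypt_record($key, $record);

# umask 077 plus mode 0600: rw for owner, nothing for group or other,
# so the file is never world-readable even while being created.
umask 077;
sysopen my $out, 'orders.enc', O_WRONLY | O_APPEND | O_CREAT, 0600
    or die "orders.enc: $!";
binmode $out;
print $out pack('N', length $blob), $blob;    # length-prefixed record
close $out;

print "round-trip ok\n" if decrypt_record($key, $blob) eq $record;
```

decrypt_record does not authenticate the blob, so a tampered file or a wrong key yields garbage rather than an error; an HMAC over IV and ciphertext, checked before decrypting, closes that gap.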

zonegal
07-06-2003, 05:13 PM
Actually I'm thinking, wouldn't it be safe if I send the email through my host email server? Cos my host provides me with an email address, and since I'm checking my emails online (they provide online email access) without downloading them to my machine, won't it be safe enough? I mean the host company will have all those firewalls etc. to prevent people from hacking, right? Please correct me if I'm wrong... :p

Just trying to get the easiest way out of this, haha... cos I don't think I know how to do that Crypt::Rijndael that you're talking about..

Thanks again for your help! :)

Jeff Mott
07-06-2003, 05:43 PM
The host sendmail program may be clever enough to spot messages going back to its own account, but then again it may not. The HTTPS server and the SMTP server may not even be on the same computer. And the SSL protocol (HTTPS scheme) must be used when viewing your e-mail, otherwise it is transmitted as plaintext from the mail server to your computer. There are an awful lot of assumptions in this process.

If you're looking to receive payments online then the easiest way is actually to work through PayPal. This way you won't have to worry about securing credit card information at all.

zonegal
07-07-2003, 07:36 PM
Hmm... I just read some horror stories about PayPal at http://paypalsucks.com/forums/

Should I be worried about that??? Kind of now... :(

Jeff Mott
07-07-2003, 08:50 PM
Sort of. It is a scam centered around PayPal, but is not the fault of PayPal. It is a simple e-mail that appears to come from PayPal, but does not really. This e-mail provides you with a link to a domain that resembles PayPal's, but again isn't the real domain. It would then ask you to log in (thus providing your user/pass info) and the owners of this fake site would receive your information. PayPal currently appears to be the biggest target, but the scam could be applied to any site login.