Hello, i'm new here. I'm a developer and run my own web development and design company. Hello everyone :). I hope i have the right forum for this, i had a look around and this seemed to be the most fitting.

I have recently agreed to perform research into the feasibility of a very large website for a client. To cut to the chase in order for it do what the client requires i believe it will need to store customer payment details on the website, such as card details or bank account numbers. Firstly i was very skeptical and now after reading up a lot of information i have come to the conclusion this should not be done. Despite this, if the site was to be hosted on a dedicated server with an SSL certificate and a database that stored this information with encryption, would it be possible and worth creating it from a security and legal point of view? I'm still very skeptical.

Now this next bit may sound a bit weird but i'm afraid the clients idea is to remain secret. Just bear with it. Now the reason i believe storing the payment information on our own server is the only way to achieve what they want is that; this information, only at the clients request, will be entered on different websites and a monthly direct debit will be set up from the clients account to the other sites. The amount, what company etc will all be at the clients discretion we will just streamline the signup process.

Is there a third party system that already exists that could take the clients payment details, store them securely, then allow access to them in order for us to sign them up to other sites?

Is this legal? Should this be done?

I'm very skeptical about this and sure lot's of people will have some strong opinions, so please share.

302 views no replies? : /

Nothing here sounds necessarily illegal to me. You've probably already come across this, but just in case you haven't, it is not allowed by the credit card companies to store the 3 (or 4) digit card security code (CSC) located on the back of credit cards and required for card not present transactions....but like you said, you don't like the idea of storing the info anyway.

I don't think I could get any of my clients enough insurance in the world to feel safe in doing such a project (but that's just me).

The only thing that comes to mind is that PayPal offers an option called DoReferenceTransaction where basically you just need a transaction id from a previously valid transaction performed by the client (like one performed at signup) and you can just reference that transaction number and pass in new transaction information and the client will be charged, all without ever having to re-enter their credit card details.

Takes a lot of scrutinizing and about a year (from what I've read) for PayPal to enable this feature on your account, however.

Good luck with your project.

I'm glad aj_nsc gave this one a shot.

From this it sounds like you have a level head on your shoulders:
Despite this, if the site was to be hosted on a dedicated server with an SSL certificate and a database that stored this information with encryption,

I don't even touch CC info- if you ask me that's nothing but trouble.

Not that it's much to add but there is a program mysql_secure_installation that will cover some of the very basic requirements.

Consider setting up SSL on mysql also (even if it's just 1 hop away). Lots of nifty attacks exist out there w/ HPING3.

I don't even touch CC info- if you ask me that's nothing but trouble.

but like you said, you don't like the idea of storing the info anyway.

I don't think I could get any of my clients enough insurance in the world to feel safe in doing such a project (but that's just me).

I'm very skeptical about this and sure lot's of people will have some strong opinions, so please share.

Trust your initial misgivings!

As badcode and aj_nsc said, I would also have severe issues in doing such a thing.

Everything screams to me "run and dont look back" especially when the client wants it to remain "secret" ... That isnt feasible, there are no secret IT systems :p! Also from a customer standpoint, they want to know exactly how their data is being used and stored.




Dont get me wrong, there are legitmate reasons for storing financial data such as CC records, but from your description of the situation, I dont like the sound of this venture one bit!




The true question is, are they paying you enough, can you waive liability to a certain extend and do you or the company have liability insurance in place?