SSL Session Security
I am building an online store for my company. Customers are able to buy one of our products from our website, where we charge their credit card. We have purchased and installed an SSL cert on the server through our ISP. What I am wondering is that I store the credit card, expiration date and CVV code in a session variable to transfer to the script that sends the information to the merchant gateway. My question is, if all this is happening on the secure https pages, how much risk is there of session hijacking and someone getting a customer's CC information?
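The risk in the question is less about TLS itself and more about how the session ID and the staged card data are handled on the server. The following is an added example, not code from the original post: a stdlib-only Python session store showing the controls that limit what a stolen session ID can yield. The class and function names, the `SESSIONID` cookie name and the two TTL constants are assumptions for illustration; the cookie attributes (`Secure`, `HttpOnly`, `SameSite`) are standard. The card number and expiry are held only until the gateway call and are read exactly once; the CVV is deliberately never stored, since PCI DSS forbids retaining it after authorisation.

```python
# Added example (not from the original post): session-side controls that reduce
# the impact of session hijacking during a checkout that transits card data.
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 900        # seconds a session may stay idle (assumed value)
CARD_HANDOFF_TTL = 60    # seconds staged card data may live before it is discarded (assumed)


def session_cookie_header(session_id: str, name: str = "SESSIONID") -> str:
    """Build a Set-Cookie header for an HTTPS-only, script-inaccessible session cookie.

    Secure:        never sent over plain http://, so the ID is not leaked by a mixed-content page.
    HttpOnly:      not readable from JavaScript, so an XSS bug cannot read it directly.
    SameSite=Lax:  not attached to cross-site POSTs, limiting CSRF against the checkout.
    """
    return f"Set-Cookie: {name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class Session:
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session store with ID regeneration and a one-time card handoff."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so expiry can be tested offline
        self._sessions: dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG; not guessable
        now = self._clock()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def get(self, sid: str):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > SESSION_TTL:       # idle timeout: a captured ID goes stale quickly
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def regenerate(self, old_sid: str) -> str:
        """Issue a fresh ID when the session gains value (login, start of checkout).

        Anyone holding the old ID is cut off, because it no longer maps to a session.
        """
        s = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def stage_card(self, sid: str, number: str, expiry: str) -> None:
        """Hold the card number and expiry only until the gateway call; never the CVV.

        The CVV is passed straight from the request to the gateway and is not kept here,
        so a hijacked session cannot yield a complete card record.
        """
        s = self.get(sid)
        if s is None:
            raise KeyError("unknown or expired session")
        s.data["card"] = {"number": number, "expiry": expiry, "staged_at": self._clock()}

    def take_card(self, sid: str):
        """Return the staged card once and delete it; None if absent or too old."""
        s = self.get(sid)
        if s is None:
            return None
        card = s.data.pop("card", None)           # one-time read: second caller gets nothing
        if card is None:
            return None
        if self._clock() - card["staged_at"] > CARD_HANDOFF_TTL:
            return None                            # stale: discard and force re-entry
        return {"number": card["number"], "expiry": card["expiry"]}
```

Typical use is `sid = store.regenerate(sid)` at the moment the shopper enters checkout, `stage_card(...)` from the form handler, and `take_card(...)` from the script that calls the gateway, with the CVV forwarded directly from the request rather than through the store.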
If you are concerned about your legal liabilities if someone steals credit card and other personal information which you are responsible for storing securely, then another option could be to use PayPal to process your customers' online payments.
If you like, have a look at the info on how to integrate PayPal into your website at:
1) You can use your own customised shopping cart or Paypal's shopping cart.
2) When your visitor wants to checkout, the details in their shopping cart along with any other details you choose are sent to Paypal's secure online payment page where the shopper will have the option to use their credit card or paypal account to make their payment.
3) Paypal then handles the online payment and credits your Paypal account with the payment.
4) You have the option to customise the Paypal payment pages to include your company logo and background colours so that they maintain at least to some extent the look and feel of your website.
5) When the shopper has finished their online payment, you have the option to have Paypal send them back to a 'Thank You' or whatever page on your website.
I've integrated Paypal into some online stores I have built using my own shopping cart and the Paypal online payment option works well.
Using Paypal, you don't have to worry about storing shoppers' credit card details.
Anyway, just food for thought. :)