
Thread: Storing customers Card or bank account details.

  1. #1
    Join Date
    May 2011
    Posts
    3

    Storing customers Card or bank account details.

    Hello, I'm new here. I'm a developer and run my own web development and design company. Hello everyone. I hope I have the right forum for this; I had a look around and this seemed to be the most fitting.

    I have recently agreed to perform research into the feasibility of a very large website for a client. To cut to the chase, in order for it to do what the client requires, I believe it will need to store customer payment details on the website, such as card details or bank account numbers. Firstly I was very skeptical, and now after reading up a lot of information I have come to the conclusion this should not be done. Despite this, if the site was to be hosted on a dedicated server with an SSL certificate and a database that stored this information with encryption, would it be possible and worth creating it from a security and legal point of view? I'm still very skeptical.

    Now this next bit may sound a bit weird, but I'm afraid the client's idea is to remain secret. Just bear with it. Now the reason I believe storing the payment information on our own server is the only way to achieve what they want is that this information, only at the client's request, will be entered on different websites and a monthly direct debit will be set up from the client's account to the other sites. The amount, what company etc. will all be at the client's discretion; we will just streamline the signup process.

    Is there a third party system that already exists that could take the clients' payment details, store them securely, then allow access to them in order for us to sign them up to other sites?

    Is this legal? Should this be done?

    I'm very skeptical about this and sure lots of people will have some strong opinions, so please share.

  2. #2
    Join Date
    May 2011
    Posts
    3
    302 views no replies? : /

  3. #3
    Join Date
    Dec 2005
    Posts
    2,984
    Nothing here sounds necessarily illegal to me. You've probably already come across this, but just in case you haven't, it is not allowed by the credit card companies to store the 3 (or 4) digit card security code (CSC) located on the back of credit cards and required for card not present transactions....but like you said, you don't like the idea of storing the info anyway.

    I don't think I could get any of my clients enough insurance in the world to feel safe in doing such a project (but that's just me).

    The only thing that comes to mind is that PayPal offers an option called DoReferenceTransaction where basically you just need a transaction id from a previously valid transaction performed by the client (like one performed at signup) and you can just reference that transaction number and pass in new transaction information and the client will be charged, all without ever having to re-enter their credit card details.

    Takes a lot of scrutinizing and about a year (from what I've read) for PayPal to enable this feature on your account, however.

    Good luck with your project.
    I've switched careers...
    I'm NO LONGER a scientist,
    but now a web developer...
    awesome.
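
Added example, not part of the original posts: a minimal Python sketch of the storage pattern discussed in reply #3, where the site keeps only a processor-issued reference id and the last four digits, and a pre-write check rejects any record that carries a security code or a Luhn-valid card number. The field names, the reference id format and the sample values are assumptions constructed for illustration; no payment-processor API is called.

```python
import re

# Field names are hypothetical; they illustrate the storage pattern only.
FORBIDDEN_FIELDS = {"csc", "cvv", "cvc", "cvv2", "cid"}
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """Detect a 13-19 digit run that is Luhn-valid, i.e. a likely full card number."""
    for match in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            return True
    return False


def make_customer_record(customer_id: str, reference_id: str, pan: str) -> dict:
    """Keep the processor's reference id and last four digits; the full number is dropped."""
    digits = re.sub(r"\D", "", pan)
    return {"customer_id": customer_id, "reference_id": reference_id, "last4": digits[-4:]}


def check_storable(record: dict) -> list:
    """Return the reasons, if any, that this record must not be written to the database."""
    problems = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            problems.append(f"{key}: security code must never be stored")
        elif contains_pan(str(value)):
            problems.append(f"{key}: looks like a full card number")
    return problems
```
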

  4. #4
    Join Date
    Jul 2010
    Location
    /ramdisk/
    Posts
    865
    I'm glad aj_nsc gave this one a shot.

    From this it sounds like you have a level head on your shoulders:
    Despite this, if the site was to be hosted on a dedicated server with an SSL certificate and a database that stored this information with encryption,
    I don't even touch CC info- if you ask me that's nothing but trouble.

    Not that it's much to add but there is a program mysql_secure_installation that will cover some of the very basic requirements.

    Consider setting up SSL on mysql also (even if it's just 1 hop away). Lots of nifty attacks exist out there w/ HPING3.
    I use (, ; : -) as I please- instead of learning the English language specification: I decided to learn Scheme and Java;

  5. #5
    Join Date
    Mar 2006
    Location
    Northern UK :((
    Posts
    668
    Quote Originally Posted by eval(BadCode) View Post
    I don't even touch CC info- if you ask me that's nothing but trouble.
    Quote Originally Posted by aj_nsc View Post
    but like you said, you don't like the idea of storing the info anyway.

    I don't think I could get any of my clients enough insurance in the world to feel safe in doing such a project (but that's just me).
    Quote Originally Posted by RefinedJam View Post
    I'm very skeptical about this and sure lots of people will have some strong opinions, so please share.
    Trust your initial misgivings!

    As badcode and aj_nsc said, I would also have severe issues in doing such a thing.

    Everything screams to me "run and don't look back", especially when the client wants it to remain "secret" ... That isn't feasible, there are no secret IT systems! Also from a customer standpoint, they want to know exactly how their data is being used and stored.

    Don't get me wrong, there are legitimate reasons for storing financial data such as CC records, but from your description of the situation, I don't like the sound of this venture one bit!

    The true question is, are they paying you enough, can you waive liability to a certain extent and do you or the company have liability insurance in place?
    99 little bugs in the code, 99 bugs in the code, fix one bug, compile it again ... 101 little bugs in the code

    An important petition, regarding your human rights:
    https://www.change.org/en-GB/petitio...r-both-genders
