Securely Processing Credit Cards in FP

Michelle

I have a Website that accepts Credit Card payments and I want to avoid the
numbers from being stolen Online. Can anybody please describe how to create
the form so that Credit Card numbers on the confirmation page appear as ****
**** **** 1234 instead of 1234 2345 3456 4567, but show the correct numbers
to me after the numbers are submitted for processing?
 
Jens Peter Karlsen[FP MVP]

You should not do that. The confirmation page shows the user what he
submitted and only him/her. Remember that the confirmation is not
available for others to see as it is generated each time the form is
submitted. Once you navigate away from it or close the browser, it is
gone unless the user chose to print or save it on his/her own computer.
There is no additional security here.
Where security does come in is in how you store the entered number on
the Server and security of the database there.

Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.
 
clintonG

The HTML Form input element accepts the type="password" attribute which will
display **** characters to mask the input of whatever is typed into the
textbox. What is sent between pages should be encrypted by SSL. The credit
card numbers stored in the database should be encrypted and decrypted as
required which is not done by SSL. Code needs to be written to do so. Any
confirmation page should never display the credit card number to anybody.
The user who conducted the sale already knows their credit card number. Only
display the last four digits as you surmise.

To actually display what you want requires scripting. The card number is
captured when it is first entered into the form and all but the last digits
are converted to star characters and the whole string of characters is
stored in a session variable so it can be accessed and displayed in a
confirmation page (who knows how many pages later). That will prevent
'shoulder surfing.' To encrypt and decrypt the card numbers stored in a
database requires additional coding.
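
The masking step described in the post above, shown as an added example that is not part of the original thread. It is server-side JavaScript; the function names, the `session` object and the `cardNumber` form field are assumptions, and the card number used is a constructed test value.

```javascript
// Added example: mask a card number on the server before it reaches the session.
// Function names and the session/form object shapes are assumptions.

// Strip the spaces and dashes users type; accept only 13-19 digits.
function normalizePan(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) {
    throw new Error("not a card number");
  }
  return digits;
}

// Luhn checksum: catches typos before the number is sent for processing.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace everything except the last four digits with stars, grouped in fours.
function maskPan(input) {
  const digits = normalizePan(input);
  const stars = "*".repeat(digits.length - 4).match(/.{1,4}/g).join(" ");
  return stars + " " + digits.slice(-4);
}

// Form handler: the session keeps only the masked string, never the full number.
function handleCardForm(session, form) {
  const digits = normalizePan(form.cardNumber);
  if (!passesLuhn(digits)) {
    return { ok: false, error: "Card number failed checksum" };
  }
  session.cardDisplay = maskPan(digits);
  return { ok: true, pan: digits }; // pass pan to the processor call, then discard
}

// Confirmation page, possibly several pages later, reads only the session value.
function renderConfirmation(session) {
  return "Paid with card " + session.cardDisplay;
}
```

Because only the masked string is written to the session, a later page or a leaked session store cannot reveal the full number.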
 
JBL

As someone who has seen enough identity theft in the world, please do not
attempt to process credit card transactions on your own. There are plenty of
services that will do it on the cheap, for example PayPal. They will just
charge a nominal fee for each payment received.
 
clintonG

You make a good point and while we may be on the same page we are not in the
same paragraph. Nobody is talking about the payment processor -- yet -- and
for the record I use PayPal myself but only because e-commerce is not my
primary business service. I do not recommend PayPal to anybody who is
conducting e-commerce as their primary business service. We are discussing
the confirmation page which if I am not mistaken continues to remain FU when
using PayPal.

BTW -- I've written payment processor interfaces from scratch (Ticket Master
of Canada) and customized many others. One of the secrets of e-commerce
success is actually no secret at all. That is, a smooth and unhindered
trouble-free consistent experience from the buy button to the confirmation
page is what works best. PayPal interrupts that process or did last time I
looked. Maybe their new web services obviate the need for their
interruptions but I doubt it. Would you know?

--
<%= Clinton Gallagher
METROmilwaukee "Regional Information Services"
NET csgallagher AT metromilwaukee.com
URL http://clintongallagher.metromilwaukee.com/
 
