Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Safest way to pass credit card number through a multi-step form?

On step 3 I have a form which accepts a credit card, Step 4 re-prints the information including the last 4 digits of the credit card, and Step 5 I need to know the full CC # to process it and send it through my https connection to a 3rd party vendor - should I store it through hidden inputs or $_SESSION so I can access it in between the 3rd and 5th step?

FYI: My entire site is already https'd.

like image 823
meder omuraliev Avatar asked Feb 16 '10 23:02

meder omuraliev


2 Answers

Take the credit card number as the last step so you don't have to store it. There are many legal issues around storing that information.

like image 122
Chris Avatar answered Nov 07 '22 04:11

Chris


SSL won't protect data stored on disk. Additionally, PHP session data is stored by default in the file system under a temp directory with minimal permissions. So not only is the data stored in plain-text but also can be accessed by many different system users (depending on your web server configuration).

If you want to implement a multi-step checkout process I'd suggest doing some AJAX/Javascript magic on the browser side. You can collect the billing information using a series of DIVs that are hidden/collapsed and post the complete data set in one go, sending the CC data one-time to your server, which then relays the CC data to your payment processor.

like image 28
leepowers Avatar answered Nov 07 '22 02:11

leepowers