I am writing a booking system using a set of programs written in php, which creates html pages for viewing on a website.
I want to present the user with a form in which they will enter personal info including credit card. I understand that the page they see must have the name https://www.inv...... instead of http://www.inv...... . I know this is so that the info they enter will be encrypted. But how do I make this happen? I have no idea what to do. Is anyone familiar with this subject?
11 years
You have to buy a SSL certificate...your hosting company might already have this option, which is the easiest, but you can do it independently through other companies such as globalsign,digicert or verisign. The certificate will be matched to the domain name. More info here http://www.digicert.com/ssl.htm
Remember, you will also have to ensure the php code encrypts the card numbers using possibly PGP and doesn't send them or store them anywhere in the open.
11 years
Stuart: Thank you for your info and for the reference, which tell me vastly more than I had found out hitherto. Even so, the subject is clearly very complicated and substantially expensive. So I think I must first look to see if the facility I want is included in services that various companies offer, esp those which provide card readers. There is also a scheme run by Paypal which looks of interest.
Do I gather that the certificate would be set up to apply to just to a particular web address eg www.myhostel.com/booking.php , (which is what I want), and not to the whole site?
I am a complete beginner in this subject, and I do not know what PGP is.
11 years
No, it is linked to the domain name, so www.myhostel.com. But you can still have the rest of the site as normal, and then the booking part is linked to as https. Some companies, such as google, are moving to using https only..the issue used to be speed, but the hardware is better to support it these days.
PGP is for encryption. Obviously you cannot store credit card numbers in their normal form on the webserver as they could be hacked. And if you want the booking to be emailed to you, then you have to make sure the credit card number is either not included, or the email is fully encrypted. PGP is the tool that turns a normal piece of text into gobbledygook..which only you can decipher by using a passphrase. I remember it being quite a pain to set up, but it might be easier these days.
I agree that it is quite complicated to install yourself, particularly when you consider the PCI compliance rules the credit card companies have. I have previously done what you are trying to do, back in 2000, but these days I wouldn't consider it. At my last hostel I used Backpack Online, and that is what I would use again. That way the PCI stuff is mostly their responsibility.
Paypal is good, in that you don't need to bother with credit card numbers, but then you would either have to require prepayments, or just take a deposit with no way to charge for a no show. And they take a good percentage, between 2 and 3% probably, without the benefits you get from Hostelworld (ie listing on Hostelworld). I don't know how other credit card processing companies deal with the idea of a credit card guarantee, but I do know they are a hassle to set up, and usually charge a high monthly fee.
Of course, the other option is to not require a credit card guarantee, which would make the form much easier, but of course with many more no show possibilities.
Related Pages
Log in to join discussion