Accept Credit Cards / PayPal on Website for Delayed Processing
I'm trying to set up a basic system on my site to accept credit cards for delayed processing. What I will be doing is collecting a bunch of orders/credit cards for a group of people, then after a certain period I will need to process those cards and make the charge.
This is so that a group of people can individually place their order knowing that their card will be processed in X number of days once everyone has placed their order from the group.
My question is what would be the best way to go about doing this? I want to ensure I am accepting Visa/MasterCard/American Express and possibly Discover Card. Also, with this system would it be possible to accept PayPal information so that I could then process that instead of a credit card for their PayPal account?
Also, what is the best way to store these credit cards? Obviously a secure DB and a page that uses SSL for submitting their order, but what all do I need to accept? Obviously card number, CVV, Expiration Month, Expiration Year; can this all be normalized in a database? And what would you recommend for encrypting/decrypting these cards? I will need to decrypt them for processing later on.
Any advice on any of my questions would be great.
More posts by @Reiling115
5 Comments
Not sure why this very old question got bumped, but if someone stumbles on this question I'll add something that didn't exist at the time but can be quite useful.
For those looking to do this who haven't yet picked a credit card processor, you might look into using Stripe.
Their (extensive, well documented) APIs allow you to store credit card details on their platform, without the data ever going through yours (so this avoids all the PCI DSS security audit requirements), but with the credit card input still being completely integrated in your website.
Stripe then returns a token for the card (or customer, as you can store multiple cards for a single customer), and you can then use it whenever you need to process a charge.
Use a service like Authorize.Net's Customer Information Manager. It is designed to do exactly what you want. It stores the credit card information for you as a customer profile. You then refer to that profile to make future purchases without needing the customer's credit card information again.
Here's the problem with doing something like this. You can't charge the person's card up front...so you <> hold onto it...maybe by an authorization, maybe via using a card company to do a save, but definitely not on your own server....anyways, the person goes to finalize the purchase days later and just happened to buy a new PC, which wipes their credit limit down to . Now what? They're short of a hypothetical 0 purchase that the system allowed them to make several days ago. Not a good UI event.
My company deals with re-bills on a daily basis. They stink. Both from a programming side of things and customer service standpoint. I can't tell you how many times we've heard "I didn't authorize that..." Oh, but the fine print says you did!
PayPal could work for this delayed method. But from so many different points of view, I wouldn't touch a delayed transaction with a payment processor like PayFlow.
Avoid storing credit card data if at all possible. There are a whole load of legal issues surrounding it (e.g. there is almost no situation in which you can store the CVV), and you open yourself up to liability if your site ever gets hacked.
If you have to go down this route, to start with you should familiarise yourself with PCI DSS, which is the standard for storing card data (and a legal requirement here in the UK at least). You will also need to check with your host to ensure they are PCI compliant (i.e. they have the necessary levels of physical security protecting the servers where this data will be stored).
Some payment gateways offer a kind of authorise-now-pay-later feature, where you submit the card details and amount to them and they send back a unique token that you can safely store. You then resubmit this token at a later date if and when you want to perform the transaction. This way you can still offer your delayed payment but without having to store any sensitive data yourself, so this is what I'd recommend looking into.
Edit: I believe Authorize.net is a big US gateway - with their 'Advanced Integration' API they have an Authorization only mode which does what I describe above, although the token only lasts for a maximum of 30 days. So perhaps this might work for you.
The short answer on storing credit card details: DON'T
See Storing credit card details for a good discussion.
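The answers above recommend keeping only the gateway's token and never the card number or CVV. The check below enforces that before an order row is written. It is an added example, not code from any poster or payment provider; the field names and sample records are assumptions constructed for illustration.

```python
import re

# Assumed column names for an order row that holds only tokenized card data.
ALLOWED_FIELDS = {"order_id", "gateway_token", "card_brand", "last4",
                  "exp_month", "exp_year", "amount_cents", "charge_after"}
# Field names that must never reach the database.
FORBIDDEN_FIELDS = {"card_number", "pan", "cvv", "cvc", "cvv2", "track_data"}
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value):
    """Return True if the value embeds something that looks like a card number."""
    for match in PAN_CANDIDATE.finditer(str(value)):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def validate_order_record(record):
    """Return a list of problems; an empty list means the row is safe to store."""
    problems = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            problems.append(f"{key}: forbidden field")
        elif key not in ALLOWED_FIELDS:
            problems.append(f"{key}: not in allow-list")
        if contains_pan(value):
            problems.append(f"{key}: value looks like a card number")
    return problems

# Constructed sample rows (the token is made up; card numbers are public test numbers).
GOOD = {"order_id": "ORD-1001", "gateway_token": "tok_constructed_123",
        "card_brand": "visa", "last4": "4242", "exp_month": 1,
        "exp_year": 2030, "amount_cents": 2500, "charge_after": "2030-01-15"}
BAD = {"order_id": "ORD-1002", "card_number": "4242 4242 4242 4242",
       "cvv": "123", "notes": "card 4111111111111111 given by phone"}

if __name__ == "__main__":
    for row in (GOOD, BAD):
        print(row["order_id"], validate_order_record(row) or "ok")
```

Running the same check over log lines and free-text fields catches card numbers that leak in outside the payment form.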