Commerce Checkout System Confirmation Page
#1

[eluser]ACSparks[/eluser]
I am writing a commerce cart checkout system. The normal checkout procedure seems to be:

1. Enter Shipping Info (submit page)
2. Enter Credit Card Info (submit page)
3. Verify Info (submit and process credit card info entered on previous page)

I am concerned with the transition between steps 2 and 3. I really do not want to store any credit card information, but it appears that I will have to (at least temporarily).

What is the best way to handle the data storing and transition between pages? Session, temp store to DB? Should it be encrypted?

Thanks ahead for any input!
#2

[eluser]Glen Swinfield[/eluser]
Handling credit card details is not really something you should be doing unless you are absolutely 100% certain you know what you're doing.

You should probably be encrypting the data, and using secure http etc. But to be honest I'd leave credit card detail handling to a third party. Paypal, Worldpay etc. And concentrate on building a good app that collects all other less sensitive data and in a way that will make it integrate easily with third party systems.
#3

[eluser]ACSparks[/eluser]
I am using a payment gateway to handle the credit card processing. The issue is simply: what is the best/safest way to "remember" the sensitive data for the confirmation page.
#4

[eluser]Glen Swinfield[/eluser]
You don't need to remember any credit card details - how can you if the user has never given them to you?

The user in this case should only give their credit card details to the payment processor. The payment processor will send details back to you, along with an order ID or something so that you can record that that person has paid. Why would you use a secure payment processor to take payment but ask the user for their credit card details anyway?

I have never made a payment online - through PayPal for example, and then had the originating site come back to me with my full payment details.

As for remembering other data from one page to another use a session, or create a record in a DB table, encrypt it (if necessary) and store it there.

Use shttp when collecting personal data.

Quote:
1. Enter Shipping Info (submit page)
2. Enter Credit Card Info (submit page)
3. Verify Info (submit and process credit card info entered on previous page)

Should probably be:

1. Enter personal details (submit page - record details with order ref in DB)
2. Pass order ref (and product codes etc if needed) to payment processor (user enters CC details - payment is processed)
3. Payment processor passes order ref plus "Paid" back to you.
4. Mark your DB record as payment confirmed & send email confirmation (from DB record email and name)

;-)
#5

[eluser]Glen Swinfield[/eluser]
I meant to add:

If you are set on taking care of the whole process yourself and literally just making the payment through a third party it may be worth downloading OSCommerce (or at least the documentation) and having a look how they deal with it.
#6

[eluser]ACSparks[/eluser]
Thanks for the advice; I will check out the OSCommerce code.

I actually do need a very customized shopping cart/checkout system, which is why I need to collect the information. I am very familiar with SSL certs and security concerns, and was just wondering what the best practice would be to implement a checkout confirmation page.
#7

[eluser]Unknown[/eluser]
Most payment gateways will return information that you can base your confirmation page off of (e.g. approved, declined, transaction code, etc.). The best thing I could suggest is to find the gateway you would like to use, take a look at the API manual (if it is available without signing up for the service), and learn how to process the response codes. Many gateways will also allow you to create a test account on a test server when you're a developer, whether or not you actually use their live service, and simulate approved and declined transactions.

I hope this helps in some way...
#8

[eluser]obiron2[/eluser]
Don't forget to trap for page refresh / resubmit of the forms with CC payment request.

Smile
#9

[eluser]Unknown[/eluser]
The best way to process credit card payments would be through using a merchant account. I've been using cardservicesales.com to process my payments and it's worked great. You can also try paypal to accept payments.
#10

[eluser]Chop[/eluser]
While you should listen to the advice on these forums and educate yourself thoroughly on credit card processing, it sounds like what you are looking for is an AUTH with a delayed CAPTURE. Most credit card processing gateways allow you to specify the type of transaction. Most people new to credit card processing implementation go straight for AUTH-CAPTURE transactions. AUTH is the step in the process where the credit card company acknowledges that there are funds available to pay. CAPTURE is the process of actually transferring those funds. You wouldn't know it to look at most carts, but that is a two step process. In AUTH-CAPTURE transactions you submit the payment information to your gateway and things happen all at once.

In your case, where you want to show the page back to the user for confirmation - if you think about it, it would be a real pain if the user had mistyped their credit card info. You'd have to send them back to step two. The secret is to perform an AUTH in that step two. Your gateway should return back a transaction id if the CC information is correct. Then, the confirmation page simply submits that transaction number (or transaction id) with the CAPTURE command. See that? You took two steps and you didn't save any credit card info.

Of course the technical details of how to pull that off will differ a bit depending on who you're using, but that's the general idea. Hope it helps.
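
The AUTH-then-CAPTURE flow described in the post above, combined with the refresh/resubmit trap mentioned earlier in the thread, as an added example that is not part of the original thread. `FakeGateway` and its `authorize`/`capture` methods are a constructed stand-in, not any real gateway's API, and the session is modelled as a plain dict.

```python
import secrets

class FakeGateway:
    """Constructed in-memory stand-in for a payment gateway (hypothetical API)."""
    def __init__(self):
        self.txns = {}          # txn_id -> {"amount": int, "state": str}
        self.capture_calls = 0

    def authorize(self, card_number, expiry, cvv, amount_cents):
        # A real gateway checks the card with the issuer; here only its shape.
        if not (card_number.isdigit() and 13 <= len(card_number) <= 19):
            return None
        txn_id = secrets.token_hex(8)
        self.txns[txn_id] = {"amount": amount_cents, "state": "authorized"}
        return txn_id

    def capture(self, txn_id):
        self.capture_calls += 1
        txn = self.txns.get(txn_id)
        if txn is None or txn["state"] != "authorized":
            return False
        txn["state"] = "captured"
        return True


def submit_card(session, gateway, card_number, expiry, cvv, amount_cents):
    """Step 2: AUTH. Card data goes to the gateway and never into the session."""
    txn_id = gateway.authorize(card_number, expiry, cvv, amount_cents)
    if txn_id is None:
        return False            # re-show the card form; nothing was stored
    session["txn_id"] = txn_id
    session["card_last4"] = card_number[-4:]   # enough for the confirmation page
    session["amount_cents"] = amount_cents
    session["status"] = "authorized"
    return True


def confirm_order(session, gateway):
    """Step 3: CAPTURE by transaction id. Safe against refresh / resubmit."""
    if session.get("status") == "captured":
        return "already_captured"               # repeat POST: do not capture again
    if session.get("status") != "authorized":
        return "no_authorization"
    if not gateway.capture(session["txn_id"]):
        return "capture_failed"
    session["status"] = "captured"
    return "captured"
```

The confirmation page renders from `card_last4` and `amount_cents` only; the full card number, expiry and CVV exist in the application just for the duration of the `submit_card` call.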
