How do I use secure content from a form on an SSL page?

I've looked through a lot of posts and don't believe this question is there, but basically I have a client that wants to take credit card details for a service...and this is my first time working with an SSL certificate.

We don't need SSL across the whole site, but the idea is that once I have installed the certificate we want a secure page with a form for the end customer to enter their details. Once they press Submit the idea was to take them to another secure page to enter their credit card details (or I guess it could all be on the one page).

1. How do I make the individual pages secure (i.e. http://....)?
2. How do I secure/encrypt the form contents?
3. How does the customer then get the contents and decrypt them?
4. And finally, am I on the right track?

If this is actually a general security question rather than a C5 question my apologies, but if someone could at least point me in the right direction I would appreciate it. Thanks.

BrettDashwood
 
jordanlev replied:
You can use this addon to force a page to be SSL: http://www.concrete5.org/marketplace/addons/force-ssl/...

That being said, you should absolutely not under any circumstances be receiving and storing credit card info on your website, or transmitting it to your client! If you're in the USA, the credit card companies require that you are PCI compliant. If you don't know what that means, then you are definitely not compliant, and will not be able to become compliant without an incredible amount of effort and expense. If you do know what that means, then I'm surprised you're asking these questions in the first place (although it's possible I'm misunderstanding you).

Look into things like Stripe, Authorize.net, PayPal... these are services that handle the credit card processing for you. There are lots more as well, and they each have a different trade-off of "out-of-the-box functionality that is not very customizable" versus "very customizable but requires a lot of work to set up".

Don't do it yourself though... you will be exposing you and your client to an incredible amount of risk and liability.

Best of luck,
Jordan

BrettDashwood replied:
Sorry Jordan, I realised that I had a system crash when I was replying to your reply, so am only doing so now. Thank you for your quick reply.

I'm in Australia and yes I know about PCI DSS, I guess I was just trying to work out a simple way of keeping personal and credit card details separate without going down the full e-commerce route (i.e. the separate pages), however your comments make me realise how stupid my thoughts were ;-)

I had already told the client we would need to implement through PayPal - which I told them could do credit cards as well as PayPal account holders - they just didn't like the extra few percent.

Your link to the force SSL page add-on is great, thank you, and I've also found another add-on that I think will work well, Forms With PayPal / Credit Card Payment http://www.concrete5.org/marketplace/addons/forms-with-paypal-payme... which has a standard looking C5 form (like I was originally thinking of implementing) but then takes it to PayPal for the actual payment process. I'm thinking I will get this, force SSL for the form entry page and we should be good.

Any immediate dramas you can see?

Cheers,
Brett...

jordanlev replied:
Hi Brett,
Apologies for the delay (been a busy holiday season here in the States). The approach you described sounds good to me (my company uses this approach for simple situations as well, sometimes with the "Advanced Forms" addon, which has the similar "paypal button" feature). The only downside is it limits your ability to customize the UX. Of course, going the other route (building it all yourself) is incredibly time-consuming and so you need to present the tradeoffs to your client and let them decide. It is possible to craft a completely customized payment workflow while still utilizing another service for credit card processing (e.g. Authorize.net here in the States... not sure what you have over there in Australia), but even those services will extract a percentage of every payment. It's an unavoidable cost of doing business online.

Best of luck,
Jordan

BrettDashwood replied:
Thanks again Jordan. I think I like the Advanced Forms option even more. Because of the amount of information that will need to be entered by the visitor, I will still get the customer to get an SSL certificate.