I have a payment gateway api for BluePay. My application is in PHP. I am able to process a transaction with code similar to this:
bp->process(1111111111111111,.....) with 111111111111111 being the card number.
the process function posts the card number to bluepay s site using PHP s CURL wrappers.
How can I safely get a card number from the user?
where I substitute 111111111111111 with a variable that is filled in from the user.
You ll need to ensure that both receiving the card number (from the user) and sending the card number (to your gateway) is done over an SSL connection. I assume your gateway wouldn t allow it any other way, so that side of the transaction is * probably* already safe.
It s also important not to store the CC data anywhere, simply pass it onto the gateway.
So you need to purchase an SSL certificate for your web server, and make sure all sensitive information sent is encrypted (https://). You can generate the SSL certificate yourself, but that won t give your users a warm fuzzy secure feeling. It also wouldn t verify that your site is who it claims to be.
Give them a form over an encrypted connection?
You can get a cheap single domain SSL signed certificate at namecheap
In addition to this I would also recommend hashing the number before sending it. SSL is not perfect: Defeating SSL
Don t forget, if you are hosting a page which gathers credit card information, this system then becomes in-scope as far as the PCI-DSS (Payment Card Industry Data Security Standard) is concerned, which comes with a whole world of grief if you have to comply to it!
You may be better off using a hosted solution for your payments. i.e. the user is redirected to a page hosted on, say, Worldpay.com, to actually enter their card details, and then redirected back to your site afterwards.
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...
