credit card solution

pli · #1 10-11-2005, 03:08 AM

Thanks for reading this. Hopefully you maybe able to help

The situation:
Client is in accommodation industry. Has an enquiry form on their website.
Enquiry is made, and client gets back to the enquirer to confirm availability and requests confirmation of reservation. Requests CC details to confirm reservation with a link to a secure form. There is no amount involved, the cc details are used in a case of a no show, (these conditions are prominent on their site)

I have set up a private ssl to handle form where clients clients can be comfortable puting in cc information. Now comes the tricky bit.

The challenge:
Rather than the form just sending off an unsecure email with cc details to client, (I know, users would not be aware of this - but my client and I dont work that way) I want the email with cc details to be sent in a secure way from the form to the client.

I prefer not to set up a database to hold cc details for client to pick up via login for two reasons.
1. I dont have tech skills to do, or the budget to pay someone else to do it.
2. Legal repercussions could arise with such a database gets hacked with cc details still in there.

I am sure that some of you switched on resellers deal with this type of thing every day. Can you let me in on your secret how you resolve it?

thanks in anticipation
regards
Peter

JZ · #2 10-11-2005, 05:12 AM

You need to employ some type of encryption to accomplish this. You already secured the connection between the client and the server with SSL encryption, unfortunately, the email will be sent in clear text. I found this tutorial on a quick search (i am sure there are others) that explains using PHP to perform encryption on a form submission. This tutorial is dependent upon HG having PGP installed on the servers. You would have to email support@hostgator.com to find out if it is installed and where it is located for the script to access it.

JZ · #3 10-11-2005, 06:00 AM

I did a little more research and think that PGP may not be easily administered in a shared environment. There are other options though, Mcrypt libraries, for example allow for encryption and decryption of data. This is not part of the standard php distibution, so again, you would have to contact support to see if it is installed. The built in Crypt function would probably not be a viable option because it does not offer a way to decrypt the ciphertext once encrypted.

MachineDog · #4 10-11-2005, 07:15 AM

=o cPanel has it's own module for generating PGP keys and I'm pretty sure it's not so hard to use. I'll try it out later for myself..

JZ · #5 10-11-2005, 07:41 AM

Quote:

Originally Posted by MachineDog

=o cPanel has it's own module for generating PGP keys and I'm pretty sure it's not so hard to use. I'll try it out later for myself..

So it does! Forgot about that. That uses gnuPG which would work as well.

Serra · #6 10-11-2005, 11:36 AM

I wrote a script that uses cPanels gnuPG and Authorize.net to record and email credit card numbers back to me from the site.

Very secure as the CC number is not store any place and the email is 2048 bit encrypted.

I did have problems getting gnuPG to work, each account I set it up on, I had to contact support to get them to fix it so it would run.

I used winPT on my local system for storing and decrypting.

Serra · #7 10-11-2005, 11:44 AM

I also have a script data gathering that uses gnuPG to collect credit card data, but doesn't do payments.

pli · #8 10-11-2005, 01:03 PM

guys/gals -- thank you so much for your responses. They are well appreciated. Serra seems to have the solution I am looking for, and will follow up on that

Thanks so much again

Peter

lschaef · #9 05-08-2006, 03:39 PM

Sorry to bring back an old post

But, we are looking into doing the same basic thing and I'm curious if the original poster got this to work and any advice they might have.

My understanding is that we can create a set of GnuPG keys from the cPanel and then use the public key to send the e-mails out from a PHP script and the end user would need the private key to receive/read the e-mail.

Is it that simple?

Also, would this work without having an SSL set up? I'm looking at testing this before the SSL for the site is purchased/installed.

Thanks!

Serra · #10 05-08-2006, 05:15 PM

Quote:

Originally Posted by lschaef

Sorry to bring back an old post

But, we are looking into doing the same basic thing and I'm curious if the original poster got this to work and any advice they might have.

Yes, he got it to work just fine. Pli even set it up on some other account. It did take some work, his cPanel wouldn't generate gnuPG keys and support needed to fix it.

Quote:

Originally Posted by lschaef

My understanding is that we can create a set of GnuPG keys from the cPanel and then use the public key to send the e-mails out from a PHP script and the end user would need the private key to receive/read the e-mail.

That is correct. The data would be encrypted, so if the email went to the wrong location, no problem.

Quote:

Originally Posted by lschaef

Also, would this work without having an SSL set up? I'm looking at testing this before the SSL for the site is purchased/installed.

No, when the CC info is input, it is sent back to the host via the web, which is unsecure. You need an SSL, but they are cheap and you don't need a high quaility one.

Leeboy · #11 12-31-2006, 09:41 PM

Could anyone send me the script for PGP of GNP formMail? I am trying to do the same thing ...

Thanks in advance
Lee

Serra · #12 12-31-2006, 10:01 PM

http://business-php.com/opensource/g...rypt/test.phps

Leeboy · #13 12-31-2006, 10:50 PM

Thanks .... now I get this error ....

http://pro-webhosting.us/pgp/gpg_encrypt.php

Fatal error: Call to undefined function: gpg_encrypt() in /home/chapel/public_html/pgp/gpg_encrypt.php on line 50

Leeboy · #14 12-31-2006, 10:51 PM

An line 50 code is :

$gpg = gpg_encrypt("${message}", '/usr/bin/gpg' , '/home/.gnupg', '15BB4017');

Leeboy · #15 01-01-2007, 12:00 AM

Changed link to http://pro-webhosting.us/pgp/test3.php

Now getting ..
Warning: main(./gpg_encrypt.php) [function.main]: failed to open stream: No such file or directory in /home/chapel/public_html/pgp/test3.php on line 33

Fatal error: main() [function.require]: Failed opening required './gpg_encrypt.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/chapel/public_html/pgp/test3.php on line 33

Serra · #16 01-01-2007, 09:07 PM

Did you upload the include file?

Leeboy · #17 01-03-2007, 12:04 PM

Which file would that be ?

Sorry new at this .....

Serra · #18 01-03-2007, 01:15 PM

/gpg_encrypt.php

That file needs to be copied into your directory. It should be available where I pointed you...