
I'm setting up a site to accept credit cards for the first time.

I'm using Drupal to manage products and store content, but that isn't important. I'd like to help build a community-generated list of platform-agnostic credit-card acceptance requirements.

I'm looking for a checklist of the things I need to have in place in order to accept credit cards safely and responsibly.

I've done a fair amount of research.

The question below is good, but it is focused on getting a merchant account and storing credit cards on site. I think most web developers and small to mid-sized organizations shouldn't need to do this: Payment Processors - What do I need to know if I want to accept credit cards on my website?

Here's what I think I need:

  1. Fixed IP address and SSL certificate (purchased through web host, pretty easy to do)
  2. Enable HTTPS on all cart and checkout pages (Drupal feature)
  3. Set up a relationship with a payment processor (Stripe, Authorize.net, Paypal Pro)
  4. Develop site to match payment processor API (for me, this means a Drupal module)
  5. Do test transactions
  6. Flip to live
  7. Do more test transactions

Is this really all there is to accepting credit cards? Am I missing anything?

SimplGy

2 Answers


At a minimum I would add some sort of real-time monitoring of key activities in your service. Failed password attempts, bogus URLs and URL parameters, transaction quantity/dollar amount, etc. These kinds of metrics can help you catch malicious behavior before it becomes a problem.

You also need to consider things like account security, how you store passwords (salted and hashed using BCrypt or something similar) and other personally identifiable information.

I would seriously reconsider storing credit card information at all. Even if you’re willing to comply with PCI-DSS (http://en.wikipedia.org/wiki/PCI_DSS) requirements it’s just much easier to use the checkout services provided by the processors.

The technical requirements are not terribly difficult. Staying out of the limelight due to a breach is much more difficult. I ran a company that processed thousands of transactions per day...it is possible but it requires a fair amount of continued attention to stay on top of the risk factors.

If you choose to proceed, I would invest in a couple of quality ethical hacks before you go live to make sure you didn't miss anything.

Good luck.

Baldy
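The real-time monitoring the answer above recommends can start very small. The following is an added example, not code from the answer or from any Drupal module: it replays constructed application log lines through a few threshold rules (failed logins per IP, suspicious URL parameters, order size and order velocity per user) and collects alerts. The log format, the field names (`ip=`, `user=`, `path=`, `amount=`) and every threshold are assumptions for the sake of the demonstration; a real deployment would feed the same rules from whatever the web server and the cart actually log.

```python
"""Threshold-based monitoring over web/app log lines (added example).

Assumed log format, constructed for this example:
    <ISO time> <event> key=value [key=value ...]
with events login_failed, request and order.  All thresholds are
assumptions; tune them to real traffic before relying on them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=5)
FAILED_LOGIN_LIMIT = 5        # failed logins from one IP inside WINDOW
MAX_ORDERS_PER_USER = 3       # orders by one user inside WINDOW
MAX_SINGLE_AMOUNT = 2000.00   # USD; larger single orders go to manual review
# Crude signatures of traversal / injection probes in the request path.
BOGUS_PARAM = re.compile(r"(\.\./|%2e%2e|<script|union\s+select|sleep\()", re.I)

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")), "event": m.group("event")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


class Monitor:
    def __init__(self):
        self.failed = defaultdict(deque)   # ip   -> timestamps of failed logins
        self.orders = defaultdict(deque)   # user -> timestamps of orders
        self.alerts = []                   # (rule, subject) pairs, in order raised

    @staticmethod
    def _prune(dq, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def feed(self, line):
        rec = parse_line(line)
        if rec is None:
            return
        now, event = rec["ts"], rec["event"]
        if event == "login_failed":
            dq = self.failed[rec["ip"]]
            dq.append(now)
            self._prune(dq, now)
            if len(dq) == FAILED_LOGIN_LIMIT:      # fire once, when the limit is reached
                self.alerts.append(("brute_force", rec["ip"]))
        elif event == "request":
            if BOGUS_PARAM.search(rec.get("path", "")):
                self.alerts.append(("bogus_url", rec["ip"]))
        elif event == "order":
            if float(rec.get("amount", "0")) > MAX_SINGLE_AMOUNT:
                self.alerts.append(("large_order", rec["user"]))
            dq = self.orders[rec["user"]]
            dq.append(now)
            self._prune(dq, now)
            if len(dq) == MAX_ORDERS_PER_USER + 1:  # fire once, on the first excess order
                self.alerts.append(("order_velocity", rec["user"]))


def run(log_text):
    """Replay a whole log and return the alerts it produced."""
    mon = Monitor()
    for line in log_text.splitlines():
        mon.feed(line)
    return mon.alerts


# Constructed sample log (documentation IP ranges, fictitious users).
SAMPLE_LOG = """\
2024-05-01T10:00:01 login_failed ip=203.0.113.7 user=admin
2024-05-01T10:00:02 login_failed ip=203.0.113.7 user=admin
2024-05-01T10:00:03 login_failed ip=203.0.113.7 user=admin
2024-05-01T10:00:04 login_failed ip=203.0.113.7 user=admin
2024-05-01T10:00:05 login_failed ip=203.0.113.7 user=root
2024-05-01T10:01:00 request ip=198.51.100.9 path=/cart?item=../../etc/passwd
2024-05-01T10:02:00 request ip=198.51.100.9 path=/product/42
2024-05-01T10:03:00 order ip=192.0.2.5 user=alice amount=49.99
2024-05-01T10:03:30 order ip=192.0.2.5 user=alice amount=49.99
2024-05-01T10:04:00 order ip=192.0.2.5 user=alice amount=49.99
2024-05-01T10:04:30 order ip=192.0.2.5 user=alice amount=2499.00
"""

if __name__ == "__main__":
    for rule, subject in run(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```

Replaying the sample raises four alerts: the fifth failed login from 203.0.113.7, the traversal probe from 198.51.100.9, and both a large order and a velocity breach for alice. The point is not the specific rules but that each one is cheap, runs on data the site already has, and produces something a person can act on before the chargebacks arrive.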

Essentially, what you state covers it. That said, Baldy's advice to beef up your security is on point -- you're doing transactions and that has privacy and security implications, so get things bolted down. As for holding the credit card data, odds are you will be working with a payment gateway who will round trip the user to their server and back to your site -- none of the credit card details will actually be kept on your site -- so don't do an end run on this protection by adding your own form (or modifying your user pages) that collects sensitive data.
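A practical way to make sure nobody does the end run the answer above warns about is to audit your own pages and logs for card data. The following is an added example, not code from the answer or from Drupal: one check walks checkout HTML for input fields whose names or `autocomplete` values suggest card data (with a hosted gateway there should be none), and the other scans submitted form data or log text for Luhn-valid digit runs of card-number length and reports them masked. The HTML, the log lines and the field-name heuristics are all constructed for the example; the test card number 4111111111111111 is the standard Luhn-valid placeholder, not a real card.

```python
"""Audit checks for card data that should never touch your own site (added example).

Assumptions (constructed for this example): card-collecting fields are
recognised by name/id/autocomplete heuristics, and a card number is any
13-19 digit run that passes the Luhn check.  A Luhn-valid hit in a log is
evidence that card data is being posted to, or echoed by, your own server
instead of the payment gateway's.
"""
import re
from html.parser import HTMLParser

CARD_FIELD = re.compile(
    r"(card.?num|ccnum|\bpan\b|cvv|cvc|csc|expir|exp_?(month|year|date))", re.I)
DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")   # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked (first 6 / last 4) card numbers found in text."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


class _FieldScanner(HTMLParser):
    """Collect form fields that look like they collect card data."""

    def __init__(self):
        super().__init__()
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        for key in ("name", "id", "autocomplete"):
            value = a.get(key) or ""
            # autocomplete="cc-*" is the HTML standard's own card-field marker
            if CARD_FIELD.search(value) or value.startswith("cc-"):
                self.flagged.append(a.get("name") or value)
                break


def card_fields(html):
    scanner = _FieldScanner()
    scanner.feed(html)
    return scanner.flagged


# Constructed checkout page that wrongly collects card data on-site.
CHECKOUT_HTML = """
<form action="/checkout" method="post">
  <input name="email" type="email">
  <input name="shipping_address">
  <input name="card_number" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv">
</form>
"""

# Constructed log: a gateway token (fine), a raw PAN (leak), a non-Luhn number.
SAMPLE_LOG = """\
POST /checkout user=alice order=100000000001 token=tok_example123
POST /checkout user=bob card_number=4111 1111 1111 1111 cvv=123
GET /product/4111111111111112
"""

if __name__ == "__main__":
    print("card fields on checkout page:", card_fields(CHECKOUT_HTML))
    print("card numbers in log:", find_pans(SAMPLE_LOG))
```

Running it flags `card_number`, `expiry` and `cvv` on the constructed page and finds one masked number, `411111******1111`, in the log; the 12-digit order ID and the Luhn-invalid path are ignored. Field-name matching is a heuristic, so review its hits by hand, and expect the Luhn test alone to accept roughly one in ten random digit runs of card length, which is why the log scan reports the masked value rather than acting on it automatically.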