Re: [Hampshire] Handling credit card details securely

Author: Alex
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Handling credit card details securely
On 11/6/07, Roger Munford <rogermunford@???> wrote:
>
> I would like to put the following scenario past you for comment because
> I do not want to inadvertently create risks.
>
> I have been doing some work for a company who deliver fresh food on a
> weekly basis. They use a payment gateway for credit card payments from
> a desktop system, strictly non-web. To avoid holding the credit card
> details on the desktop the credit card details are taken by phone and
> are sent immediately to the payment gateway via a small application that
> they supply. In return we get back a token that we can use whenever a
> payment is required. Below the surface the application is a SOAP client
> talking to a SOAP server.
>
> The company would like to take credit card details along with name and
> address etc from their hosted website when a new customer registers. The
> hosted website uses the LAMP stack, the P being PHP.
>
> I have written some PHP code to receive the customer details. The credit
> card details are sent off to the payment gateway via SOAP and a token
> returned. The token and the rest of the customer details are stored in a
> MySQL table until they are downloaded into the desktop during office
> hours.



It all looks pretty standard to me. The only thing you didn't mention is the
security on the wire between your PHP code and the SOAP server. How secure
is it? Is the SOAP server on a third party or hosted within the same
organisation?

Cheers,
--
Alex Collins
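
The flow described in the thread (card details sent to the gateway over SOAP, only the returned token stored) and the on-the-wire check asked about in the reply, as an added example that is not part of the original messages or the gateway supplier's code. The endpoint URL, the `urn:example-gateway` namespace, the `card_token` field and the sample form values are assumptions made up for illustration.

```php
<?php
// Added example. Gateway URL, namespace and field names are hypothetical.

// Refuse any gateway endpoint that is not HTTPS before a client is built.
function assertHttpsEndpoint(string $url): void {
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException('Gateway endpoint must be an https:// URL');
    }
}

// SOAP client that validates the gateway's certificate chain and host name.
function gatewayClient(string $endpoint, string $caBundle): SoapClient {
    assertHttpsEndpoint($endpoint);
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,   // check the chain against the CA bundle
        'verify_peer_name'  => true,   // check the certificate matches the host
        'allow_self_signed' => false,
        'cafile'            => $caBundle,
    ]]);
    // Non-WSDL mode: nothing is sent until a method is called.
    return new SoapClient(null, [
        'location'           => $endpoint,
        'uri'                => 'urn:example-gateway',  // hypothetical namespace
        'stream_context'     => $ctx,
        'exceptions'         => true,
        'connection_timeout' => 10,
    ]);
}

// Swap card details for a token and return the row that goes into MySQL.
// $tokenise wraps the real gateway call; the card number never reaches the row.
function registerCustomer(callable $tokenise, array $form): array {
    $token = $tokenise($form['pan'], $form['expiry']);
    unset($form['pan'], $form['expiry']);
    return $form + ['card_token' => $token];
}

// Offline demo with a constructed stand-in for the gateway and constructed input.
$fakeGateway = fn(string $pan, string $expiry): string => 'tok_constructed_0001';
$row = registerCustomer($fakeGateway, [
    'name' => 'A Customer', 'postcode' => 'SO00 0AA',
    'pan'  => '4111111111111111', 'expiry' => '12/30',   // constructed test values
]);
print_r($row);   // name, postcode and card_token only

try {
    assertHttpsEndpoint('http://gateway.example/soap');  // plain HTTP is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```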