Credit card best practice

jordelver · March 9, 2007, 12:17pm

Hi,
I need to handle credit cards and would like some advice. I won’t be
storing
any credit card details for future payments but instead requiring the
customer to enter
their payment details each time they make a purchase. However, I’m
worried about
the temporary storage of the details whilst checking out.

My checkout asks for the payment details (credit card etc) and then goes
to the
review page before they click a final button to make the actual payment.
I’m
concerned about storing the credit card information for use on the
review page.
The customer can also go back to any part of the checkout and change
information as
needed, so I need to store this information until they finally click the
“pay”
button.

I am using database session storage with a cron job to clear out the
old sessions
but I’m worried about the credit card info being available until the
session
store is cleared out.

Shall I just ask for the credit card details on the review page? What
would be
safest?

Many thanks,
Jordan

jordelver · March 9, 2007, 3:24pm

The safest thing to do is just ask for the details on the review page
so that you never have to store them. Alternatively, you could use
TrustCommerce as a CC processor, since they have a feature (Citadel)
where they will store the CC info for you. It’s particularly handy
for recurring billing.

Remember, too, to use filter_parameter_logging to keep the sensitive
info from showing up in your logs.

–
Building an e-commerce site with Rails?
http://agilewebdevelopment.com/rails-ecommerce

Meet up at RailsConf:
http://railsconf2007.conferencemeetup.com/

jordelver · March 11, 2007, 8:13pm

The safest thing to do is just ask for the details on the review page so
that you never have to store them. Alternatively, you could use
TrustCommerce as a CC processor, since they have a feature (Citadel) where
they will store the CC info for you. It’s particularly handy for recurring
billing.

Yes, I’m going to do that. It’s just not worth the hassles otherwise.

Remember, too, to use filter_parameter_logging to keep the sensitive info
from showing up in your logs.

Thanks for the name, I was planning on using this but couldn’t
remember the name

Cheers,
Jordan