How to properly charge credit cards?

I’m building an app that needs to charge credit cards. I read the
tutorial in the advanced rails recipes book. They have you set up a
separate application called “card_server” that handles storing and
charging credit cards. I already have it set up and it seems like kind
of a burden. Is it really necessary to set it up as a separate
application? What is wrong with integrating all of that right into my
own application? I guess I’m confused as to why they guided me to set up
a completely separate application for that. Any help on this would be
greatly appreciated. Thanks!

On 16 Aug 2008, at 16:56, Ben J. wrote:

You need to be careful with credit card data (and there are often
fairly strict requirements about how it’s kept and so on).
It’s far easier to isolate the part that deals with the sensitive data
and lock that down than to do the same thing to your whole app.

You want the part handling cards to have the smallest vulnerability
profile possible and a good way to do that is to separate it
completely from your application. While a mistake that made your app
leak data or allowed unauthorised access would be bad, it would be
even worse if you leaked credit card data.

Fred

I’m guessing you can’t use PayPal for this? Yeah, there are certain
rules and a lot of red tape you need to go through. I don’t know the
details though.

On Sat, Aug 16, 2008 at 11:56 PM, Ben J.
[email protected] wrote:

Ramon T.

Thanks for everyone’s help. This software is unique in that I have to
accommodate return business, because most of our business will be return
business. I don’t want to make the customer enter their CC info every
time they checkout. Amazon, Target, etc. store credit cards.

Our company has a cabinet in a data center with 5 servers, so I have the
infrastructure. I was just trying to figure out why all of it needed to
be separated out into another app. To me, if someone compromises our
server they can figure out a way to get the CC info. Separating it out
is just another hurdle to jump, but doesn’t really stop them. I feel
like I am just setting up a lot of hurdles but nothing is really fool
proof.

On Sat, Aug 16, 2008 at 8:56 AM, Ben J.
[email protected] wrote:

I’m building an app that needs to charge credit cards. I read the
tutorial in the advanced rails recipes book. They have you set up a
separate application called “card_server” that handles storing and
charging credit cards.

Unless you have a lot of experience in this area, and resources/$$
to spend on infrastructure, I wouldn’t recommend “storing” credit card
info, period.

To just process credit cards you need a merchant account plus an
account with an authorization gateway (e.g. Authorize.Net). That’s
not too hard to set up. The Authorize.Net API is well documented, at
least; can’t speak to other providers.

HTH,

Hassan S. ------------------------ [email protected]

On Sat, Aug 16, 2008 at 12:31 PM, Ben J.
[email protected] wrote:

Thanks for everyone’s help. This software is unique in that I have to
accommodate return business, because most of our business will be return
business.

Uh, hardly unique. And you don’t necessarily have to store card data
to handle return business. One example:

http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/

Amazon, Target, etc. store credit cards.

And if so they’ve spent lots of bucks, to make sure their systems are as
secure as possible (and meet the card-issuing companies’ very stringent
requirements – which you’d better be aware of before heading down this
road!).

Our company has a cabinet in a data center with 5 servers, so I have the
infrastructure.

I was talking about full-time security people, multiple firewalls, etc.;
“5 servers in a data center” ain’t it. :)

Good luck, though. Hope not to see you in the headlines :)


Hassan S. ------------------------ [email protected]

Use Authorize.net CIM to store the card info and get back a token you
can use for future billing. Use the ActiveMerchant library to talk to
the gateway. You don’t need a separate app.


Benjamin C.
http://railskits.com/ - Ready-made Rails code
http://catchthebest.com/ - Team-powered recruiting
http://www.bencurtis.com/ - Personal blog
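The token-only pattern Hassan and Benjamin describe, as an added example that is not from this thread and not ActiveMerchant's API: the gateway class is a constructed stand-in for a tokenizing service such as Authorize.net CIM, and the app-side record refuses to hold anything that looks like a full card number, so a compromise of the app's database yields only tokens and last-four digits.

```ruby
require 'securerandom'

# Constructed stand-in for a tokenizing gateway (not the ActiveMerchant API).
# It is the only component that ever sees the full card number, and it keeps
# that number outside the application's own database.
class FakeVaultGateway
  def initialize
    @vault = {} # token => card data; lives at the gateway, not in the app
  end

  # Vault the card and return a token plus the display-safe fields the app
  # may keep for a returning customer (no PAN, no CVV).
  def store(number:, month:, year:, cvv: nil)
    raise ArgumentError, 'invalid card number' unless luhn_valid?(number)
    token = SecureRandom.hex(16)
    @vault[token] = { number: number, month: month, year: year }
    { token: token, last4: number[-4, 4], month: month, year: year }
  end

  # Charge by token: the app never supplies the card number again.
  def charge(token, cents)
    card = @vault.fetch(token) { raise KeyError, 'unknown token' }
    { success: true, amount: cents, last4: card[:number][-4, 4] }
  end

  private

  # Luhn check: reject typos before anything reaches the vault.
  def luhn_valid?(number)
    digits = number.to_s.delete(' ').chars.map(&:to_i)
    return false unless (13..19).cover?(digits.size)
    sum = digits.reverse.each_with_index.sum do |d, i|
      i.odd? ? (d * 2).divmod(10).sum : d
    end
    (sum % 10).zero?
  end
end

# Shape of what the application persists: a token and display fields only.
PAN_PATTERN = /\A\d{13,19}\z/

class StoredCard
  attr_reader :token, :last4, :month, :year

  def initialize(token:, last4:, month:, year:)
    # Guard against a bug that passes the PAN where the token belongs.
    raise 'refusing to store a full card number' if token.match?(PAN_PATTERN)
    @token, @last4, @month, @year = token, last4, month, year
  end
end
```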

On Sat, Aug 16, 2008 at 12:31 PM, Ben J. <

Ditto everything Hassan says, particularly the “5 servers” and
“headlines” part.

You may also want to take a look at Active Merchant -
http://www.activemerchant.org/

– Bosco

On Aug 16, 1:07 pm, “Hassan S.” [email protected]

Ben,

Go with Hassan’s and Benjamin’s suggestions. I work in the credit card
industry and the liabilities are just too high to risk…

Cheers, Sazima

On Aug 17, 11:47 am, Bharat R. [email protected]

Ben,
You may want to look at the ActiveMerchant PDF published by PeepCode. I
found it to be the best and most detailed discussion of credit card
payment handling.
http://www.peepcode.com
Hope this helps.
Bharat