
Credit Card Processing via Web (PHP/MySQL/ODBC)


This topic is 7238 days old. Please don't post here. Open a new topic instead.


Posted

Howdy! My University department handles registration for new student orientation for which we charge a fee to cover accommodations, meals, etc. In the past, we have required paper forms be mailed to us with checks/credit card numbers, but we are going to offer online registration this year.

* We use a medium/complicated FM relational db for program registration.

* We will probably have a security certificate and merchant account just for this program.

* The University has a gateway/bank for us to use.

* The University will probably require us to use PHP/MySQL for the financial transaction.

* I am competent with CDML with some PHP/MySQL experience.

* I know some Unix and am acquainted with Apache, PHP, MySQL, phpMyAdmin, PostFix, Mailman, SquirrelMail, etc. from the command line, but I am NOT familiar with SSL or ODBC.

* An ASP/SQL developer may assist us.

Q: If we use PHP/MySQL to handle the financial side, would I use ODBC to periodically synchronize?

Q: How difficult would it be to use PHP/FM with payment gateways instead?

Q: Can we split registration into 2 parts: user data and financial, and somehow pass info between them?

Q: How dangerous is it to store CCNs?

Q: Is SSL easy to implement, i.e. is it just a matter of adding a few lines of code here and there?

Any suggestions, tips, experiences, answers, or even more questions would be appreciated! References to good sources of info on these topics would be helpful, too.

Thanxalot!

--ST

  • 4 weeks later...
Posted

Here's a couple of my thoughts on this thread:

First, if at all possible, I would NOT store any user's CC numbers (or any other sensitive data such as SSNs) - it is just inviting way too much liability for you, the developer and your client (employer) - and it would probably invite hackers to your server just to see if they can get that data.

As far as credit card transactions, I recommend contracting with a major financial company or credit card company to handle that part of your transaction for you. I know that Bank of America has a system where your web transaction creates and sends a transaction number and amount to their website. Then the user is directed to a secure page to complete the CC transaction that is made to look like part of your process. When the transaction is finished, they send back the transaction approval data, which I understand can be in one of several formats, even an email.

Just from a liability and 'peace of mind' issue, I would think that this would be an easy sell to the university and worth the extra cost, which could even be added to the price of the online transaction.

We have several web applications running in FMP. Our stance has always been that any data stored on an external web (FileMaker) server is vulnerable and is thus disposable, although very little data we collect would be considered sensitive. We do collect addresses, phone numbers and email addresses that we protect in the same way we would something like CC data or SSNs. So any data that needs to be saved/stored/protected is moved to an internal server as soon as possible. Any sensitive data collected on the external server is deleted once it is moved internal. One advantage to this is that (it hasn't happened yet) if the external server is hacked, or dies, it is a fairly easy and quick process to wipe and reinstall the server, copy clones of the FM files, import the datasets from the internal servers and we're back in business.

Your question about SSL: we are just now trying to set up an HTTPS server (IIS) and have found that things have to be exactly right or else the secure server doesn't work or is not secure. My advice is if you don't have an in-house expert and it's in your budget, hire a consultant that knows how.

...just my ramblings...
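
The hosted-payment flow described in the post above (send a transaction number and amount, let the processor collect the card, accept the approval data back), shown as an added PHP example that is not part of the original post and is not any bank's actual API. The gateway URL, field names, shared secret and HMAC-SHA256 signing scheme are assumptions; the point is that the registration server never sees or stores a card number and only marks a registration paid after checking the returned data.

```php
<?php
declare(strict_types=1);

// Assumed values: a real gateway documents its own URL, fields and signing.
const GATEWAY_SECRET = 'constructed-demo-secret';
const GATEWAY_URL    = 'https://gateway.example/pay';

// HMAC over the sorted fields so neither side can alter them unnoticed.
function sign(array $fields): string {
    ksort($fields);
    return hash_hmac('sha256', http_build_query($fields), GATEWAY_SECRET);
}

// Step 1: the registration site sends only a transaction number and amount.
function build_redirect(string $txnId, int $amountCents): string {
    $fields = ['txn' => $txnId, 'amount' => $amountCents];
    $fields['sig'] = sign($fields);
    return GATEWAY_URL . '?' . http_build_query($fields);
}

// Step 2: the gateway returns approval data; verify it before marking paid.
// $pending maps our transaction numbers to the amount we expect, in cents.
function verify_callback(array $post, array $pending): bool {
    $sig = $post['sig'] ?? '';
    unset($post['sig']);
    if (!is_string($sig) || !hash_equals(sign($post), $sig)) {
        return false;                       // forged or altered message
    }
    $txn = $post['txn'] ?? '';
    return is_string($txn)
        && isset($pending[$txn])            // a transaction we issued
        && (int)($post['amount'] ?? -1) === $pending[$txn]  // correct amount
        && ($post['status'] ?? '') === 'approved';
}

// Constructed sample data: one pending registration for 150.00.
$pending = ['ORIENT-0001' => 15000];
echo build_redirect('ORIENT-0001', 15000), "\n";

$callback = ['txn' => 'ORIENT-0001', 'amount' => '15000', 'status' => 'approved'];
$callback['sig'] = sign($callback);
var_dump(verify_callback($callback, $pending));   // genuine approval

$callback['amount'] = '100';                      // amount changed in transit
var_dump(verify_callback($callback, $pending));   // rejected: signature fails
```

Only the transaction number, amount and approval status need to be written to the registration database (FileMaker or MySQL); the card number stays with the processor.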

  • 3 weeks later...
Posted

Thanx for the info, D!

I would've thought my university would have something in place already that any campus department would be able to use since students have to pay for a lot of things, but everyone here seems to be handling it themselves like a bunch of small businesses. I just wanted to know they've paid the correct amount before registering them for the program. Ah, well...

Recently, I have been informed that our campus Cashier's Office will be starting development on something like this very soon, but it will not be available for an unknown amount of time. It was decided not to wait so we got a developer aboard now who will handle the backend and work with me on integrating it with FileMaker.

Thanxagain!

--ST
