General SSL help for online CC payment forms
Hi, just two quick things I'm looking for help with. :)
1) I would like to set up a secure ordering form for a client who has a merchant account and just needs to have CC numbers, etc. emailed to them. I know how to lay out a form, but I don't know how to use SSL for this stuff. Can someone point me to a Powweb tutorial or similar information?
2) I would like to offer some sort of credit card number validation in-line. Are there any good scripts for this?
Thanks!
SSL is just a way of accessing a normal web page where the exchange between the browser and the server is encrypted. On PowWeb, if your page would normally be http://example.com/form.html, you can make it SSL by using https://examplecom.secure.powweb.com/form.html instead.
Note that SSL does not protect the data once it gets to the server - the rest is up to you. It would be very bad to e-mail the credit card number unencrypted. Unfortunately, encrypting on the server and sending by e-mail to be decrypted by the client is tricky to do.
One solution, used by osCommerce, is to store part of the CC number in the database (which is password-protected) and send the other part by e-mail. The whole number is not in any one place and that minimizes the security risk.
Or you can use any of the online payment gateways which handle the transaction for you in a secure fashion (for a fee.)
The only validation you can do is the standard checksum that can help identify typos, but it does not actually check that the card is valid.
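An added example, not part of the thread: the standard checksum mentioned above is the Luhn algorithm, shown here as browser-side JavaScript for in-line form validation. The function names, the 12 to 19 digit length bound and the sample numbers are assumptions made for this illustration; the samples are constructed test values, not real cards.

```javascript
// Luhn checksum for in-form typo detection (added example).
// It says nothing about whether a card exists or can be charged.

// Accept the spaces and dashes people type; reject anything else.
// The 12-19 digit bound is an assumption of this example.
function normalizeCardNumber(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// From the rightmost digit, double every second digit, subtract 9
// from any result above 9, and require the total to be 0 mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Returns "malformed", "checksum-failed" or "checksum-ok".
function checkCardNumber(input) {
  const digits = normalizeCardNumber(input);
  if (digits === null) return "malformed";
  return luhnValid(digits) ? "checksum-ok" : "checksum-failed";
}

// Constructed samples showing what the checksum does and does not catch.
const SAMPLES = {
  wellFormed: "4111 1111 1111 1111",  // widely published test number
  oneDigitTypo: "4111 1111 1111 1112", // single wrong digit: caught
  missingDigit: "4111-1111-1111-111",  // dropped digit: caught here
  notNumeric: "4111 1111 1111 111x",   // rejected before the checksum
  // Swapping an adjacent 0 and 9 is the one transposition Luhn misses:
  original09: "4000000000000093",
  swapped90: "4000000000000903",
};
```

A "checksum-ok" result only means the digits are self-consistent, so the number still has to go to the payment processor, and the check itself should never log or store what was typed.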
Thanks for the help, Steve. I have a friend who has experience in this area and he's going to help me out. It looks like we are going to:
1. Connect to the form via SSL (thanks for the info)
2. Form data is stored in a database
3. Client logs in to a php frontend that generates PDFs containing form data
4. Client then charges credit card and emails gift certificate to customer.
Looks good. But I would be careful about storing all the CC info in the database. PowWeb's databases are password protected but that's not what I would consider adequate for this kind of information. I would also recommend removing the CC info from the database after the charge is processed, to reduce the exposure should the database be compromised.
Interesting, thanks for the tips. This has really been a learning experience for me.
tacimala
12-7-05, 12:44 PM
I would be interested in seeing a demo of your final product to see what you have come up with. Care to follow up with us once you've got this running?