Web Design Forum: Storing customers Card or bank account details. - Web Design Forum


Storing customers Card or bank account details.

#1 Jambo

Posted 20 May 2011 - 09:34 AM

I have recently agreed to perform research into the feasibility of a very large website project for a client. To cut to the chase, in order for it to do what the client requires I believe it will need to store customer payment details on the website, such as card details or bank account numbers. Firstly I was very skeptical, and now after reading up a lot of information I have come to the conclusion this should not be done. Despite this, if the site was to be hosted on a dedicated server with an SSL certificate and a database that stored this information with encryption, would it be possible and worth creating it from a security and legal point of view? I'm still very skeptical.

Now this next bit may sound a bit weird but I'm afraid the client's idea is to remain secret. Just bear with it. Now the reason I believe storing the payment information on our own server is the only way to achieve what they want is that this information, only at the client's request, will be entered on different websites and a monthly direct debit will be set up from the client's account to the other sites. The amount, what company, etc. will all be at the client's discretion; we will just streamline the signup process.

Is there a third party system that already exists that could take the client's payment details, store them securely, then allow access to them in order for us to sign them up to other sites?

Is this legal? Should this be done?

I'm very skeptical about this and sure lots of people will have some strong opinions, so please share.

#2 BlueDreamer

Posted 20 May 2011 - 10:00 AM

Many payment gateways offer this sort of service; the big advantage is that customers' card details are not stored on your server, making things much more secure.

#3 Spitfire

Posted 20 May 2011 - 10:37 AM

You're right to be sceptical. These days you'll need to conform to PCI DSS standards, so even having SSL and encryption isn't enough:
http://en.wikipedia....rd#Requirements

If you want my opinion, it's a lot more hassle than it's worth. Get a 3rd party (that's PCI DSS verified) to do it.

#4 Jambo

Posted 20 May 2011 - 12:37 PM

Thanks for the feedback. Could you recommend a 3rd party service that actually does this? I have looked around but have not found anything.

#5 BlueDreamer

Posted 20 May 2011 - 01:24 PM

Here's a few...

Worldpay - http://www.worldpay....=recurring&c=UK
Sagepay - http://www.sagepay.com/token-system
Secure Trading
- http://www.securetra...kenisation.html
- http://www.securetra...g-payments.html


#6 Jambo

Posted 21 May 2011 - 03:21 PM

Thanks for the links, I'll have a read, hopefully find a solution.

#7 Jambo

Posted 25 May 2011 - 07:36 AM

One question: if we were to only store bank account details, not card details, would this regulation not apply? Are there any other laws or regulations that would?

http://en.wikipedia....rd#Requirements

Obviously I understand from a technical standpoint the risks would be the same.

#8 Dx3webs

Posted 25 May 2011 - 10:32 AM

Hi there,

I would have thought that if you wish to store any kind of banking related information you would be wise to treat yourself as requiring type 4 compliance. Even if you are using a 3rd party gateway you will need type 1 compliance.

The best explanation of this I have seen so far is here:

http://www.crucialwe...pliant-hosting/

#9 ZetaPrints

Posted 31 May 2011 - 10:10 AM

Jambo, on 21 May 2011 - 03:21 PM, said:

"Thanks for the links, I'll have a read, hopefully find a solution."

Here are other payment processors you may want to check out. I do not know for sure if each one still works and if they serve your exact need.

2CheckOut
authorizenet
BTClick&Buy
CCAvenue
CCBill
CCNow
ClickBank
Gate2Shop
Google Checkout
iBill
iKobo
InstaBill
Jettis
Kagi
Moneybookers
MultiCards
NoChex
PartyKey
PayDirect
Pay-Line
Paymate
Paypoint
ProPay
Reg.Net
RegNow
RegSoft
Share*It
Skypay
SWREG
Verotel