1

I have an online store in which customers can purchase a code which enables them to have use of a bot service I run.

Part of the bot needs customers' sensitive information to be entered: address and card information. This is secure on my end with encrypted files, the latter.

Was wondering how I can get the customers to send me their info securely online; my online store does not support this option and I have a subscription with them now before I realised this. So basically they download a file from my store, containing a redemption code and a link to a website. I was thinking Google Forms, but I'm not sure if this is secure?

Any similar services you can recommend, where customers can send me this info via an online form?

peterh
  • All Google Forms contain the phrase "Never send passwords or sensitive information via google forms"... so 1) probably a bad idea 2) Some clients may start thinking you are either a scam or an idiot. I don't understand, why don't you use HTTPS and a form like all other sites? – Bakuriu Feb 20 '17 at 19:37
  • Your online store doesn't support taking payments? Then it's just a website, not a store? – Ryan Kelso Feb 20 '17 at 19:41
  • Why not trust payment functionality to established payment companies like PayPal? Or your bank might have something for small businesses... This way you handle the shopping cart, possibly not requiring HTTPS (although, HTTPS would be strongly advised). Then you redirect your customers to PayPal (or other) site for payment (read docs on this). – nurchi Feb 20 '17 at 19:43
  • It does take payments, a payment for my service (via PayPal). It does not support adding a form to checkout, and I have already paid for the online store so cannot change. I need the customers' CC info for use of my bot (purchasing limited fashion items online) and was wondering on the best way to do this. Maybe a private page on my site accessible by password, with a form on this site where the customer quotes the code they purchased? My site has HTTPS, would this be more acceptable? – joelittlejohns4 Feb 20 '17 at 19:44

4 Answers

2

We have e-commerce sites, all interfaced with paypal.com. When the customer types in his CC info, he's actually on paypal.com and not our domain, through a PayPal API.

They have many options. One is at https://developer.paypal.com/docs/integration/web/. Check it out and give them a call. We are a longtime and happy PayPal customer.

Mike Waters
0

Trying to reinvent the wheel has never been a good path to take.

There are plenty of third-party options to handle credit card transactions, such as Stripe and PayPal. I would strongly recommend using these services.

Why? Here are a few reasons to consider:

  • They deal with all the red tape, courts, and other PCI compliance areas
  • They have the insurance to deal with loss/theft of data
  • Public embarrassment is shunted to them, as they are the ones handling payments
  • There is very little cost associated to you
  • They can specialize in large volumes, so this again results in lower costs
  • Scaling their solution is much easier than scaling your own
  • There is no reason not to trust their products, security has been tested for years
  • UI (User Interfaces) are extensively tested, which customers appreciate
  • Customers like PayPal because they aren't sending credit card details into "the unknown"
  • Proven solutions, you know they work, but is your solution in the same boat?
dark_st3alth
0

I am not sure you need their CC info. You need their payment. You could instruct them to go to www.paypal.com (you can even give them a link) and tell them to send a payment to your email address. PayPal has an "add a note" feature which will allow them to state why they are sending you money.

John Wu
0

In your comment, you say:

I need the customers' CC info for use of my bot (purchasing limited fashion items online) and was wondering on the best way to do this.

This is what's generally known as a Bad Idea. You are basically saying to your customers "Hand me your credit card so that I can buy things on your behalf at some point in the future". They have no way to know you won't buy yourself nice things at their expense. You have no way to know whether the card you're using has expired, been cancelled, been reported stolen, or is even actually the customer's card and not a fraudulent one until you try to use it - at which point you could be the one on the hook for making fraudulent payments. Or you'll get angry customers because your unexpected charge put them over their credit limit, or prevented them from putting something else big on it. And so on. By using someone else's card to make purchases, even on their behalf, you're opening yourself up for a whole host of problems. That's not even touching the PCI requirements around storing credit cards, which is a whole separate can of worms.

The correct way to do something like this, if there is such a thing, is to collect the customer's payment information as "card on file" through a secure website, such as PayPal or one of their competitors. This will give you some form of identifier or token which you can use to tell PayPal to charge that card in the future. You then make purchases using your money, and then bill the customer for that amount by using that token. Or, if your bot is smart enough, you bill the customer and then make the purchase if the charge on their card goes through.

That's really the only safe way to go about this.

Bobson
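
The card-on-file flow described in the answer above, as an added example that is not part of the original post: the merchant keeps only a token per redemption code and charges before purchasing. `FakeProcessor` is a hypothetical in-memory stand-in for a processor's vault (not PayPal's or any real provider's API); `Merchant`, the redemption code and the card number are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

class FakeProcessor:
    """Hypothetical in-memory stand-in for a processor's card vault."""
    def __init__(self):
        self._vault = {}  # token -> card state; lives only on the processor side

    def vault_card(self, pan, active=True, available_cents=0):
        # Models the processor-hosted page: the customer enters the card there,
        # and only the opaque token is handed back to the merchant.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = {"active": active, "available": available_cents}
        return token

    def charge(self, token, amount_cents):
        card = self._vault.get(token)
        if card is None:
            return "unknown_token"
        if not card["active"]:          # expired, cancelled or reported stolen
            return "declined_inactive"
        if amount_cents > card["available"]:
            return "declined_over_limit"
        card["available"] -= amount_cents
        return "approved"

@dataclass
class Merchant:
    processor: FakeProcessor
    tokens: dict = field(default_factory=dict)      # redemption code -> token
    purchases: list = field(default_factory=list)

    def register(self, redemption_code, token):
        self.tokens[redemption_code] = token          # no card number stored here

    def buy_for(self, redemption_code, item, price_cents):
        token = self.tokens.get(redemption_code)
        if token is None:
            return "no_card_on_file"
        result = self.processor.charge(token, price_cents)  # bill first
        if result == "approved":                             # then purchase
            self.purchases.append((redemption_code, item, price_cents))
        return result

if __name__ == "__main__":
    proc = FakeProcessor(); shop = Merchant(proc)
    tok = proc.vault_card("4111111111111111", available_cents=20000)  # constructed test number
    shop.register("CODE-1", tok)
    print(shop.buy_for("CODE-1", "jacket", 15000), shop.buy_for("CODE-1", "shoes", 9000))
```
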