
What pages need to be secure when accepting credit cards?
What sequence of pages should I use for credit card transactions?

Feb 28th, 2000 11:48
Loren Siebert, Nathan Wallace, Brian Clark


>>>>>>>>>>
As a general rule, you make the SSL connection before any sensitive info
is even typed into the browser, otherwise you defeat the purpose of SSL.
<<<<<<<<<<

I don't think this is true. SSL is a transparent protocol implemented 
underneath HTTP, so the SSL session is established before any HTTP 
application data (like POST or GET pairs) are sent at all. 

At Amazon.com, for instance, when you get to the page where it's time 
to enter your password information, note that the form is served up 
unencrypted and the text at the bottom of the form reads: "If you 
select the secure server, the information you enter will be encrypted." 
The form action, of course, is via HTTPS. There are no funky JavaScript 
calls either to pre-encrypt the form data.

-Loren
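
An added example, not part of the original entry or of any site it mentions: a Python check that reads a page's HTML and, for each form collecting a password or card field, reports whether the page itself and the resolved form action are HTTPS. The URLs, field-name hints and verdict labels are assumptions made for illustration, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: field-name fragments treated as sensitive (illustrative heuristic).
NAME_HINTS = ("card", "cvv", "passw")

class FormCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"action": action, "sensitive": False}
        elif tag == "input" and self._cur is not None:
            kind, name = ((a.get(k) or "").lower() for k in ("type", "name"))
            if kind == "password" or any(h in name for h in NAME_HINTS):
                self._cur["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit(page_url, html):
    """Return [(action_url, verdict)] for forms that collect sensitive fields."""
    parser = FormCollector(page_url)
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        action_https = urlsplit(form["action"]).scheme == "https"
        if not action_https:
            verdict = "submission-unencrypted"  # field values cross the wire in clear
        elif not page_https:
            # Page came over HTTP: its markup, action URL included, had no integrity protection.
            verdict = "form-page-unencrypted"
        else:
            verdict = "ok"
        findings.append((form["action"], verdict))
    return findings

# Constructed sample: a sign-in form whose action is an absolute HTTPS URL.
SAMPLE_FORM = '<form action="https://shop.example/signin"><input type="password" name="pw"></form>'
```

Calling `audit("http://shop.example/signin", SAMPLE_FORM)` covers the arrangement described in the entry, a form served over HTTP that posts to HTTPS.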