To accept credit cards you need a merchant account with a willing bank. These are not that easy to get in the UK. If you don't have a merchant account you need to use a 3rd party to handle the transactions for you. There are lots of options but in essence they will do almost everything for their cut.

The bad news is that:

1. even if you have a merchant account it may be against your banks TOS to use it online/card holder not present
2. even if they do provide the facility expect to:
   • pay an exhorbitant commission rate and
   • accept a 60-90-120 day delay before you get the funds cleared.

tachyon makes some great practical points. Personally, I've created many e-commerce sites and not experienced the problems mentioned. However, I have found that the authorization gateway (the entity that intercedes between your site and the merchant acct. to actually validate the card) can have various protocols, some of which can be tricky.

My favorite gateway provider allows a very easy to implement LWP:: UserAgent and HTTP::Request::Common interaction. You and your customer needs to decide what degree of validation is needed and just plug in the correct gateway codes.

Of course, you will need to purchase a secure certificate and have it installed on your server. Also, you will need to create and encrypt a key on the server, which you should store in a non-public area of your site. Here's a sample of a simple transaction in Perl:

use HTTP::Request::Common;
use LWP::UserAgent;

my $ua = LWP::UserAgent->new;
my $req = POST 'https://secure.authorize.net/gateway/transact.dll',
   [    
   x_version        => '3.1',
   x_delim_data     => 'True',
   x_relay_response => 'False',
   x_login          => 'somepassword',
   x_tran_key       => $decrypted,
   x_amount         => $totalamt,
   x_card_num       => $ccnumber,
   x_exp_date       => $month.$year,
   x_type           => 'AUTH_CAPTURE',
   ];

my $reply;
my $response = $ua->request($req);
if ($response->is_success) {
   $reply = $response->content;
   } else {    
   print STDERR $response->status_line, "\n";
   } 

#parse $reply for authorized/decline codes and echo messages back to p
+urchaser...

my @replies = split(/,/, $reply);
my $reason = $replies[3];
SWITCH: for ($replies[0]) {
   /2/ && do { &declined; last; };
   /3/ && do { &error; last; };
   $replies[0] = 0;
 }
[download]

Good luck!

Business::OnlinePayment::AuthorizeNet will do that for you. It's maintained by Authorize.Net and available on CPAN.
--
brian d foy <bdfoy@cpan.org>

just a little nit here: B:OP:AuthorizeNet is not maintained by Authorize.Net, but by an unaffiliated volunteer.

for the record, the only vendor that maintains their own Business::OnlinePayment module is Trust Commerce.

more info at Business::OnlinePayment homepage

"But what fun is that?"

Wow! There is a CPAN module for everything (except one that will clean my garage...oops, I just found Garage::Clean).

I'd love to read more about it, but I have to admit, I like to program the stuff myself. Though, I'm sure it does a superior job. Thanks!


—Brad
"Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton

In addition to all of the advice given above, let me implore you to look into local security if you plan on storing your users' credit card numbers locally, such as in a database.

There have been multiple other discussions here covering this topic.

It's not enough to just store them unencrypted -- as a matter of fact, down that road lies doom for you and/or your company.

Of course, you don't necessarily mention the need to store them on your system. If that's the case, then so much the better...But also make sure that they don't show up in any kind of server logs, etc.

First, make sure it is all done over https, not http.

Second, most of the cc-verifying services, will have a test URL, on which you can test your software. One you get your merchant-number, you will be able to send phony transactions, and get the results. You can even write your own "pseudo-verifier-script", for testing your lwp scripts locally. You will need to run through alot of simulations, to test all possible cases, so it's best to see how your bank returns results, then make a local cgi-script to imitate it. Then do your testing locally. Basically take bradcathay's lwp script, receive the data it sends, process it, and return a "yes or no" and possibly a "reason for denial". Then work on a strategy to keep your clients from submitting twice, and "in-session" while the verification occurs, then report the results. Most banks will let you specify which script to send the results to, so your data-collection cgi does not have to receive the verification results, it can read it off a database of some sort, which is written to by a separate "receive-verification-cgi".

Also you want to be careful about storing the cc numbers on disk. If you are on a remote server, any of the technicians or sysadmins can read them.

Anyways, if you want to do it yourself, those are roughly the considerations.

There's no need to write your own test set-up if you use Authorize.Net. They have their own test server which they explain in their documentation (which you need to log in to get).
--
brian d foy <bdfoy@cpan.org>