
Accepting Credit Cards

by Anonymous Monk
on Nov 01, 2004 at 11:19 UTC (#404272)

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi
Can anyone give me any advice on accepting credit cards on a website? I need to have a registration form for users to sign up, then a form for entering credit card details which will then automatically debit their card and return accepted or declined depending if the transaction was successful.

The whole process needs to be automatic.

I have done a bit of research, I've had a look at Business::OnlinePayment and authorize.net, but are there other good and cost effective ways of doing this? The site is also UK based if that makes a difference.

Thanks,
Tom

Replies are listed 'Best First'.
Re: Accepting Credit Cards
by tachyon (Chancellor) on Nov 01, 2004 at 11:32 UTC

    To accept credit cards you need a merchant account with a willing bank. These are not that easy to get in the UK. If you don't have a merchant account you need to use a 3rd party to handle the transactions for you. There are lots of options but in essence they will do almost everything for their cut.

    The bad news is that:

    1. even if you have a merchant account it may be against your bank's TOS to use it online/card holder not present
    2. even if they do provide the facility expect to:
      • pay an exorbitant commission rate and
      • accept a 60-90-120 day delay before you get the funds cleared.
    This is because of online fraud and the high level of chargebacks with card holder not present online transactions. UK banks are also ~5-10 years behind the rest of the world.

    cheers

    tachyon

Re: Accepting Credit Cards
by bradcathey (Prior) on Nov 01, 2004 at 12:35 UTC

    tachyon makes some great practical points. Personally, I've created many e-commerce sites and not experienced the problems mentioned. However, I have found that the authorization gateway (the entity that intercedes between your site and the merchant acct. to actually validate the card) can have various protocols, some of which can be tricky.

    My favorite gateway provider allows a very easy to implement LWP::UserAgent and HTTP::Request::Common interaction. You and your customer need to decide what degree of validation is needed and just plug in the correct gateway codes.

    Of course, you will need to purchase a secure certificate and have it installed on your server. Also, you will need to create and encrypt a key on the server, which you should store in a non-public area of your site. Here's a sample of a simple transaction in Perl:

    use HTTP::Request::Common;
    use LWP::UserAgent;

    # $decrypted, $totalamt, $ccnumber, $month and $year, and the
    # declined() and error() subs, are set up elsewhere in the script.
    my $ua  = LWP::UserAgent->new;
    my $req = POST 'https://secure.authorize.net/gateway/transact.dll', [
        x_version        => '3.1',
        x_delim_data     => 'True',
        x_relay_response => 'False',
        x_login          => 'somepassword',
        x_tran_key       => $decrypted,
        x_amount         => $totalamt,
        x_card_num       => $ccnumber,
        x_exp_date       => $month.$year,
        x_type           => 'AUTH_CAPTURE',
    ];

    my $reply;
    my $response = $ua->request($req);
    if ($response->is_success) {
        $reply = $response->content;
    } else {
        print STDERR $response->status_line, "\n";
    }

    # parse $reply for authorized/decline codes and echo messages back to purchaser...
    my @replies = split(/,/, $reply);
    my $reason  = $replies[3];

    SWITCH: for ($replies[0]) {
        /2/ && do { &declined; last; };   # response code 2: declined
        /3/ && do { &error;    last; };   # response code 3: error
        $replies[0] = 0;
    }

    Good luck!


    —Brad
    "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton

        just a little nit here: B:OP:AuthorizeNet is not maintained by Authorize.Net, but by an unaffiliated volunteer.

        for the record, the only vendor that maintains their own Business::OnlinePayment module is Trust Commerce.

        more info at Business::OnlinePayment homepage

        "But what fun is that?"

        Wow! There is a CPAN module for everything (except one that will clean my garage...oops, I just found Garage::Clean).

        I'd love to read more about it, but I have to admit, I like to program the stuff myself. Though, I'm sure it does a superior job. Thanks!


        —Brad
        "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton
Re: Accepting Credit Cards
by Yendor (Pilgrim) on Nov 01, 2004 at 13:24 UTC

    In addition to all of the advice given above, let me implore you to look into local security if you plan on storing your users' credit card numbers locally, such as in a database.

    There have been multiple other discussions here covering this topic.

    It's not enough to just store them unencrypted -- as a matter of fact, down that road lies doom for you and/or your company.

    Of course, you don't necessarily mention the need to store them on your system. If that's the case, then so much the better...But also make sure that they don't show up in any kind of server logs, etc.

Re: Accepting Credit Cards
by pingo (Hermit) on Nov 01, 2004 at 12:21 UTC
    Apart from the sound advice above, a useful module is Business::CreditCard. It is very nice being able to check the format of the credit card number before doing any further checks.
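
Added example (not code from any poster in this thread): the format check pingo mentions and Yendor's point about keeping card numbers out of server logs, combined in one script. A plain Luhn routine stands in for Business::CreditCard so it runs without CPAN; `luhn_ok`, `scrub_line` and the sample log lines are constructed for illustration.

```perl
use strict;
use warnings;

# Luhn checksum: true when a 13-19 digit string passes the card-number check.
sub luhn_ok {
    my ($digits) = @_;
    return 0 unless $digits =~ /^\d{13,19}$/;
    my ($sum, $double) = (0, 0);
    for my $d (reverse split //, $digits) {
        my $v = $double ? $d * 2 : $d;   # double every second digit from the right
        $v -= 9 if $v > 9;
        $sum += $v;
        $double = !$double;
    }
    return $sum % 10 == 0;
}

# Mask anything in a log line that looks like a card number (digits, optionally
# separated by spaces or dashes) and passes Luhn. Only the last four digits stay.
sub scrub_line {
    my ($line) = @_;
    $line =~ s{(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)}{
        my $raw = $1;
        (my $digits = $raw) =~ tr/0-9//cd;
        luhn_ok($digits)
            ? ('*' x (length($digits) - 4)) . substr($digits, -4)
            : $raw;                      # not a card number: leave untouched
    }gex;
    return $line;
}

# Constructed log lines, not taken from any real system.
my @log = (
    'POST /checkout x_card_num=4111111111111111&x_exp_date=1206 200',
    'card entered as 4111-1111-1111-1111 by session abc123',
    'order id 1234567890123456 shipped',    # 16 digits, but fails Luhn
);
print scrub_line($_), "\n" for @log;
```

Run every line through `scrub_line` before it reaches the log file; the same `luhn_ok` check can reject mistyped numbers before any request is sent to the gateway.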
Re: Accepting Credit Cards
by zentara (Archbishop) on Nov 01, 2004 at 13:30 UTC
    bradcathey's method of using LWP::UserAgent is the direct way to do this, but I want to caution you to think about the whole process, to avoid getting sued for "lack of security" in handling the credit card data.

    First, make sure it is all done over https, not http.

    Second, most of the cc-verifying services will have a test URL, on which you can test your software. Once you get your merchant-number, you will be able to send phony transactions, and get the results. You can even write your own "pseudo-verifier-script", for testing your lwp scripts locally. You will need to run through a lot of simulations, to test all possible cases, so it's best to see how your bank returns results, then make a local cgi-script to imitate it. Then do your testing locally. Basically take bradcathey's lwp script, receive the data it sends, process it, and return a "yes or no" and possibly a "reason for denial". Then work on a strategy to keep your clients from submitting twice, and "in-session" while the verification occurs, then report the results. Most banks will let you specify which script to send the results to, so your data-collection cgi does not have to receive the verification results, it can read it off a database of some sort, which is written to by a separate "receive-verification-cgi".

    Also you want to be careful about storing the cc numbers on disk. If you are on a remote server, any of the technicians or sysadmins can read them.

    Anyways, if you want to do it yourself, those are roughly the considerations.


    I'm not really a human, but I play one on earth. flash japh
      There's no need to write your own test set-up if you use Authorize.Net. They have their own test server which they explain in their documentation (which you need to log in to get).
      --
      brian d foy <bdfoy@cpan.org>
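
Added example (not code from any poster in this thread): a local stand-in for the "pseudo-verifier-script" zentara describes, with a guard against double submission. The reply layout follows the indices bradcathey's script reads (field 0 is the code, field 3 the reason); `fake_gateway`, `parse_reply`, `submit_once`, the decision rules and the card numbers are hypothetical and constructed for testing.

```perl
use strict;
use warnings;

# Stand-in for the gateway: takes the POSTed fields and returns a
# comma-delimited reply. The decision rules are invented for local testing.
sub fake_gateway {
    my (%f) = @_;
    for my $need (qw(x_login x_tran_key x_amount x_card_num x_exp_date)) {
        return join ',', 3, 0, 0, "missing $need"
            unless defined $f{$need} && length $f{$need};
    }
    return join ',', 3, 0, 0, 'bad amount' unless $f{x_amount} =~ /^\d+\.\d\d$/;
    return join ',', 2, 0, 0, 'card declined' if $f{x_card_num} eq '4000000000000002';
    return join ',', 1, 0, 0, 'approved';
}

# Fail closed: only an exact "1" is an approval; an empty reply is an error.
sub parse_reply {
    my ($reply) = @_;
    my @r    = split /,/, (defined $reply ? $reply : '');
    my $code = defined $r[0] ? $r[0] : '';
    my $status = $code eq '1' ? 'approved'
               : $code eq '2' ? 'declined'
               :                'error';
    return ($status, defined $r[3] ? $r[3] : 'no reply from gateway');
}

my %seen;   # a real site would keep this in a database keyed by order token
sub submit_once {
    my ($token, %f) = @_;
    return (@{ $seen{$token} }, 'duplicate, not resent') if $seen{$token};
    my @result = parse_reply(fake_gateway(%f));
    $seen{$token} = \@result;
    return (@result, 'sent to gateway');
}

# Constructed test cases: approval, a double click, a decline, a missing field.
my %base = (x_login => 'test-login', x_tran_key => 'test-key',
            x_amount => '19.99', x_exp_date => '1206');
for my $c ([ 'order-1', '4111111111111111' ], [ 'order-1', '4111111111111111' ],
           [ 'order-2', '4000000000000002' ], [ 'order-3', '' ]) {
    my ($token, $card) = @$c;
    printf "%-8s %s\n", $token,
        join ' | ', submit_once($token, %base, x_card_num => $card);
}
```

The second `order-1` line shows the stored result being returned without a second call to the gateway, which is the behaviour wanted when a customer clicks submit twice.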
Re: Accepting Credit Cards
by dba (Monk) on Nov 01, 2004 at 15:55 UTC
    Use webhosting services like Yahoo where they have everything to setup. This will be useful if you are a small business.
