Safely getting card number for payment gateway

I have a payment gateway api for BluePay. My application is in PHP. I am able to process a transaction with code similar to this:

bp->process(1111111111111111,.....) with 111111111111111 being the card number.

the process function posts t开发者_Python百科he card number to bluepay's site using PHP's CURL wrappers.

How can I safely get a card number from the user?

where I substitute 111111111111111 with a variable that is filled in from the user.

You'll need to ensure that both receiving the card number (from the user) and sending the card number (to your gateway) is done over an SSL connection. I assume your gateway wouldn't allow it any other way, so that side of the transaction is * probably* already safe.

It's also important not to store the CC data anywhere, simply pass it onto the gateway.

So you need to purchase an SSL certificate for your web server, and make sure all sensitive information sent is encrypted (https://). You can generate the SSL certificate yourself, but that won't give your users a warm fuzzy secure feeling. It also wouldn't verify that your site is who it claims to be.

Give them a form over an encrypted connection?

You can get a cheap single domain SSL signed certificate at namecheap

In addition to this I would also recommend hashing the number before sending it. SSL is not perfect: Defeating SSL

Don't forget, if you are hosting a page which gathers credit card information, this system then becomes 'in-scope' as far as the PCI-DSS (Payment Card Industry Data Security Standard) is concerned, which comes with a whole world of grief if you have to comply to it!

You may be better off using a 'hosted' solution for your payments. i.e. the user is redirected to a page hosted on, say, Worldpay.com, to actually enter their card details, and then redirected back to your site afterwards.