possible issues with submitting data from my site to payment gateway
I'm planning to use eWay (http://eway.com.au) as the payment gateway for my store, however they do not allow much customisation on their hosted page. I want to avoid touching credit card numbers at any point and so their hosted page would do for me. So I was thinking of creating my own form on my website that would submit data to the eWay backend, exactly the same as the form on their hosted page does. Once the submitted data is processed it would redirect to my site. To give users peace of mind the form on my site would probably be on SSL, although that wouldn't make it any more secure as far as I know. Please let me know if that would be possible or if I am missing something important here.
UPDATE: just realised that my form can be hacked too; seems pretty obvious, yet I missed it somehow.
PayWay is an alternative that has this as a documented mode of integration. You can host a page for entry of the credit card details (under SSL) which does a POST directly to PayWay. While your site generates the credit card entry page, it instructs the browser to post directly to PayWay so the card numbers never touch your server.
A user could tamper with data submitted in the form, and for this reason details such as the payment amount and products purchased are all passed directly from your server to PayWay prior to this (called a "token request"). The result of the token request is a random string of characters which you include as a hidden field in your form.
After the payment has been processed, PayWay will redirect back to your website to allow you to display a receipt page. The parameters passed to you in this redirect are encrypted to ensure they came from PayWay.
This allows you to fully control the branding while maintaining security.
(Disclosure: I work on the PayWay team).
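The flow described in this answer (server-side token request, browser posting card data straight to the gateway, signed redirect back to the merchant) as an added illustration. This is example code written for this page, not PayWay's or eWay's own integration code: `MockGateway`, `Merchant`, the `token_request`/`browser_post` calls, the `https://gateway.example/pay` URL and the shared secret are all hypothetical, and an HMAC signature stands in for the encrypted redirect parameters the answer mentions. It shows why the amount must be fixed by the token request rather than by a form field, why the redirect needs an integrity check, and why a token should be single use.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Constructed shared secret for the illustration; a real integration would use
# credentials issued by the gateway, never a literal in source code.
GATEWAY_SECRET = b"constructed-example-secret"


def sign_params(secret: bytes, params: dict) -> str:
    """HMAC over the sorted, URL-encoded parameters (the 'sig' field excluded)."""
    payload = urlencode(sorted((k, v) for k, v in params.items() if k != "sig")).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


class MockGateway:
    """Hypothetical gateway: issues tokens server-to-server, accepts browser POSTs,
    and hands back signed redirect parameters."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # token -> (order_id, amount_cents) fixed by the merchant's server

    def token_request(self, order_id: str, amount_cents: int) -> str:
        # Server-to-server: the merchant fixes what is being paid for before any form is shown.
        token = secrets.token_urlsafe(24)
        self.pending[token] = (order_id, amount_cents)
        return token

    def browser_post(self, form: dict) -> dict:
        # The shopper's browser posts card data plus the hidden token directly here;
        # the merchant's server never sees the card number.
        token = form.get("token")
        if token not in self.pending:
            return {"status": "rejected", "reason": "unknown or already used token"}
        order_id, amount_cents = self.pending.pop(token)  # single use blocks replay
        # The amount comes from the token, so an "amount_cents" field added to the POST is ignored.
        params = {"order_id": order_id, "amount_cents": str(amount_cents), "status": "approved"}
        params["sig"] = sign_params(self.secret, params)
        return params


class Merchant:
    """Merchant site: renders the card-entry form and validates the redirect."""

    def __init__(self, gateway: MockGateway, secret: bytes):
        self.gateway = gateway
        self.secret = secret

    def render_payment_form(self, order_id: str, amount_cents: int) -> str:
        token = self.gateway.token_request(order_id, amount_cents)
        # The form posts to the gateway, not to the merchant; the amount is deliberately not a field.
        return (
            '<form method="post" action="https://gateway.example/pay">\n'
            f'  <input type="hidden" name="token" value="{token}">\n'
            '  <input type="text" name="card_number">\n'
            '  <button type="submit">Pay</button>\n'
            '</form>'
        )

    def handle_redirect(self, params: dict) -> bool:
        # Accept the receipt only if the signature proves the parameters came from the gateway.
        expected = sign_params(self.secret, params)
        return hmac.compare_digest(expected, params.get("sig", ""))


def run_scenario() -> dict:
    """Walk through the flow, including a tampered amount, a forged redirect and a replay."""
    gateway = MockGateway(GATEWAY_SECRET)
    merchant = Merchant(gateway, GATEWAY_SECRET)

    html = merchant.render_payment_form("ORD-1001", 4999)
    token = re.search(r'name="token" value="([^"]+)"', html).group(1)

    # A modified browser adds an amount_cents field; the gateway charges the tokenised amount.
    redirect = gateway.browser_post(
        {"token": token, "card_number": "0000000000000000", "amount_cents": "1"}  # constructed placeholder PAN
    )
    # Redirect parameters edited in transit: the signature no longer matches.
    forged = dict(redirect, amount_cents="1")
    # The same token posted a second time is refused.
    replay = gateway.browser_post({"token": token})

    return {
        "payment_status": redirect["status"],
        "charged_amount_cents": redirect["amount_cents"],
        "redirect_verified": merchant.handle_redirect(redirect),
        "forged_redirect_verified": merchant.handle_redirect(forged),
        "replay_status": replay["status"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to carry over to a real integration is the division of trust: anything the browser can edit (every form field, every redirect parameter) is untrusted, so price and order details are bound on the server before the form is rendered, and the receipt is accepted only after its authenticity check passes.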
Two things immediately came to mind: (1) you're no longer avoiding "touching credit card numbers" if those are submitted on your own form, and (2) unless their form is guaranteed/supported like an API, as soon as they decide to change to a new form your own submittals that depend on their old form will probably break, and you'll be down while you play catch-up.