
I need advice on how to best handle an e-commerce situation

I recently moved to Brazil and started a small subscription based service company. The payment gateway market is under-developed in Brazil, and implementing a local solution is too expensive for me.

My requirements are a payment gateway that will automatically process monthly recurrent billing, and that will allow me to manually charge my customers when needed. They would also have to deal with storage and security.

I'm leaning towards manually processing payments myself as a restaurant would do, for example, using small swipe machines. Unfortunately, this would require me to store credit card information and I would rather not, but I feel it's my only option.

Can anyone give me advice on how to tackle this problem?

  • What are my options?
  • Is my idea a good idea, or a terrible idea?
  • If I decide to store credit card information, what should I keep in mind and how should I go about it?


There are many payment processors out there - not sure what the options are in Brazil, but here in Europe we can use Paypal (great because everyone knows it) or others such as RealEx.

The advice I would give - from my own experience taking payments on a busy betting website - is to go for a solution that means you do not have to store credit card numbers if you can. It's so much easier for everyone. Ideally all processing should happen on the provider's website so that no personal info (such as credit card numbers etc.) is required on your site. This approach means you sometimes do not even need an SSL certificate. It's safe, and the customer likes it because they know the trusted middle man (e.g. Paypal).

If you have to integrate a payment method such as credit card into your site and it means that you are going to be requesting and storing this information on your website then you need to ensure your site is secure and this is not an easy thing.

  • You will need to ensure that your network is secure
  • You will need to make sure your code is secure (SQL injection for example)
  • You will need to make sure you use SSL for all server to server comms
  • You will need to encrypt (AES 256 I'd recommend) your credit card numbers (if you have to store them - remember you could just use them in that session and do not persist them to the database!)

It is complicated, and it takes time. You can look into PCI compliance down the road (depending on volume you might be forced to by the processor!) but for now if at all possible use a third party website for payments.

Hope that helps!
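
The "encrypt with AES 256 if you have to store them" point above, as an added example that is not part of the original answer: field-level encryption of a card number in Node.js. The GCM mode, the customer-ID binding, the record shape and the function names `encryptPan`/`decryptPan` are assumptions made for illustration.

```javascript
// Added example: field-level AES-256-GCM encryption of a stored card number.
const nodeCrypto = require('node:crypto');

// Assumption: in production the 32-byte key comes from a KMS/HSM or a secret
// store, never from the same database that holds the ciphertext.
function encryptPan(pan, key, customerId) {
  if (!/^\d{12,19}$/.test(pan)) throw new Error('PAN must be 12-19 digits');
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = nodeCrypto.randomBytes(12);            // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(customerId)));   // bind ciphertext to its owner
  const ct = Buffer.concat([cipher.update(pan, 'utf8'), cipher.final()]);
  return {
    customerId,
    last4: pan.slice(-4),                           // enough for receipts and UI
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

function decryptPan(record, key) {
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(String(record.customerId)));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  // final() throws if the tag, the ciphertext or the customerId was altered.
  return Buffer.concat([
    decipher.update(Buffer.from(record.ct, 'base64')),
    decipher.final(),
  ]).toString('utf8');
}

// Constructed sample data: a widely used test card number and a random key.
const demoKey = nodeCrypto.randomBytes(32);
const demoRecord = encryptPan('4111111111111111', demoKey, 'cust-001');
```

Only `demoRecord` would be written to the database; a row copied to another customer or modified at rest fails authentication on decrypt instead of returning a wrong number.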
