I'm building an app that needs to charge credit cards. I read the tutorial in the advanced rails recipes book. They have you set up a separate application called "card_server" that handles storing and charging credit cards. I already have it set up and it seems like kind of a burden. Is it really necessary to set it up as a separate application? What is wrong with integrating all of that right into my own application? I guess I'm confused as to why they guided me to set up a completely separate application for that. Any help on this would be greatly appreciated. Thanks!
on 16.08.2008 17:56
on 16.08.2008 18:40
On 16 Aug 2008, at 16:56, Ben Johnson wrote:
> greatly appreciated. Thanks!
You need to be careful with credit card data (and there are often fairly strict requirements about how it's kept and so on). It's far easier to isolate the part that deals with the sensitive data and lock that down than to do the same thing to your whole app.

You want the part handling cards to have the smallest vulnerability profile possible, and a good way to do that is to separate it completely from your application. While a mistake that made your app leak data or allowed unauthorised access would be bad, it would be even worse if you leaked credit card data.
Fred
on 16.08.2008 18:45
I'm guessing you can't use PayPal for this? Yeah, there are certain rules and a lot of red tape you need to go through. I don't know the details though.

-- Ramon Tayag
on 16.08.2008 19:09
On Sat, Aug 16, 2008 at 8:56 AM, Ben Johnson <rails-mailing-list@andreas-s.net> wrote:
> I'm building an app that needs to charge credit cards. I read the tutorial in the advanced rails recipes book. They have you set up a separate application called "card_server" that handles storing and charging credit cards.

Unless you have a lot of experience in this area, and resources/$$ to spend on infrastructure, I wouldn't recommend "storing" credit card info, period.

To just process credit cards you need a merchant account plus an account with an authorization gateway (e.g. Authorize.Net). That's not too hard to set up. The Authorize.Net API is well documented, at least; can't speak to other providers.

HTH,
-- Hassan Schroeder, hassan.schroeder@gmail.com
on 16.08.2008 21:31
Thanks for everyone's help. This software is unique in that I have to accommodate return business, because most of our business will be return business. I don't want to make the customer enter their CC info every time they check out. Amazon, Target, etc. store credit cards. Our company has a cabinet in a data center with 5 servers, so I have the infrastructure. I was just trying to figure out why all of it needed to be separated out into another app. To me, if someone compromises our server they can figure out a way to get the CC info. Separating it out is just another hurdle to jump, but doesn't really stop them. I feel like I am just setting up a lot of hurdles but nothing is really foolproof.
on 16.08.2008 22:08
On Sat, Aug 16, 2008 at 12:31 PM, Ben Johnson <rails-mailing-list@andreas-s.net> wrote:
> Thanks for everyone's help. This software is unique in that I have to accommodate return business, because most of our business will be return business.

Uh, hardly unique. And you don't necessarily have to store card data to handle return business. One example: <http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/>

> Amazon, target, etc store credit cards.

And if so they've spent lots of bucks to make sure their systems are as secure as possible (and meet the card-issuing companies' very stringent requirements -- which you'd better be aware of before heading down this road!).

> Our company has a cabinet in a data center with 5 servers, so I have the infrastructure.

I was talking about full-time security people, multiple firewalls, etc.; "5 servers in a data center" ain't it. :-)

Good luck, though. Hope not to see you in the headlines :-)

-- Hassan Schroeder, hassan.schroeder@gmail.com
on 16.08.2008 22:28
Use Authorize.net CIM to store the card info and get back a token you can use for future billing. Use the ActiveMerchant library to talk to the gateway. You don't need a separate app.

-- Benjamin Curtis
http://railskits.com/ - Ready-made Rails code
http://catchthebest.com/ - Team-powered recruiting
http://www.bencurtis.com/ - Personal blog
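The token approach the replies above recommend, as an added example that is not code from the thread or from ActiveMerchant: the app hands the card to a vault and keeps only an opaque token plus display data, then charges returning customers by token. `FakeVault` is a constructed stand-in for a gateway vault such as Authorize.Net CIM (the real API differs), and `contains_pan?` is a defender-side check that nothing the app persists or logs carries a card number.

```ruby
require 'digest'
require 'securerandom'

# Luhn check: tells a real-looking card number apart from an arbitrary digit run.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# Scan persisted text (a DB row, a log line) for 13-19 digit runs that pass Luhn.
# Useful as a test or log-pipeline check that no PAN leaked into the app's own storage.
def contains_pan?(text)
  text.scan(/\b\d(?:[ -]?\d){12,18}\b/).any? { |m| luhn_valid?(m.gsub(/[ -]/, '')) }
end

# Constructed stand-in for the gateway vault (assumption: real CIM calls look different).
# The PAN lives only here, on the gateway's side of the boundary.
class FakeVault
  def initialize
    @profiles = {}
  end

  def tokenize(pan:, exp:)
    raise ArgumentError, 'invalid card number' unless luhn_valid?(pan)
    token = 'tok_' + Digest::SHA256.hexdigest(pan + exp + SecureRandom.hex(8))[0, 16]
    @profiles[token] = { pan: pan, exp: exp }
    token
  end

  def charge(token, cents)
    return { success: false, message: 'unknown token' } unless @profiles.key?(token)
    { success: true, authorization: "auth_#{cents}_#{token[-4, 4]}" }
  end
end

# What the merchant app persists: the token and last four digits, never the PAN.
def save_customer_card(vault, pan:, exp:)
  token = vault.tokenize(pan: pan, exp: exp)
  { token: token, last4: pan[-4, 4], exp: exp }
end

# Repeat billing for a returning customer uses the stored token only.
def charge_returning_customer(vault, record, cents)
  vault.charge(record[:token], cents)
end
```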
on 17.08.2008 04:25
Ditto everything Hassan says, particularly the "5 servers" and "headlines" part. You may also want to take a look at Active Merchant - http://www.activemerchant.org/ - a Rails plug-in (also gem) for dealing with credit cards and payment processors and shipping. There's even a Peepcode tutorial - http://peepcode.com/products/activemerchant-pdf

-- Bosco
on 17.08.2008 16:47
Ben, you may want to look at the ActiveMerchant PDF published by PeepCode. I found it to be the best and most detailed discussion of credit card payment handling. http://www.peepcode.com

Hope this helps.
Bharat
on 19.08.2008 20:35
Ben, go with Hassan's and Benjamin's suggestions. I work in the credit card industry and the liabilities are just too high to risk...

Cheers,
Sazima