Best Method for Submitting to Merchant Site

Best Method for Submitting to Merchant Site

lizquigg
I have a form on my site that submits a transaction to Virtual Merchant.  Three of the parameters need to be hidden because they are account information.  I have tried various approaches.

1) server-side include with the three parameters, but they still show if you look at the page source.

2) calling an intermediate Lasso page that combines the parameters from the form with the three parameters and does a URL redirect.  Unfortunately this is the equivalent of a "Get" so the parameters are in the address bar.

3) making a Lasso page with an ] [Include_URL: 'https://www.myvirtualmerchant.com/VirtualMerchant/process.do', -POSTParams=(Variable: 'POST_Params')] as described in the Language Guide. (I changed the "action=process.do" to go to the VirtualMerchant process.do.) The problem with this solution is that the customers are actually entering their credit card information on my site and not the Virtual Merchant site.  So I trade the problem of exposing the three parameters for another problem. My employer does not want me to be taking in credit card information on our servers.

Does anyone have a solution using Lasso so I can hide these parameters and avoid taking credit card information from my web page?

Thanks,

Liz

------------------------
Liz Quigg
Fermilab
MS 226, Box 500
Batavia, IL 60510
630 840-2631
[hidden email]<mailto:[hidden email]>



#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Re: Best Method for Submitting to Merchant Site

stevepiercy
The documentation for my AuthorizeNet_AIM covers your method 3.
http://www.lassosoft.com/tagswap/detail/AuthorizeNet_AIM
http://www.lassosoft.com/tagswap/detail/AuthorizeNet_AIM_9/

Some advice.

Never, ever store PCI data.  Let the professionals handle it and
accept the liability.

The two most common and secure options are:

(1)  Send the user to a third party website to perform and
complete transactions.  (PayPal button)
(2)  Serve a form over HTTPS, which POSTs data over HTTPS.  
AuthorizeNet_AIM does this.

For the latter, I usually POST the form data to my server.  This
is OK and compliant with PCI.  Then the Lasso code for the URL
to which data was posted performs some validation and logic, and eventually:

     #AIMResult = string(include_url(#AIMURL, -postparams = #AIMParamArray))

Then process the result with either a success or failure
message.  Do not provide details of failure to the user, as you
do not want to tip off Evil People™ about what specifically failed.

Now you don't have to use AuthorizeNet for processing
transactions, and any other processor will do (I'm using
BalancedPayments.com myself these days).  The concepts and
procedures remain pretty much the same.

Please feel free to ask for further details.

--steve


On 12/8/13 at 3:56 PM, [hidden email] (Elizabeth K Quigg) pronounced:

>I have a form on my site that submits a transaction to Virtual
>Merchant.  Three of the parameters need to be hidden because
>they are account information.  I have tried various approaches.
>
>1) server-side include with the three parameters, but they
>still show if you look at the page source.
>
>2) calling an intermediate lasso page that combines the
>parameters from the form with the  three parameters and does a
>URL redirect.  Unfortunately this is the equivalent of a "Get"
>so the parameters are in the address bar.
>
>3) making a lasso page with an  ] [Include_URL: 'https://www.myvirtualmerchant.com/VirtualMerchant/process.do',
>-POSTParams=(Variable: 'POST_Params')] as described in the
>Language Guide. (I changed the "action=process.do" to go to the
>VirtualMerchant process.do.) The problem with this solution is
>that the customers are actually entering their credit card
>information on my site and not the Virtual Merchant site.  So I
>trade the problem of exposing the three parameters for another
>problem. My employer does not want me to be taking in credit card
>information on our servers.
>
>Does anyone have a solution using Lasso so I can hide these
>parameters and avoid taking credit card information from my web page?
>
>Thanks,
>
>Liz
>
>------------------------
>Liz Quigg
>Fermilab
>MS 226, Box 500
>Batavia, IL 60510
>630 840-2631
>[hidden email]<mailto:[hidden email]>

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>
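
The server-side POST flow from option (2) in the reply above, as an added Python sketch that is not part of either post and is not Lasso code: the account parameters are merged in on the server so they never appear in the page source or address bar, and the customer sees only a generic failure message. The field names, placeholder credentials, card number and the key=value reply format are assumptions made for illustration, not the processor's documented interface.

```python
import logging
from urllib.parse import urlencode, parse_qsl

log = logging.getLogger("payment_relay")

# Hypothetical field names and placeholder values; in production the account
# parameters are loaded from server-side configuration, never from the page.
ACCOUNT_PARAMS = {"merchant_id": "PLACEHOLDER_ID",
                  "user_id": "PLACEHOLDER_USER",
                  "pin": "PLACEHOLDER_PIN"}
ALLOWED_FORM_FIELDS = {"amount", "card_number", "exp_date", "cvv"}
GENERIC_FAILURE = "Your payment could not be processed."


def build_post_body(form: dict) -> str:
    """Merge whitelisted browser fields with the server-held account parameters."""
    # Drop anything unexpected so a client cannot inject or override
    # the account parameters by adding its own form fields.
    fields = {k: v for k, v in form.items() if k in ALLOWED_FORM_FIELDS}
    missing = ALLOWED_FORM_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"missing form fields: {sorted(missing)}")
    fields.update(ACCOUNT_PARAMS)  # server-side values always win
    return urlencode(fields)       # body for the HTTPS POST to the processor


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the log never holds a full card number."""
    return "*" * max(len(pan) - 4, 0) + pan[-4:]


def user_message(processor_reply: str, card_number: str) -> tuple[bool, str]:
    """Map the processor reply to what the customer sees; detail goes to the log."""
    reply = dict(parse_qsl(processor_reply))  # assumed reply format: key=value pairs
    if reply.get("result") == "0":            # assumed success code
        return True, "Payment accepted."
    log.warning("payment declined card=%s reason=%s",
                mask_pan(card_number), reply.get("result_message", "unknown"))
    return False, GENERIC_FAILURE
```
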

