[pmwiki-devel] database tools and hacks in PmWiki
crisses at kinhost.org
Sun Dec 10 12:49:08 CST 2006
On Dec 10, 2006, at 1:13 PM, marc wrote:
> Crisses said...
>> I have thought through the product/service end of the shopping cart,
>> but not the order storage end. Storing credit card/bank information
>> in flat files is absolutely out of the question for me
> This isn't necessary. All the payment gateways I've used don't require
> it and it's better to steer clear of the legal issues. Repeat payment
> mechanisms are almost always available too. Even if you wanted to
> collect CC info to pass through on a secure connection, there's no
> to store it.
If you've ever programmed an API for a payment system, you're ahead
I was only READING the documentation for the QuickBooks payment
gateway the other day, and YES, one would be dealing directly with
the payer's credit card info on the PHP/pre-API end. We're talking
100% must have SSL, etc. Must store info, except the handy-dandy
code on the back of the card that we shouldn't even be requesting the
user to enter, and absolutely MUST NOT store.
>> one reason I
>> love PayPal from a liability/programming point of view -- absolutely
>> no need to store financial information on the system.
> Well, I loath PayPal - and enjoy a steady stream of work moving folk
> away from them :-) - but collecting payment info prior to
> commencing the
> payment transaction is not a requirement with any of the payment
> gateways I've used.
If you have the experience, again, you are far far ahead of me. For
me, it's all theory. I'm reading up on things. If your payment
processors are storing customer's info so you can request returns or
issue credits, etc. then it's better than what I've seen & read so far.
If you have experience with shopping carts and payment processors,
could you please give comments and contributions to the ideas for the
shopping cart for PmWiki, or write one? I am struggling with the
amount of complexity behind it. If you have dealt with the payment
processor APIs and would like to see a shopping cart system in
PmWiki, can you help?
>> The moment the
>> shopping cart system requires working with other merchant processing
>> systems that require the shopping cart to handle sensitive financial
>> information, we're entering very mucky territory in the way PmWiki
>> handles data. You must store the customer's credit card in case of a
>> product return, or needing to issue a credit, etc.
> This isn't how it works, in my experience. The payment gateway
> an interface that allows you to access the transaction and either
> or make a part repayment. At no point do you need the credit card
That's not what I've seen. I would welcome a list of payment
gateways, but note that some customers come with an API/system they
want to use because it's tied in with their in-store terminal
already, or their bank, or some other deal they've already signed on
The rest I do encourage to use PayPal, at $0 up-front costs, and most
of my customers are probably under $1000/month sales.
>> But you can't store it in a text file.
> Why not? Technically, I mean, since I don't this either.
Technically? Of course you can. Why not? Because most people are on
shared hosted servers. That means they can get the www process to
peek at your file system, maybe. Possibly.
>> Do we use GPG? That doesn't work, because the web server would need
>> access to the keys. It's a pain, and so far a database is the best
>> answer I have.
> You could store the key outside the web space and include the file.
See about shared hosting situations. I don't trust flat file storage
on multiuser systems.
Heck, nowadays you can't trust your hosting system's employees not to
steal customer info and sell it -- even banks and financial
institutions can't trust their employees. In a court if someone said
"How did you protect your customers' information" I want to be able
to honestly say I used all reasonable means. Flat files are not all
reasonable means. I have yet to have a hosting situation where I
can't get access to a MySQL database if I want or need one. It's not
the most secure thing ever, but it's one of the reasonable and
securer means. The safest is to abstain entirely from storing any
More information about the pmwiki-devel