PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Save creditcard info

  1. Hi guys,

    My client owns a hotel and wants to make a booking form which includes credit card info.
    This info is used just in case the client won't show up. So it's not used to pay right away.

    But since this info needs to be secured when they send an email I was wondering if I can do that with Gravity Forms?

    Posted 6 years ago on Tuesday November 27, 2012 | Permalink
  2. David Peralty
    Administrator

    Unless you have a database security expert on hand, it is recommended that you don't do this. Gravity Forms stores data in the same database as the rest of your WordPress blog, and as such, it isn't the most secure location for credit card details. You could have the data removed immediately upon submission of the form, and only e-mailed to an account, but in my opinion, e-mailing this data isn't very secure either.

    While Gravity Forms is great at collecting data, you might want to consult with an e-commerce expert before you start taking credit card information.

    Posted 6 years ago on Tuesday November 27, 2012 | Permalink
  3. Hi David,

    Thanks for your reply. I understand what you mean. I saw the Authorize.net plugin for GF but is this maybe something for me?

    I only need the card number.

    Posted 6 years ago on Tuesday November 27, 2012 | Permalink
  4. We cannot prevent you from collecting credit card information. If you collect the information with your form, it will be submitted in plain text unless you encrypt the traffic with SSL. If you use SSL, the notification could contain the credit card info, and the entry and database will store the information as well. All those points need to be secure. The burden is on you to keep your customers' credit card information safe, and there is a whole set of standards to comply with.

    https://www.pcisecuritystandards.org/

    It's incumbent on you to comply with the applicable standards when you collect credit card information.

    Posted 6 years ago on Saturday December 1, 2012 | Permalink
  5. cobhamVF
    Member

    Can I ask for a continuation of this topic because clearly it is one of significant importance. Firstly I have been confused by Chris comments as stefsurges is asking about the Authorize.net plugin and your documentation clearly states:

    <<Start of copied text>>
    About The Credit Card Field

    The Authorize.Net enables the Credit Card Field in Gravity Forms. This field appears in the Pricing Fields toolbox of the Form Editor. This is a new field type that makes it easy to capture credit card information. It includes integrated card type detection so the user does not have to pick which type of card he is using and it also has built in validation to validate that the card format is correct.

    This field does not actually store the Credit Card data. It is available as part of the initial form submission strictly as part of integration with the Authorize.Net Add-On and other payment gateway add-ons. This data will not be stored as part of the form entry and is not retained by your site, server, or database.

    If you Preview or view your form on a page that is not secure, it will be obvious, both to you and your users if you do not properly secure the page. If the page is unsecured the Credit Card Field will be highlighted with a red warning. This warning will not be displayed if the page displaying the form is loaded via https with a valid SSL certificate.
    <<end of copied text>>

    Certainly if this is not the case (or even if it is) I would suggest to the gravity team put up a disclaimer somewhere to a) protect themselves, b) help their customers to avoid making easy mistakes that could cost them a significant penalty.

    Also just not storing/transmitting card data is not enough to be PCI DSS compliant - this is something you should make customers aware of.

    If you are storing/transmitting any of the cardholder data you need to be careful.

    A potential disclaimer:

    Unless you really know what you're doing don't attempt to use the Authorize.net plugin

    You may be liable for any fraudulent use of your customers payment information due to lack of security on your server/data storage & transmission processes.

    PCI DSS compliance is complicated, there are several possible levels of adherence that depend on the way you integrate with your payment gateway/merchant services:

    A range of self assesment forms can be downloaded at:
    https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

    SAQ C - the easiest adherence to gain for online payments: relevant section of the PCI Security website is: SAQ C - https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf and

    Key points that any Merchant must follow to be compliant:

    Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
    The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
    Your company store is not connected to other store locations, and any LAN is for a single store only;
    Your company retains only paper reports or paper copies of receipts
    Your company does not store cardholder data in electronic format; and
    Your company’s payment application software vendor uses secure techniques to provide remote support to your payment application system.

    Posted 6 years ago on Tuesday December 18, 2012 | Permalink