PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Security of credit card data with Gravity Forms

  1. studio1
    Member

    Is it possible to securely accept credit cards with Gravity Forms without using the PayPal or Authorize.Net add-ons?

    I would like to make a simple form in a WordPress page where a customer can place an order and enter their credit card info without the form submission going through a payment gateway.

    The form submission would come to us instead and we would make a manual transaction at our Authorize.Net user interface in order to bank the money. We want to confirm the order with the customer by phone first before charging the card.

    I don't know how this could be done securely with Gravity Forms without the PayPal or Authorize.Net add-ons. We have an SSL cert and the form would be posted with a secure (https) url but I have a couple of questions:

    1. How do you send the credit card info securely when we receive the form submission in our email? Regular email channels are insecure.

    2. Is it possible to store the credit card info securely in the database with the rest of the form submission entries or leave out the credit card info from the entry altogether?

    3. What is the best way to accomplish this?

    Posted 12 years ago on Saturday April 21, 2012 | Permalink
  2. David Peralty

    I wouldn't suggest collecting credit cards without a proper payment gateway as you shouldn't be storing credit card information yourself.

    1. You don't need to have any notification set up, and even if you do set up a notification, you don't need to include all_fields. You can pick and choose which fields to e-mail, leaving out the credit card information.

    2. There is no way to securely store credit cards in the "average" database set-up. Big companies spend millions of dollars trying to secure credit card information, and I don't recommend you take this on yourself.

    Posted 12 years ago on Saturday April 21, 2012 | Permalink
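    As an added illustration of the "pick and choose which fields" point above (this is not code from the thread or from Gravity Forms itself), the snippet below uses the real Gravity Forms `gform_save_field_value` filter to keep a full card number out of the stored entry and, because notifications are built from the saved entry, out of `{all_fields}` e-mails as well. Only a masked value ending in the last four digits is persisted, and a security-code field is discarded outright. The field IDs 7 and 8 are assumptions for the example.

```php
<?php
// Added example, not Gravity Forms' own code. Assumes a form with a
// single-line text field ID 7 holding a card number and field ID 8
// holding the card security code (both IDs are assumptions).

define( 'EXAMPLE_CARD_NUMBER_FIELD_ID', 7 );  // hypothetical field ID
define( 'EXAMPLE_CARD_CVV_FIELD_ID', 8 );     // hypothetical field ID

/**
 * Reduce a raw card number to a masked form: every digit except the
 * last four replaced by '*'. Returns '' if fewer than four digits exist.
 */
function example_mask_card_number( $raw ) {
    $digits = preg_replace( '/\D/', '', (string) $raw );
    if ( strlen( $digits ) < 4 ) {
        return '';
    }
    return str_repeat( '*', strlen( $digits ) - 4 ) . substr( $digits, -4 );
}

/**
 * gform_save_field_value runs once per field just before the entry is
 * written. Whatever this returns is what lands in the database and in
 * every notification that uses the entry's values.
 */
add_filter( 'gform_save_field_value', 'example_scrub_card_fields', 10, 4 );
function example_scrub_card_fields( $value, $entry, $field, $form ) {
    $field_id = (int) rgar( $field, 'id' ); // rgar() is a Gravity Forms helper

    if ( $field_id === EXAMPLE_CARD_NUMBER_FIELD_ID ) {
        // The full number is never persisted; only the masked tail is.
        return example_mask_card_number( $value );
    }

    if ( $field_id === EXAMPLE_CARD_CVV_FIELD_ID ) {
        // A security code must never be stored in any form.
        return '';
    }

    return $value;
}
```

    Usage: drop this into a small site-specific plugin or the theme's functions.php and adjust the two field IDs to match the form. Note what this does and does not do: it stops the card data from being written to the entry table or mailed out, but the raw value still travels through the request and server memory, so it is a storage mitigation, not a substitute for the gateway add-ons the reply above recommends.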
  3. Yeeouch

    Maybe I still have some more learning to do.

    We're on target to recreate this form using a new WP site and Gravity Forms

    https://www.theriverviewinn.com/rvstie/index.php?option=com_content&view=article&id=2&Itemid=10

    I'm not sure yet HOW the data is transferred. I believe the front desk manager logs into their site and gets the credit card info that way.

    BUT wow... we certainly don't want cc data getting loaded into the WP database! What would you advise?

    (by the way, that form above is *really* a *Reservation Request* - not really Booking a Reservation... but the cc data is still potentially transferred (optional for the user))

    Posted 12 years ago on Thursday August 2, 2012 | Permalink
  4. David Peralty

    You might want to find out where the data is currently going before taking this on. I would advise sending the data directly to a third party with secured servers so that if your server is ever compromised, it doesn't have user credit card information on it.

    I know this seems extreme, but unless you have a really smart IT team dedicated to the security of the information stored in your database, I really don't recommend saving credit card information on your server.

    You could hire a developer to encrypt the data before storing it in a database. You could have someone that is an expert in security make sure that the database is as secure as possible. That's really my best advice when trying to deal with credit card information yourself.

    This is why we have add-ons for payment gateways, and why we recommend them.

    Posted 12 years ago on Thursday August 2, 2012 | Permalink
  5. Thanks,

    So do you mean using the Add-on - the Authorize.net add-on - that this is solved? (we were going to go that route, using an add-on that is).

    Posted 12 years ago on Thursday August 2, 2012 | Permalink