Adding a secure form to a website...?

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
With no training in web development or HTML, I only have a basic understanding of HTML. I occasionally make minor changes to my employer's website (a local cableco).

We want to add a form to the site so customers no longer need to complete a physical paper form to configure automatic payments. I've been asked if it’s something I can do with minimal expense, or if we have to pay someone outside the company.

Customers would submit sensitive data using this web form (personal info, bank account number or CC number), so it has to be secure / encrypted. If I understand correctly, we need a security certificate from a 3rd-party authority. Our NOC can install the certificate on the web server. Out of curiosity, I checked VeriSign’s site and it's several hundred dollars for the cheapest option.

Questions:

1) Is it foolish to do this myself?

2) What other certificate authorities are supported by all major browsers?
(IE, Firefox, Safari, Chrome, Opera, Mobile Safari, etc)

3) Which certificate authority is the most affordable?

4) If there are no affordable certificates, are there cheaper options, like re-directing to a certified third-party?


Thanks!
 
Last edited:

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Yes, under these circumstances and given that your employer is a cable company that collects consumer financial information, it is foolish to try to do this yourself. My recommendation is to hire some professional help.

Bear in mind that the certificate and encrypting the transmission of the data is only part of the overall problem. What do you do with the data on the back end? Where do you store it? How is that store protected? What procedures are in place to assure that the information consumers send in is never compromised? This stuff isn't hobbyist territory any more.
 
Last edited:

Saint Nick

Lifer
Jan 21, 2005
17,722
6
81
If I were you, just set up a PayPal portal. They'll handle the encryption for you and the payment processing. It doesn't really get any easier than that.
 

AyashiKaibutsu

Diamond Member
Jan 24, 2004
9,306
3
81
You're going to need to get into the code side of their webservers to setup something like that. It's not something you're going to get done just changing some HTML.

This seems like something along the right lines: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.encrypt.aspx

I don't have to do any encrypting on the website I maintain/write so I don't know if that's actually good enough for something you're looking to do.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Bear in mind that the certificate and encrypting the transmission of the data is only part of the overall problem. What do you do with the data on the back end? Where do you store it? How is that store protected? What procedures are in place to assure that the information consumers send in is never compromised? This stuff isn't hobbyist territory any more.

We already have an industry-standard billing system that processes the transactions and stores the billing info. The submitted info simply needs to reach a specific individual in our company (the same person who receives the written form). This person would enter the info into our existing system the same way it's done with the paper form. The only thing I need is a secure way to get the submitted info directly to that person. Our site won't actually process transactions or archive the data.

I assume the paper forms get filed away somewhere. In that case, it would make sense to print the submitted data, enter it into the autobilling system, file the hard copy along with the written forms, and purge any digital copy.

You're going to need to get into the code side of their webservers to setup something like that. It's not something you're going to get done just changing some HTML.
It's not a big deal for our NOC to purchase the cert and install it on the webserver. I just want to know if it's cost-effective.
 
Last edited:

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
godaddy is a pretty cheap option for certs. The standard pricing they offer is cheap, BUT if you look around there's a 'compare' link or something on their site which will give a significant &#37; off. Or google it. :)
 

Ka0t1x

Golden Member
Jan 23, 2004
1,724
0
71
I think you'd be crossing the lines of PCI compliance if you needed to even store the record for, a few minutes.

I think this is the point Mark was trying to make. You can't just submit a form and NOT process/store the data for later use.

Even though this sounds like a small shop, you still need to be very careful with the type of data you're wanting to collect.
 
Last edited:

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
You're a bit confused, so I'll clarify: We already have an industry-standard billing system that processes the transactions and stores the billing info. The submitted info from this form simply needs to reach a specific individual in our company (the same person who receives the written form). This employee would enter the info into our existing system the same way it's done with the paper form. The only thing I need is a secure way to get submitted data to that individual in our company. I don't need to process or archive the data.

As Ka0t1x pointed out, you do need to store and process the data. Or at the very least process it. I'm not trying to analyze your requirements here, but based on what you've told me you don't possess all the skills needed to do this task in a secure manner. If your employer happens to be a public company then the straight answer is you can't do it. They'd get SOX shoved up their tails at the next audit. If it's a private company with much in the way of assets to lose, and they let you do it, then they're big risk takers.

Anyway, I'm repeating myself. That's my professional opinion.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Thanks, everyone. I'll see if there's a way to get the auto-payment stuff added to our online bill-pay site (already secure, managed by a 3rd party).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I think you'd be crossing the lines of PCI compliance if you needed to even store the record for, a few minutes.

I think this is the point Mark was trying to make. You can't just submit a form and NOT process/store the data for later use.

Even though this sounds like a small shop, you still need to be very careful with the type of data you're wanting to collect.

It could be really simple if you just attach a printer to the server and have the web form print the data without ever saving it. =)
 

CurseTheSky

Diamond Member
Oct 21, 2006
5,401
2
0
I'm a web programmer / developer, and I'm responsible for creating and maintaining forms (both secure and insecure) on literally tens to hundreds of websites.

To answer your questions:

1) Is it foolish to do this myself?
That depends. If you're comfortable with programming in general and have just never dabbled in web programming, it's not all that difficult to do. You will probably need to setup your own databases, then create the form, and finally install all necessary certificates / other software. If you're not comfortable with programming or only have basic knowledge of it, leave this for a pro.

2) What other certificate authorities are supported by all major browsers?
(IE, Firefox, Safari, Chrome, Opera, Mobile Safari, etc)

I can't say for sure, but I'd imagine all of the major certificate authorities.

3) Which certificate authority is the most affordable?
Again, I can't say for sure, but I'd imagine they're all around the same price. I do the programming, I don't deal with billing.

4) If there are no affordable certificates, are there cheaper options, like re-directing to a certified third-party?
That's opening a can of worms. As others have said, there's more than just securely capturing the customer's information. You have to either process it immediately and then discard it (not recommended - what if there's a hiccup in your system, or in a third-party's?), OR you have to have a way to secure customer data on the back end (databases). There's a lot more to the picture than just creating a secure form. On the other hand, you could always use something like Paypal to handle the billing, but you STILL need to keep customer data (name, address, etc.) safe somehow.

In general, here's how I would look at it. This should help you decide whether or not you should tackle this yourself:

- Create necessary databases / database tables to store customer and / or transaction data
- Create HTML form using a server-side language (such as PHP) to write customer data to database; use Javascript (not recommended) or server-side language to do error checking (incomplete fields, email address / telephone not valid, etc.)
- Install SSL certificate from authorized reseller
- Setup service such as Authorize.net to process credit card information
- Ensure security measures are taken to keep customer data safe; if your company already stores customer data in a database, great, it should be handled - but you have to figure out how to interface with that server / database, or secure the web server to ALSO store information

Good luck. PM me if you have any questions.
 

Ka0t1x

Golden Member
Jan 23, 2004
1,724
0
71
If they already have a billing system I'm sure the vendor has a plug-in or API style way of customer self-service.