Hi everyone. My company would like to set up a 2 page site with an online order form to purchase a product we are selling. We would like to accept credit cards on here. I know there are sites out there that we can download the script for a shopping cart, but I don't think our server is up to date for the requirements of what these plugins need to work and we don't want to have to pay for a hosting plan. So we were just going to set up 2 simple pages for the customer to choose what they want and a price would go into a shopping cart form where they could enter their credit card information. This page would be an HTTPS page. I'm just wondering if I create a page that is secured this way, is it secure or not? Or do I need to go through one of those web sites that has a shopping cart built already so it's more secure? We were not going to insert this info into a database. We were going to email it to our info email using Cold Fusion. Will that email being sent to us be secure? Does anyone have any suggestions otherwise on how to set up a simple shopping cart? We don't have part numbers with prices. A formula is going to be used to figure out what the price should be depending on what the customer chooses. Thanks.
Hi Andy,
The email you send with the order info will not be secure. You could send an encrypted email but I would not recommend that workflow. I would recommend using a third party service to handle the credit card interaction. The third party will host the payment form and accept the credit card so it never hits your server -- this is important because if your server does see the credit card or host the form where the credit card is entered you will have to go through a more rigorous PCI compliance process. There are lots of credit card gateways that provide this -- I would strongly recommend leaning on the gateway to handle as much of it as possible -- so instead of emailing all the info, you can email some basic info and instruct your user to log in to the gateway to view the order info. You don't need to install a shopping cart on your server to integrate these, and if you do install a cart it is important to keep it up to date (old shopping carts may contain security holes). Here are some options; there are loads more but these are among the most popular:
https://www.braintreepayments.com/features/drop-in
https://www.braintreepayments.com/features/hosted-fields
https://stripe.com/checkout
https://stripe.com/docs/stripe.js
https://www.paypal.com/
I can't +1 what Pete says here enough. Avoid doing this in-house like the plague. The infrastructure and checks and balances you need to securely process credit cards in-house would far outweigh any costs you might incur using a third party for payment processing. I've used both Stripe and PayPal and both work very well with ColdFusion.
Thank you very much for all the info. I am thinking of using that stripe.com site. I haven't signed up with our bank account info yet, but I was just trying to make a page have the HTTPS connection. How do I do that? I see the SSL certificate we have on our order pages, but I need to create a different shopping cart under our same domain name. I have this code below on a test page, but the HTTPS does not display in the address bar:
<title>Test Order Page</title>
<form id="payment-form" action="test_elastomer_order.cfm" method="POST">
    <!-- the card fields have no name attribute, so the browser does not include them in the POST -->
    <input type="text" size="20" autocomplete="off">
    <span>Enter the number without spaces or hyphens.</span>
    <input type="text" size="4" autocomplete="off">
    <input type="text" size="2">
    <span> / </span>
    <input type="text" size="4">
</form>
I am not sure of your setup, but if you have a working SSL certificate installed on your web server already, you simply have to access the page using https:// instead of http:// in your browser.
Yes, we do have a working SSL certificate. When I look at the info for the certificate it says we have the SHA-1 encryption and our connection uses TLS 1.0.
I set this test page up on our site: http://www.ironwoodelectronics.com/test.cfm. This has a link to the elastomer.cfm page, and I put an absolute path to it like this:
<a href="https://www.ironwoodelectronics.com/elastomer.cfm">Test Elastomer Order</a>
What if we just wanted the user to type this into their address bar: www.ironwoodelectronics.com/elastomer.cfm, and it wouldn't be a link from another page? How do we make it secure then? Is this page secured just because there is an S after the HTTP? Is there something else I have to put on the page to make it secure?
If the page has a certificate and has HTTPS then it will be secure.
If you need the page to be HTTPS when a person visits it directly then you will need to do some form of redirect using the web server to redirect HTTP to HTTPS. This depends on the web server you are using (IIS, Apache, etc.). I would recommend asking whoever looks after your web server to deal with the redirect; a wrong redirect will render the site unusable.
You can set up a redirect on the web server as haxtbh mentioned and that is a good approach; you can also do this in your CFML code at the top of your page:
<cfif cgi.https IS NOT "on">
    <!--- the request arrived over plain HTTP: send the browser to the HTTPS URL instead --->
    <cflocation url="https://www.ironwoodelectronics.com/elastomer.cfm" addtoken="false">
</cfif>
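The HTTP-to-HTTPS redirect the two previous posts describe, as an added example that is not code from the thread, written in Python so the decision logic runs stand-alone. It goes slightly beyond the CFML one-liner: it handles a TLS-terminating proxy (assumed to set the X-Forwarded-Proto header), which is the usual cause of the redirect loop that "renders the site unusable", and it sets an HSTS header so a browser keeps using HTTPS even when the visitor types the bare host name; it assumes HTTPS is served on the default port 443.

```python
"""Decide whether a request must be redirected to HTTPS before serving it.

Added example, not code from the thread: it mirrors the CFML check
  <cfif cgi.https IS NOT "on">
and adds the case the one-liner misses. When TLS terminates at a proxy or
load balancer, the application sees plain HTTP, so a naive check redirects
every request forever. Assumptions: the proxy sets X-Forwarded-Proto on
every request, and HTTPS is served on the default port 443. The URLs used
in __main__ are sample values taken from the thread.
"""
from urllib.parse import urlsplit, urlunsplit

# Once a visitor has reached the site over HTTPS, tell the browser to use
# HTTPS for all future visits, even when they type the bare host name.
HSTS_HEADER = {"Strict-Transport-Security": "max-age=31536000"}


def is_https(scheme, headers, trust_proxy=False):
    """True if the request arrived over TLS, directly or via a trusted proxy."""
    if scheme.lower() == "https":
        return True
    if trust_proxy:
        # Only honour this header when the proxy overwrites it on every
        # request; otherwise a client can forge it and skip the redirect.
        lowered = {k.lower(): v for k, v in headers.items()}
        first_hop = lowered.get("x-forwarded-proto", "").split(",")[0]
        return first_hop.strip().lower() == "https"
    return False


def enforce_https(request_url, headers=None, trust_proxy=False):
    """Return (status, response_headers): 301 to the https:// URL, or 200."""
    headers = headers or {}
    parts = urlsplit(request_url)
    if is_https(parts.scheme, headers, trust_proxy):
        return 200, dict(HSTS_HEADER)
    # Keep host, path and query so deep links such as /elastomer.cfm survive;
    # any explicit :80 is dropped because TLS is assumed on the default port.
    target = urlunsplit(("https", parts.hostname or "", parts.path, parts.query, ""))
    return 301, {"Location": target}


if __name__ == "__main__":
    print(enforce_https("http://www.ironwoodelectronics.com/elastomer.cfm"))
    print(enforce_https("http://www.ironwoodelectronics.com/elastomer.cfm",
                        {"X-Forwarded-Proto": "https"}, trust_proxy=True))
```

With trust_proxy left at its default, a request that reached the app as plain HTTP behind a TLS proxy is redirected again and again; enabling it only where the proxy really does overwrite the header is what breaks that loop.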
Thanks. I used the code you sent on the elastomer.cfm page. It works. Now I just have to figure out how to use one of those e-commerce sites.