1

I am currently planning a new website for a local car hire company. They want a form where a user can input their personal details, select the car they want to hire and when they want to hire it etc. They do not want to take any form of payment on the website, but still insist on taking the user's credit/debit card details that they will then process on their card terminal at the time of hire when the customer picks up the car.

I have looked into a few options about how to achieve this, but keep stumbling on the card details gathering point. One option I have looked at is using WooCommerce (I am building on WordPress) along with this plugin https://www.wplab.com/plugins/offline-credit-card-processing-woocommerce/.

I am looking for any suggestions on a suitable and secure way of gathering the card details with this reservation form, with or without the use of WooCommerce.

Craig

2 Answers

3

Do everything you can to avoid taking credit card details, especially in the case where you're not actually performing any charges against them. Otherwise, you open yourself up to a whole new world of pain, the least of which is ensuring that your whole system design is PCI compliant.

I would try to find out why they think they need the card number ahead of time. When the customer gets to the physical location, the business will get a lower rate from the payment processor if they perform a card-present transaction, which means it's actually cheaper for them to not collect the number ahead of time. That alone should be enough of an argument to sway them. If they insist on still taking the card numbers offline, hit them with a huge quote to make your system PCI compliant. It is no joke.

Alex Howansky
  • Thanks for your reply. I do want to take this approach you are suggesting, the whole card details part of the form is making me uneasy. I guess it is just a case of contacting them and letting them know this is not the best option. I have looked at the PCI compliancy stuff also and it does look a bit of a nightmare. – Craig Apr 18 '17 at 14:41
  • To add, you will also need to pay a huge sum for the auditing, and a huge sum if found out you are collecting card info without being PCI compliant – frz3993 Apr 18 '17 at 14:48
  • If you have to take cards, use a 3rd party service like Square or PayPal, then the burden falls on them and you're just implementing an API. You could authorize a nominal fee like $10 to reserve the car, then void it when the customer shows up, and give them the option to pay with whatever means they have on hand. – Alex Howansky Apr 18 '17 at 14:50
0

Use a secure SSL connection for a start! Try a Credit Card validator such as https://framework.zend.com/manual/2.4/en/modules/zend.validator.credit-card.html

delboy1978uk