My company wants to start a subscription based website and I'm implementing it with a payment gateway.
The problem is, this payment gateway doesn't give me any tools to encrypt the client's credit card information before it reaches our server.
So my question is, how should I handle this very sensitive information?
I don't plan on storing it or anything, just send it straight from the server to the payment gateway for validation.
Are we even allowed to handle plain text credit card information?
I know this is a very open subject, I just want to get directed for somewhere I can read and understand more about this issue.
You’ll almost certainly need pci compliance, and with the setup you’ve described, you’ll need the broadest scoped assessment. Not something you want to approach light heartedly.
If you already have industry standard security in place, then it shouldn’t be a big leap to PCI compliance, but most don’t have that. In general the approach to take is to reduce your scope, you could do this with a third party offering like an iframe or redirect, companies like Stripe offer solutions to do that. In that case you may be able to get away with SAQ A, otherwise you probably need SAQ D. This also depends on your volume, if they’re higher you’ll need a report on compliance (roc), which can be expensive and are needed annually.
You can have a chat with your merchant bank, since they are the ones generally requiring the compliance. They can be very helpful, presuming your service isn’t live.
Check out the pci council website, loads of info on there to get you started.
I'm looking for some feedback from entrepreneurs or developers that have used either Chargify or Recurly to handle their recurring billing.
More specifically, I sell a hardware device that works in unison with a companion application and charge a subscription for the functionality of the companion application. I sell both b2b and b2c. Thus, I need a recurring billing platform that can handle a single unit purchase as well as a 10-20k wholesale purchase and be able to track quantities sold. I've noticed Chargify lacks the ability for me to track quantity. Further, we have highly targeted, customized landing pages on HubSpot and would need the two platforms to integrate nicely.
Has anybody had experience with either of these platforms? What do you like and dislike about the functionality and capabilities? Which do you recommend based off what I would need it to accomplish? Alternatively, is there a different platform that you would recommend?
Regarding "I've noticed Chargify lacks the ability for me to track quantity." - Chargify is able to handle this with what they call "components." Your use case is very common and definitely doable via Chargify.
I am looking for simple analogies to explain windows azure, app fabric, etc to students or layman person. Please let me know if you have any suggestions.
Thanks
N
Well, first I would try and talk about how we used to build and maintain things. Buying our own hardware, building it, programming it, and connecting it to the internet. That's the old way. Then, I would pivot into what cloud service providers are. In a nutshell, they are just somebody else's servers. Usually Amazons, Microsoft's or Googles servers. AWS/Azure/GCP.
Here is a quick youtube video explaining it in layman's terms.
https://www.youtube.com/watch?v=1ERdeg8Sfv4
Cloud service providers offer web portal, a website, where folks can click and build services like storage, backup, DNS, database, more websites, load balancing, and - maybe the most popular - virtual machine hosting.
What makes CSPs so successful is economies of scale. CSPs will build huge data centers and engineer them to provide the kind of services that most businesses need. COntrast that to if every business were to build their own from scratch. There are however lots of challenges to these CSPs, like needing a lot more spare capacity and having to build something that fits everyone as opposed to something that fits a particular user. So, for a small business, whether they save money depends on their use case. You might save more building from scratch, but then you'd have to train and pay folks to maintain your own servers.
One of the most revolutionary benefits that cloud service providers brought into the market is that purchasing additional capacity is much easier and faster. You might have taken weeks to buy hardware and install it at your location. Or if you are renting though traditional suppliers you might take a few hours to let them manually reconfigure things. However they now make everything automatic so you can get a new server within seconds. This have allowed businesses to build their applications to allow them to scale on demand. This means that they pay different amount of money for the services depending on how much they use. This have the ability to reduce costs but it again require more time to develop and maintain the more complex applications.
I'm working on a project where we collect payments from users using credit/debit/PayPal payments.
The service is taking payments from users on behalf of a 3rd party organisation.
Once we take the payment, minus fees, we want to transfer the amount to the organisations bank account.
For now, what we can do is pay the organisation using Online Banking BACS bank transfer.
But I would like to know if there is a way to do this automatically using an API.
If we need to somehow register the 3rd parties bank account details before making transfers, this is fine.
We just want to automate the whole process, since at the moment the transfer is a manual step.
Are there any gateways or APIs I can use for this? In the UK?
As this is still un-answered I'll throw my hat into the ring.
For the benefit of non-UK users, the UK has a central clearing system called Bacs, which is run by the major banks in the country. However, companies can also makes submissions directly to that clearing system, by using Bacs Software.
There are a number of companies that sell on-premise and online services/APIs that allow you to send money directly via Bacs (and collect Direct Debits).
DISCLAIMER: I currently work for a software company (Bottomline Technologies) which sells a Bacs API - I won't mention the product name and to see alternative companies you can simply Google for 'bacs software api'
Hope this helps
You are going in the wrong direction. You should talk to payment processors (which may or may not include your bank) about the business considerations, which probably are more important than the technological considerations. Generally you can expect something somewhat reasonable that you will (after fiddling with it enough) be able to convince to work. It doesn't matter whether this involves some sort of api library, soap calls, or other communication method.
If you honestly consider having the technological considerations more important than the business considerations, then just go with Paypal and don't write your own shopping cart stuff at all. This is easier to use and will do more of the heavy lifting for you, but which will also probably charge you more.
Once you create a real shopping cart and start handling payments yourself (i.e. taking in CC information and sending it to a payment processor), you start getting into a mess of legal and technical concerns involving PCI compliance and the like, which will apply regardless of your choice of payment processor*.
*This is US-specific, but I bet the UK has something similar.
Ok, so I'm building "Web 2.0/3.0" sites to make extra money. I currently run my own personal project sites with some advanced technology in the backend (AI stuff, recommendation system) that I've developed over the years. It's a subscription site for me to make money on the side.
Now, my company (they do web application/software technology, ad network) somehow found out I run several websites. They were like, "Hey Joe, you run so and so websites! Why not put them on our ad network?? The stuff you're doing is a threat to our technology -- we don't want you competing with us on the side. Let us have your websites and put it on our portfolio/ad network."
Ok, basically it seems they want the rights to my technology and personal project. Somehow they must've googled my name and linked it to some projects I'm working on on the side. Is this ethical for a company to do? Trying to own my personal project since it's got some cool technology and trying to own the rights to it? Just because I work for the company doesn't mean I'm gonna make an offer to them, right?
You probably need to consult a lawyer. What were the terms of your employment that you agreed to when you were hired? Was there a non-compete clause? Was there a required disclosure clause?
Depends on your employment contract. Your contract might say something like "anything you do, while in the employ of company XYZ, be it during work or non work hours belongs to us". It's time to talk to a lawyer, not ask StackOverflow, this isn't a technology/programming question.
Ethical? Yes, why not. If you're putting stuff out on the web and they can find it via Google, then why shouldn't they? If you don't want people to find stuff you've done on the web then don't put it on the web or use a robots.txt to hide it from Google. It's not completely unreasonable for them to at least wonder if you may be using technology that you developed while you were working for them.
Legal--maybe so, maybe not. Depends on the employment agreement that you signed when you joined the company. I'd consult an employment lawyer for real advice rather than asking here.
They may have web logs that demonstrate that you were working on your private web sites during work time--if you did so. I'd be very careful in how I proceed if I were you.
check your contract, and/or your state laws and case precedents. Talk to a lawyer.
IMHO it is unethical for them to attempt to take your intellectual property without compensation, even if you have a 'all your codez are belong to us' kind of work-for-hire agreement. But talk to a lawyer, and be prepared to walk, get sued, and countersue, if necessary. Someone trying to steal your lunch money is a bully and a thief, but they may just have a legal claim.
Unfrotunately, this is not a joke. Talk to a lawyer right away.
If what you do in any way competes with what your company does or uses technology, intellectual property, information or contacts that you gained because of your employment with your company, then you may have issues and should check your contract and see a lawyer.
The other side is: did you ever work on your sites (and this can include sending emails and the like) your personal projects at work? If so, you may be in trouble there too.
IANAL so that's all I'll say on the legalities.
You need to consult a lawyer to get a definitive answer to this question. The answer might depend on your employment contract, and the laws in your locale. Don't rely on anything people say on the internet regarding legal matters.
Regardless of whether or not it's within their rights to do so, I think it's unethical and foolish of them to pressure you like this. I imagine they have just lost any employee loyalty you might have had.
I think a proper response could be, "if you think there's ad revenue potential in my websites, make me an offer that reflects their value, and I'll consider it." After all, you started those sites to make money, right?
But first talk to a lawyer, to be sure you're in a position to negotiate.
Well a friendly way to go about it, and that they should probably be willing to accept if they are a reasonable lot, is to buy/lease your technology. This way you can get a nice sum of money for your work (since you mentioned the purpose of this site was to make extra money in your question).
Otherwise (if its a pet project first and foremost) you might as well tell them in a friendly manner that you keep that site as a hobby, and you'd prefer to not share it if thats ok, unless they let you work full time on your and a cut in the earnings, etc... (something most people would love to do, work on their pet projects and get paid a stable salary for it).
As always first try to reason with the other party in a civilized and friendly matter, it'll likely make both parties happier, and it'll be better than taking the legal route most of the time.
I am Not a Lawyer, and the laws almost certainly vary by country/state/province. But if you are working on a side project on your own time, on your own equipment, using only your own network resources, etc., then in my opinion, they have no right to your work.
If you signed some sort of vague non-compete contract, or something that says all the stuff you do on your own time is theirs, then you have less of a leg to stand on.
Your best bet is to ask a lawyer, if there's enough revenue from your subscription base to justify it.
Consult a lawyer! Regardless of your contractual obligations, any company has a right to be concerned if one of their employees is running a direct competitor on the side, especially if they can demonstrate that you have access to privileged information which you are using to compete (knowledge of their technologies, marketing strategy, customers etc).