Payment Gateways
From Jomres v4 manual
Introduction
Jomres can use multiple payment gateways. By default it comes with PayPal; "form", which is a simple form for taking and storing credit card details on the server; and "cheque", which outputs the property's address details for paying by cheque.
Before I go on, I must stress one thing: I don't like the "form" gateway; I only provide it because that's what people demand. Whilst it does store the credit card details in a blob in the database, I firmly believe that it's bad practice to store any client's credit card details on your own server, and if you can avoid it, do so. Payment gateway services have much more experience of storing such details securely, and if you can, you should always try to use a service such as PayPal. I'm not going to refer any more to the "form" gateway, as I hope to discourage people from using it.
Gateways in Jomres
As I said before, Jomres comes with PayPal by default, but it can use others. You could create your own, but it takes time and requires that you understand how the individual payment service's API works, so the better option is to purchase one ready-made. A company called OSDCS creates gateway plugins for a variety of different Joomla components, including Jomres, and to date they have 16 different gateways for Jomres.
Making your own gateway
This isn't a discussion on making gateways; there are too many differences between gateway services to write a generic set of instructions. If, however, you do want to create your own, you should refer to the Gateway Aide Memoire, which lists each of the files in a gateway and what they do.
Storing credit card information in Jomres
Regarding storing credit card details on your own server, I'll quote myself from the forums:
I think it's an extremely bad idea to store credit card details on your server for security reasons, so the "form" handling in Jomres only provides the most basic of functionality (although the data is stored as a BLOB so it should be quite difficult to retrieve).
Apologies to those who'd like to store card details on their servers, but it's not unusual for Joomla servers to be hacked and it's just too risky to store that information on your own box.
Use a payment gateway, send the request to a PCI Compliant gateway service, let them worry about something that you're extremely unlikely to be an expert in: server and data security.
PCI Data Security Standard
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
"The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data."
The Real Cost of Data Breach
http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
"the U.S. National Archives & Records Administration reports 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately."
"you might think that at least small merchants are safe because hackers and thieves only target big businesses with high sales. Unfortunately, you’d be wrong. Thieves know that large businesses have the resources to spend on sophisticated security systems and instead target smaller merchants where security is likely to be less effective."
"The bottom line? The cost of a data breach for a Level 4 merchant averages $36,000 and can be as high as $50,000 (or more). In other words, more than enough to cripple—or even destroy—a small business."
Please, if you can talk your clients out of it, try to convince them that it's smarter to use a payment gateway.

