Best practice: Don’t add credit card fields to forms in Forms Manager

This article refers to our legacy product, Forms Manager. For the best Finalsite experience, we recommend using our newest product, Forms, which is already available to you in your modules list. To learn more, please review our New Forms FAQ or Compare Forms and Forms Manager.

In order to comply with Payment Card Industry (PCI) data security standards, the credit card payment element of online transactions is distinct from the forms themselves. If a form is set up to collect a credit card payment, users click "Submit" and are then brought via a secure connection to a separate, short form where they fill out their payment information. If you've ever bought something from Amazon or most other e-commerce sites, you'll be familiar with the separated form process. This compartmentalization allows the transaction details to be contained entirely within an isolated, secure environment, while the other form response details remain available on your server to be logged and reviewed at any time.

One thing that you might do to ease the users' transition between these two forms is to change the text of the Submit button on your form to read something like "Continue to Payment." To find out how to do this, see our Knowledge Base article Change the text of the Submit button.

Note: Do NOT add text fields to your forms meant for users to enter their credit card information. Forms Manager will store these values unencrypted, which can lead to major security issues.

The separated-forms procedure has been thoroughly tested for security, speed, and convenience. Using this method, your users' credit card data and personal information is never exposed via an unsecured connection and PCI compliance is maintained. If, on the other hand, you simply create text-entry fields on your form to capture credit card numbers, it is possible that that data could be read by a third party. (Think of a user sitting at a coffee shop and using an open wifi connection to make a purchase from your site. There is a chance, however remote, that another customer with the right software could eavesdrop on your user's interactions with your website. Without a secured web connection, all of the information on your user's purchase could be read by the eavesdropper!)

The law is not often clear on these sorts of issues, but it is entirely possible that your institution would be liable for any financial loss incurred by a user whose identity or payment information is compromised in this manner. This is a mistake that could be very costly! For these reasons, Finalsite insists that all credit card transactions take place through the established payment gateway. Fortunately, setting up a payment gateway is an easy process. Read the Knowledge Base article Enable payments on a form for further details on how to set up payments on your website.

Was this article helpful?
3 out of 3 found this helpful



Please Sign in to leave a comment if you don't see the comment box below.