HighDots Forums  

Best way to do secure donations?

Website Design comp.infosystems.www.authoring.site-design


#1
Mike
Best way to do secure donations? - 01-30-2004, 10:09 AM

Hi all,

I'm going to be setting up a donation system for a nonprofit client,
and I was originally thinking of basing it on a shopping cart system
to make it easier for them to upgrade, but I was thinking something
simpler would be better.

Basically, all they need is something small and secure to either send
them a (preferably encrypted) email with the basic contact
information and credit card information or have it hide a protected
file with that information somewhere on the server and send them a
notification email. They have their own credit card processing, so
PayPal won't work.

Any ideas!

Thanks!

#2
Mike
Re: Best way to do secure donations? - 02-01-2004, 07:24 PM

Anyone?

Actually, I should probably clarify this. It doesn't need to be
anything fancy, what I'm looking for is a SSL-capable encrypted
Formmail. :-) PGP would be nice, but if not, sending the information
in two bunches would be good.

wpalco124 (AT) techie (DOT) com (Mike) wrote:
Quote:
I'm going to be setting up a donation system for a nonprofit client,
and I was originally thinking of basing it on a shopping cart system
to make it easier for them to upgrade, but I was thinking something
simpler would be better.

#3
William Tasso
Re: Best way to do secure donations? - 02-01-2004, 07:52 PM

Mike wrote:
Quote:
wpalco124 (AT) techie (DOT) com (Mike) wrote:
I'm going to be setting up a donation system for a nonprofit client,
and I was originally thinking of basing it on a shopping cart system
to make it easier for them to upgrade, but I was thinking something
simpler would be better.

Anyone?

Actually, I should probably clarify this. It doesn't need to be
anything fancy, what I'm looking for is a SSL-capable encrypted
Formmail. :-)

Not too sure what you mean but once you use SSL any form will be encrypted.

Quote:
PGP would be nice, but if not, sending the information
in two bunches would be good.

That works - you send the form over https and then process as pgp mail -
assuming you have a SSL cert and PGP on your server.

I have one client using exactly that process to collect confidential
information.
--
William Tasso




#4
Mike
Re: Best way to do secure donations? - 02-02-2004, 09:46 AM

"William Tasso" <news27 (AT) tbdata (DOT) com> wrote:
Quote:
That works - you send the form over https and then process as pgp mail -
assuming you have a SSL cert and PGP on your server.

OK, cool! I think I'll probably do that: run formmail on https. I am
running PGP but not overly familiar with its web integration
features. How would you export the formmail to PGP and then have it
send?


#5
William Tasso
Re: Best way to do secure donations? - 02-02-2004, 11:32 AM

Mike wrote:
Quote:
"William Tasso" <news27 (AT) tbdata (DOT) com> wrote:
That works - you send the form over https and then process as pgp
mail - assuming you have a SSL cert and PGP on your server.

OK, cool! I think I'll probably do that: run formmail on https. I am
running PGP but not overly familiar with its web integration
features. How would you export the formmail to PGP and then have it
send?

Here's how it works on my server.

Form sends data using POST and SSL to Script
Script creates text file
Script calls PGP to encrypt text file
Script mails encrypted text file to target
Script deletes text file

As I said - you must have a PGP engine on your server. I expect details
vary by O/S.

--
William Tasso




#6
Mike
Re: Best way to do secure donations? - 02-04-2004, 05:50 PM

"William Tasso" <news27 (AT) tbdata (DOT) com> wrote:
Quote:
Here's how it works on my server.
Form sends data using POST and SSL to Script
Script creates text file
Script calls PGP to encrypt text file
Script mails encrypted text file to target
Script deletes text file

What are you using for the script? A CGI? PHP? Or a formmail hack? I'd
be interested in seeing that if it's OK. Or is there a similar thing
available on CGI RS or another site?


#7
William Tasso
Re: Best way to do secure donations? - 02-04-2004, 10:09 PM

Mike wrote:
Quote:
"William Tasso" <news27 (AT) tbdata (DOT) com> wrote:
Here's how it works on my server.
Form sends data using POST and SSL to Script
Script creates text file
Script calls PGP to encrypt text file
Script mails encrypted text file to target
Script deletes text file

What are you using for the script? A CGI? PHP?

ASP / vbScript

Quote:
Or a formmail hack?

I'll just ignore that ;o)

Quote:
I'd be interested in seeing that if it's OK.

You're welcome but it's fairly trivial - the important thing is to get the
certificate and a pgp component/library/whatever installed on your server.

I'm guessing you can cover the certificate - here's some stuff about PGP
http://www.gnupg.org/ that doesn't cost a small fortune.

Whichever PGP engine you use will probably come with an example script or
two. If you're lucky the author may have set up a support forum or similar.

Quote:
Or is there a similar thing
available on CGI RS or another site?

I think it's a fairly common technique. The only other thing I can think to
add is: make sure the text file is saved into a directory outside of your
web space during the PGP encryption, otherwise you risk compromising the
data even if only for a very short period.

--
William Tasso
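
The script-side steps described in this thread (create text file, encrypt with PGP, mail, delete), together with the advice to keep the text file outside the web space, written out as an added Python example; it is not William's ASP/vbScript and not code from the thread. It assumes GnuPG is installed as `gpg` with the recipient's public key imported and trusted; `handle_donation`, `gpg_encrypt` and their parameters are hypothetical names.

```python
import os
import subprocess
import tempfile
from email.message import EmailMessage
from pathlib import Path


def gpg_encrypt(plain_path, recipient):
    """Encrypt a file to the recipient's public key; return ASCII-armored text.

    Assumes the key is already imported and trusted in the server's keyring.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--armor", "--encrypt", "--recipient", recipient,
         "--output", "-", str(plain_path)],
        check=True, capture_output=True)
    return result.stdout.decode("ascii")


def handle_donation(fields, web_root, spool_dir, recipient, sender,
                    encrypt=gpg_encrypt):
    """Write the form data, encrypt it, delete the plaintext, build the mail."""
    web_root = Path(web_root).resolve()
    spool_dir = Path(spool_dir).resolve()
    # The plaintext must never sit anywhere the web server could serve it.
    if spool_dir == web_root or web_root in spool_dir.parents:
        raise ValueError("spool directory is inside the web root")
    # mkstemp gives an unpredictable name and owner-only (0600) permissions.
    fd, name = tempfile.mkstemp(dir=spool_dir, suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            for key, value in fields.items():
                fh.write(f"{key}: {value}\n")
        armored = encrypt(name, recipient)
    finally:
        os.unlink(name)  # runs even when encryption fails
    # Form values go only into the encrypted body, never into mail headers.
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Donation form submission"
    msg.set_content(armored)
    return msg  # hand to smtplib.SMTP(...).send_message(msg) to send
```

Since `gpg` also reads from standard input, piping the form text to it directly would avoid the temporary file altogether.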



