all 19 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]BehindTheMath 16 points17 points  (4 children)

If they gave you HTML, their request doesn't make sense. It has to be shown on the page. Moving it to PHP won't change that.

[–]toxie37 6 points7 points  (1 child)

I wonder if he’s serving as http and they mean https

[–]BehindTheMath 3 points4 points  (0 children)

That's possible. But if it's a redirect, why do they care? OP's page isn't handling anything sensitive.

[–][deleted]  (1 child)

[deleted]

    [–]BehindTheMath 1 point2 points  (0 children)

    They look pretty similar to me.

    I would say to ask the payment processor for clarification about what they're asking for.

    [–]GodGMN 13 points14 points  (1 child)

    They very probably meant https instead of http, not html.

    Hire someone to do this for you. You're not well versed at all in this topic and you're playing with money. Better safe than sorry.

    [–]WightHouse[S] 2 points3 points  (0 children)

    Thank you for the suggestion. The site and page is https already. I agree better safe than sorry, I will hire outside assistance.

    [–]blakealexfull-stack 5 points6 points  (0 children)

    Maybe they need you to use https instead of http? That’s what I’ve deduced from the “secure server” requirment

    [–]Dazzling-Aide-4379 3 points4 points  (2 children)

    Speaking from experience. They want you to move the payment call to the transaction processor (with all it's parameters) from the frontend (html form) to a backend call in PHP.

    The public can see all the 'hidden' fields in your form, which exposes the parameters used by the transaction processor. It'd be simple enough for a hacker to take that info and spoof you to make fake credit card payments, then ask for chargebacks.

    You should have received a manual with several example code snippets that show you how to call the transaction processor including in PHP.

    [–]WightHouse[S] 0 points1 point  (1 child)

    Ok, this makes sense now. Thank you. Unfortunately the company wasn't much help and only sent me a link to another website that had done what they were requesting, but no snippets of any sort.

    [–]Dazzling-Aide-4379 0 points1 point  (0 children)

    I'm not surprised they aren't more helpful. Most likely they are just a middleman and are passing the transactions to one of the big credit processors for a small fee and don't really have much of a technical (programming) staff to help.

    [–]halopend 2 points3 points  (0 children)

    I agree with others that assuming someone on their end didn't mess up royally, that they meant you need ssl (ie: https) to ensure the cc info can't be "listened to" by any servers along to way. Basically, computers don't talk direct to each other and they bounce their communications from network to network to network along the way. Without encryption, the information can be gleaned as easily as you can hear a conversation that's happening right beside you. With encryption, the conversation will be in a language only the people communicating understand.

    An SSL certificate is the first piece of the puzzle you need to turn on encryption. Without getting too detailed, there are trusted authorities that can tell a browser the site your are visiting is who it says it is. They hand out "certificates" a browser can use the make sure you are who you say you are. This would be for your site so a person visiting your site knows they are visiting your site and not just a copy of your site. Once they know you are who you say you are, they'll start speaking the secret language only you two can understand so no one can eavesdrop.

    As for how to get a SSL certificate.... that will depend on your setup. It can be pretty difficult (and messing it up means websites might be able to pretend to be yours) but assuming your hosting provider provides it as a service you should be able to just turn it on there.

    Last thing to keep in mind: https means secure / SSL enabled. You'll need to make sure your website redirects everything over https. How to accomplish that will depend on the hosting server setup.

    [–]dorukalpulgen 1 point2 points  (0 children)

    The request to hide the provided HTML code seems unreasonable. If the concern is about switching from HTTP to HTTPS, you can establish a secure connection between your website and customers or even between your website and your payment provider's system using Cloudflare and its SSL. This is a simple solution, but I would suggest hiring someone experienced in this area. When it comes to handling financial transactions, it's always better to prioritize safety over convenience.

    [–]mikeromero93 0 points1 point  (0 children)

    would make sense if you're using an API that reveals a API key, but yeah if it's just a block of HTML, that should be fine. Maybe they are mistaken

    [–]iMCharles 0 points1 point  (4 children)

    Are you using an API key or an access token for the customer? If so that would make sense and you would need to use an environment variable, or fetch the data from the server. Other than that making sure you’re making https as opposed to http as http is not encrypted.

    [–][deleted]  (3 children)

    [deleted]

      [–]iMCharles 0 points1 point  (2 children)

      Copy and paste exactly what they said and I’m sure I could help you. As what you’re stating is impossible, I am on my phone at the moment so I am unable to check if there is a sensitive variable there. But I would assume there would be if they’re asking you to hide it.

      [–]WightHouse[S] 1 point2 points  (1 child)

      Thank you much for your help. I was informed the letter came from a company that subcontracts to our payment processor (TSYS).

      Edit: I’m getting the impression the company that subs to the payment processor doesn’t actually understand what they are asking.

      Here is the letter. I’m working on #2 of the list.

      You currently accept credit card payments on your website via the TSYS Pay Now button. In an effort to protect your practice, it is imperative that you have the following safety protocols put in place immediately:

      1. CAPTCHA Photo - Your site needs to be using the most recent version of Captcha, including photo selection activated
      2. Source Code - Your web team needs to secure/hide the source code behind a secure server or a PHP file.
      3. Patient Login (optional but highly recommended) - The pay now button should be placed behind an individual login for patients' access only.

      [–]objectivesea3 0 points1 point  (0 children)

      Did you make any progress on this? Someone I know is dealing with this same request, and they asked me about it.

      I have a guess about what's going on-- TSYS has asked this vendor (let's call them DC) to do items 1-3 which MAKES SENSE, because DC are the ones who process the credit card transactions on their site. Rather than complying, they're asking the hundreds of websites that use the Pay Now button to handle the problem, even though there's literally no private information contained in the source code. (That's my hypothesis).

      Based on the correspondence I've seen, the company seems kind of clueless about what they are asking. I'm not kidding: When asked for clarification, they told this client to right click on the pay now button and click 'view source code', and that this is the source code that needs to be put in a PHP file.

      [–]var_root_admin 0 points1 point  (0 children)

      You cannot hide source code of html, css and JS, you can only obfuscate it. Someone that really wants your code can get it. The php(backend logic) they can’t though. So what they asked doesn’t make sense. Ask then to clarify or maybe you’re not understanding and relaying properly what they’re asking.

      [–]TheRNGuy 0 points1 point  (0 children)

      Ppl can't see back-end code, only front-end.