Credit card info in form that's not processed

My client would like an online form that asks for people’s information, including credit card info. Not to charge on the spot, but to have in case they need to charge it at a later point. It would then be charged offsite, I guess manually. I do not think this is a secure method of getting personal payment info.

What would you suggest is the best method to satisfy the client’s needs?

Oooooh, I’ve had this request before.

I had to look into it extensively for a school that always takes down cc info because too many things change later on in the year with tuition.

From the client’s side, there are aspects they need to have in place. This is not really your problem, but if they’re newish or on the heimish side, it might be good to check. They need a) a very secure place to store this information, and b) they must have legally signed consent anytime they charge the card. The credit card companies/payment gateways may check up on this, so it’s important. If it’s, say, a community kollel with a donor who occasionally says, “I’d like to donate, charge my card” – they can’t just charge it. They must obtain consent.

A user-submitted payment on a website is considered user consent. If the client is charging people from their card info, s/he will need to send them some kind of consent form. You can do this with online signature forms like Docusign, or SignRequest, Adobe eSign, etc.

From your end, it’s sticky. You cannot take cc info through a form that’s not designed for cc info, because it gets stored in your database, sent to email, etc.

In the end, my solution was to integrate a third party API called SendSafely. It sends information in a secure environment so that you can log in and copy down sensitive info.

They have cheaper plans if you use their portal (so direct people offsite). The school I was developing for chose to pay for a Business plan so that we could integrate it directly on their website. It looks like an ordinary form, but it’s all sent through SendSafely. (We asked them if we could have a reduced fee because we only needed 2 out of the 10 users, and they made it $60/mo instead of $100.)

This worked out perfectly for the school, and they now use it for other sensitive documents that shouldn’t be passed via email.

There may be other possibilities, particularly if you are willing to go offsite. Onsite, this was the best I found.

Thank you Penina for sharing your research!!! I really appreciate it.

Docusign, or SignRequest, Adobe eSign, etc. - that’s for signatures? Can this be integrated into the form on site?

SendSafely - Can this be embedded in a WordPress contact form - which ones?

Yes, those are for signatures, and no, they can’t be integrated ☹

There are legal requirements for a legally binding signature that is not simple to obtain within a WP form. The best you can do for that is a plugin by Approveme called Wpesign (I think); it integrates with Gravity Forms and maybe some others, not sure.

SendSafely cannot be integrated into a form plugin. If you’re doing it onsite (the business plan only - the others only allow on SendSafely’s site), they have some sample JS and form code that you can use as a jumping-off point.

For another client with a similar situation…

I just noticed that Gravity Forms has an add-on with their elite plan that allows for signature within the form through a signature field. I wonder if that would be enough legally if there is a note on the form that they are signing to permit usage of the card for later use as needed to pay for the rest of the tuition or camp fees or with more specific details. I will have the client check that out.

My client told me that with USAePay/Banquest (not sure which one because they are related), once a card is charged, they can go into the system and recharge it without needing to get the info from the client again. They don’t know the card info, but the system does.

Therefore, if the above signature field is legally satisfying, then this would solve the problem - as long as they are charging something to start with. (Otherwise the system won’t have the card info.) Unless they can do $0 now to save it for later. I wonder if that would work…

From what I recall, that signature isn’t legally binding – meaning it won’t hold up in court – but it might be enough for a cc company. Not sure.

I will have the client check it out for themselves and not take responsibility. Thanks!