I need to take credit card payments with physical cards swiped in an ASP.NET MVC app.
The easiest approach would likely be to have a simple "keyboard-wedge" swipe (USB nowadays), so that the track data gets sent as keyboard input to a password-type input field.
I have some security concerns with this method, though:
I have some ideas of possibly better options, but I am not sure if they are feasible:
I am looking for some feedback and ideas on good ways (reliable and secure) to accomplish this (I plan to also contact some payment processors to see what I can find out from them).
Thanks.
I have contacted several payment gateways and credit card swipe companies and here is a fairly simple way to accomplish end-to-end encryption with credit card swipes in an ASP.NET app:
1) Use a swipe like an IDTech IDRS series swipe (keyboard wedge type - not HID): http://www.idtechproducts.com/download/swipe-readers/doc_download/166-user-manual.html
2) Send the swipe to the processor / gateway, who will inject their encryption key into the device.
3) After configuring the swipe properly, it will send the swipe data strongly encrypted as keyboard input, which you can then pass from the client-side JavaScript over to the server, which in turn sends it to the payment gateway, which decrypts and processes the data. The swipe will also send certain portions of the data unencrypted (such as the first and the last 4 digits of the card number).
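
One way to handle the client-side part of step 3, as an added example that is not part of the original answer: the keystrokes from the wedge are buffered in memory instead of landing in a form field, then posted to the server as one opaque encrypted blob. It assumes the reader ends each swipe with Enter and sends characters only a few milliseconds apart; `createSwipeCapture`, its thresholds and the `/payments/swipe` endpoint are hypothetical names.

```javascript
// Added example: capture keyboard-wedge output without putting it in an input field.
// Assumptions (not from the page): the reader terminates a swipe with Enter and
// emits characters less than maxGapMs apart; minLength is an arbitrary floor.
function createSwipeCapture({ onSwipe, maxGapMs = 50, minLength = 32 }) {
  let buffer = [];
  let lastTime = null;

  function reset() {
    buffer.length = 0; // drop the captured characters as soon as possible
    lastTime = null;
  }

  // Feed every keydown here. Returns true only when a complete swipe was delivered.
  return function handleKey(key, timeMs) {
    // A human-speed pause means the buffered keys were not one device burst.
    if (lastTime !== null && timeMs - lastTime > maxGapMs) reset();

    if (key === 'Enter') {
      const complete = buffer.length >= minLength;
      if (complete) onSwipe(buffer.join(''));
      reset();
      return complete;
    }
    if (key.length !== 1) return false; // ignore Shift, Tab, arrow keys, etc.
    buffer.push(key);
    lastTime = timeMs;
    return false;
  };
}

// Browser wiring for a page that is only waiting for a swipe.
if (typeof document !== 'undefined') {
  const capture = createSwipeCapture({
    onSwipe: (blob) =>
      // The blob is already encrypted by the reader; the server only relays it
      // to the gateway. Hypothetical endpoint; add the app's anti-forgery token.
      fetch('/payments/swipe', {
        method: 'POST',
        headers: { 'Content-Type': 'text/plain' },
        body: blob,
      }),
  });
  document.addEventListener('keydown', (e) => {
    capture(e.key, e.timeStamp);
    e.preventDefault(); // keep swipe data out of focused fields and autofill
  });
}
```

On the server side, the matching action should forward the blob to the gateway as received and keep it out of request logs and model-binding error messages.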