Sending credit card information to node


So I am thinking of using DIBS payment

dibspayment

So I found this Node wrapper for it: DIBS API wrapper for Node.js

However, this would require me to send credit card information through a POST request to my Node server.

My question is: Is this safe? And if not, how do I make sure it is safe, so that the request cannot be hacked by unwanted parties?


Best answer:

They provide a so-called "hosted payment window" (http://tech.dibspayment.com/D2/Hosted). In that case all data will be sent directly to DIBS without going to your server. It's the preferred solution for most applications.

If you want to send credit card data to your server, you will need to make sure that it cannot be leaked (see https://www.pcisecuritystandards.org/). It's a big subject (in general, it's mainly about your server and network infrastructure).

Answer:

The standard practice for merchants handling CC info, if they do so at all, is (a) encrypted in transit (so unencrypted connections or fallback to insecure protocols, e.g. SSL3, must be disabled) and (b) not stored at all anywhere: not in your database, not in any logs; make the transaction and ensure that the full CC info is destroyed or anonymized, e.g. the middle-6-digit replacement with asterisks that you might have seen often.

The even more common practice is to ensure that you and your systems never ever see full cardholder data, and you delegate the secure processing to someone else.

Answer:

I've not used DIBS, but I have used Stripe.

I assume DIBS will do this the same way. This is because you can't accept credit card details over the internet unless your company has been accredited, and from what I can gather this can cost thousands.

Basically, credit card information is NOT sent to your server. Instead, the JavaScript library that comes with, say, Stripe sends the data directly to Stripe (IOW: bypassing your server). Stripe then returns a token, this token is then sent to your server, and it's this token you then use to debit money etc.

This means that there is never any credit card information sent between you and your users' browsers. It's an important distinction, because unless you're accredited it's illegal to store any credit card information on your server, and this includes in-memory storage.

A quick look at DIBS, and it appears it doesn't do it this way. So a word of warning: if you handle CC details you had better check your local laws on this; it even says this on the DIBS website:

"It is the responsibility of the webshop to comply with current legislation. If you are unsure if your webshop contains the required information, please contact your acquirer(s)."

Get the above wrong and, depending on what country you're from, you could receive a heavy fine, or even worse. :)

Update: as @Peteris has mentioned, DIBS does offer the hosted option. This then works similarly to Stripe: card details are sent to DIBS, and then the DIBS server contacts your site.