2

I'm a freelancing web developer and want to offer clients a complete setup of all services, including account creation and service subscription so I can give them the end product without them having the headache of setting up the services. For that I will need their credit card info.

What is the safest way to acquire this info? Communication is done via email, so I was thinking that sending a zipped image with the info might work.

What do you think?

1
  • "For that I will need their credit card info" - Are you implying that you will then use "their credit card info" to pay/subscribe to these services on their behalf? In what locales are you expecting to do business?
    – MrWhite
    Commented Jan 2, 2022 at 22:38

4 Answers

6

A zipped archive is only helpful if it is encrypted with a password, and the password is not sent via email. As well, the customer would need to ensure they're following the instructions exactly to get it working. Does their OS support the latest encryption algorithms that an external program (i.e. WinZip or 7-Zip) supports? If not, you'd also need to walk them through installing the extra programs.

In reality, I see two ways to go about this if you're adamant about obtaining their credit card information: through a payment processor, and not-at-all.

Payment processors (i.e. Moneris, Global Payments, PayPal, etc.) take on the security burden, and deal with the encryption required. They will take a small percent off the top, but you will have money, and the customer has security. Win-win!

If you are purchasing services on behalf of a client, I would suggest getting payment up front (and obviously with a bit of markup - what happens if they don't pay you or forget for a month?), and then purchasing the services. If you're doing web hosting, there are many top-tier solutions to manage this part for you (i.e. cPanel).

After the services are running and the client has paid, I would send them instructions on how to add their CC information to the payment portals, removing you from the accounting side of their account.


A BIG WARNING HERE: You mention you only deal with the customers over email? How do you know they're really who they say they are? You are taking a big risk by offering to handle everything for this client without meeting them in person. I would suggest taking a few precautions, such as only getting services for as long as you can afford (for if/when they don't pay), or even using a temporary credit card number (Visa offers this service, not sure about others) that has a preset limit on how much can be spent, even though it goes to your main credit card.

You also do not want to become involved in any sort of scam with stolen credit cards. The less you deal with their credit card on your end, the better. If you can avoid taking the credit card number during the transactions, the better you'll be!

2

1Password recently released a feature to share a login credential with anyone. You could recommend they set up an account there and then share the card information with you there for X amount of days.

https://support.1password.com/share-items/

0

Since we probably can't dissuade you from doing this, the two safest places for files today are Google and AWS.

You can use something like Google Forms to safely collect that data, just make sure that you keep the answers private and only share the form with the clients.

That way you get:

  • a safe way of collecting the credit card information
  • the data is stored in Google Drive, super safe
  • you can access it safely and maybe move that to something even more secure, like 1Password, LastPass or Google Passwords, and then delete it from the form answers.

Zip is not encryption, and removing the extension is not encryption. That's not safe, and someone with IT knowledge (not even a hacker) can crack that open half blind.


Now, with all of that said, know that you are carrying a HUGE responsibility. If any one of those clients happens to be a victim of fraud and gets their credit cards cloned or finds any unusual transactions, they will naturally be suspicious of you.

  • On top of that, banks nowadays have very robust safety measures against stolen credit card information, so you will probably not even be able to get those cards to work, even with the client's consent.
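
The first and third answers both turn on whether a zip's entries are actually encrypted, and with which algorithm; that can be checked from the archive's headers without the password. The following is an added example, not part of any answer on this page: it classifies each entry as unencrypted, legacy ZipCrypto, or WinZip AES. The function names and the sample archives built by `make_sample` are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG = 0x0040      # bit 6: PKWARE "strong encryption" (not analysed here)
AES_METHOD = 99      # compression-method value WinZip uses to mark AES


def classify_entries(data: bytes) -> dict:
    """Map each member name to 'none', 'zipcrypto', 'aes' or 'other'."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():          # reads headers only, no password
            if not info.flag_bits & ENCRYPTED:
                kind = "none"
            elif info.compress_type == AES_METHOD:
                kind = "aes"
            elif info.flag_bits & STRONG:
                kind = "other"
            else:
                kind = "zipcrypto"          # legacy cipher, known to be weak
            result[info.filename] = kind
    return result


def acceptable(data: bytes) -> bool:
    """True only if the archive is non-empty and every member is AES."""
    kinds = classify_entries(data)
    return bool(kinds) and all(k == "aes" for k in kinds.values())


def make_sample(flags: int, method: int) -> bytes:
    """Constructed input: one-file archive with patched header fields.

    Only the central-directory metadata is rewritten; the payload is
    dummy text and is not actually encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("card.txt", "dummy, not a real card")
    raw = bytearray(buf.getvalue())
    cd = raw.find(b"PK\x01\x02")            # central directory file header
    struct.pack_into("<HH", raw, cd + 8, flags, method)
    return bytes(raw)
```

Member names are readable without the password for both ZipCrypto and WinZip AES entries, which is what lets this check run on receipt. An `aes` result says nothing about password strength or how the password was delivered.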
0

In the past, when I've done this (rarely)....

All the CC info, i.e. name, expiration, address is sent via email except the last 4 digits of the CC and the CVC security number.

Then a text message is sent with the last 4 digits and CVC number.

If all the information is not in one place, it's more difficult to hijack. If someone were to hijack the email or the text message, they'd be missing critical parts.

I do this for logins as well: send me a link and username via email, but text me the password.
