I'm working on something that would take payments (via credit card) from within a desktop application. Is that weird? The purchase is for something physical that would be received via real mail (which the application helped make).

It's not that it wouldn't be secure or anything like that. I'm not going to store the payment information -- just keep a record that it happened successfully.

I suppose I could make it so users would have to buy credits on the website and those credits would show up in the desktop app version as well as online. But that seems like an extra step for some users. I also don't want to hide the real cost of the service from users by saying "$10 is 382 credits and one use of the service is 342 credits" or anything like that. Associating cash cost with the product is fine.

Thoughts? Am I over-thinking this?
You're not over-thinking it; the web has trained people to trust it with their credit cards, while your application has to establish itself anew.

The best thing you can do is mimic the visual cues of browser security and put a big fat golden lock somewhere on the screen, and show other cues of encryption in use (say, show a certificate verification dialog.)

Of course, use OpenSSL! This goes without saying. Don't fake security if you're sending sensitive stuff in plain text.

Just to be sure your users don't have a keylogger (especially on Win32), provide an on-screen keyboard/keypad and accept input only through that, or encourage it over the actual keyboard. The more security hoops people jump through the better they like it, at least I do.
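The comment above makes the point that the padlock is only honest if the connection behind it actually verifies the server. The following is an added example, not code from the thread or from any commenter: a small Python client helper for a desktop app that sends a payment record to a hypothetical HTTPS endpoint. It builds a TLS context that checks the CA chain, the hostname and the minimum protocol version, refuses to send anything over plain HTTP or through a context in which verification has been switched off, and shows the weakened configuration beside the correct one so the pre-flight check has something to reject. The endpoint URL and the receipt payload are constructed placeholders.

```python
import json
import ssl
import urllib.request

# Added example (not from the thread). The endpoint and payload below are
# constructed placeholders; the point is the TLS configuration, not the API.

MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_payment_context() -> ssl.SSLContext:
    """Client context that verifies the CA chain and the hostname.

    create_default_context() already sets CERT_REQUIRED and check_hostname,
    and loads the platform trust store; we additionally pin a floor on the
    protocol version so an old server cannot negotiate TLS 1.0/1.1.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The 'just make the certificate error go away' configuration.

    Shown only for comparison: with hostname checking and CA verification
    off, the connection is still encrypted but could be to anyone, so a
    lock icon drawn over it would be the fake security the comment warns about.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check run before any card data touches the wire."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= MIN_TLS   # TLSVersion is an IntEnum
    )


def post_receipt(url: str, payload: dict, ctx: ssl.SSLContext,
                 timeout: float = 10.0) -> bytes:
    """POST a JSON record, HTTPS only, and only through a verifying context.

    Both guards raise before a socket is opened, so a misconfiguration fails
    loudly in development instead of silently shipping data in the clear.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send payment data over a non-HTTPS URL")
    if not context_is_safe(ctx):
        raise ValueError("refusing to send payment data: TLS verification is off")
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample: the app records only that a purchase succeeded,
    # never the card details themselves.
    receipt = {"order_id": "ORDER-PLACEHOLDER", "status": "paid"}
    ctx = make_payment_context()
    print("context safe:", context_is_safe(ctx))
    print("weakened context safe:", context_is_safe(weakened_context()))
    # post_receipt("https://payments.example.invalid/receipt", receipt, ctx)
```

Whether the card form lives in the desktop app or in a browser, the server-side check is the same: the certificate must chain to a trusted CA and match the hostname, and the client must refuse to continue otherwise. The pre-flight function exists because the most common way such a client gets broken in practice is a developer disabling verification to silence a certificate error during testing and never turning it back on.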
If you're going the credits route... why not just say "Your account has $10"? No need to rename it to credits or anything like that.

Also, desktop online casino apps seem to open a browser on the payment page. Maybe you could do something like this?
I suppose it comes down to human psychology. People are more used to entering CC info on a secure site (https, padlock icon, all that) rather than in their desktop apps. Maybe the easiest solution would be to send users to a secure URL?