Credit Cards: The callback

So the customer has entered all his/her details, and the payment gateway has subtracted funds (or not) from their card balance. What now?

This is where credit card gateways start to differ. All the good ones have a configurable and secret URL to which the gateway's server communicates the status of the transaction, server to server, back to your server. This is critical. You cannot rely on anything being POSTed back via the customer's browser, since the customer controls it, yet time and time again I see this. For maximum security, you'll need to add the gateway's IP address to an ACL for this URL on your server. The customer's 'Thank you for your order' page (the one the gateway redirects the customer to, back on your shop) should do NOTHING but thank the customer for their order; it must not change the order's status.

There are a number of subtleties regarding the status of the order at each stage. You don't, for example, wish to allocate stock to an order that has yet to be paid for, even if payment might arrive soon.
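To make the two points above concrete (only the gateway's server-to-server callback may advance an order, and stock is allocated only once payment is confirmed), here is an added illustration that is not code from the original post. The gateway IP range, the secret path segment and the callback payload shape are constructed placeholders, not any real gateway's API.

```python
# Added illustration (not the post's own code): a server-side callback handler
# built on the post's points: a secret callback URL, a gateway IP allowlist,
# and order state that only the gateway callback may advance. The gateway's
# IP range, URL and payload format are constructed placeholders.
import ipaddress
import secrets

# Constructed: the gateway's source range (TEST-NET-3) used as the ACL.
GATEWAY_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: the secret, non-guessable path the gateway is configured with.
CALLBACK_PATH = "/gateway/callback/" + "c0ffee"

# Order ledger: payment status and whether stock has been allocated yet.
ORDERS = {"1001": {"status": "awaiting_payment", "stock_allocated": False}}


def handle_gateway_callback(remote_ip, path, payload):
    """Server-to-server notification from the gateway (payload: assumed dict)."""
    # 1. Only the gateway's own addresses may reach the callback at all.
    if not any(ipaddress.ip_address(remote_ip) in net for net in GATEWAY_ALLOWLIST):
        return 403, "source not on gateway ACL"
    # 2. The URL itself is a shared secret; compare in constant time.
    if not secrets.compare_digest(path, CALLBACK_PATH):
        return 404, "unknown path"
    order = ORDERS.get(payload.get("order_id"))
    if order is None:
        return 404, "unknown order"
    # 3. Gateways retry callbacks: processing must be idempotent.
    if order["status"] != "awaiting_payment":
        return 200, "already processed"
    if payload.get("status") == "authorised":
        order["status"] = "paid"
        order["stock_allocated"] = True  # allocate only once payment is confirmed
    else:
        order["status"] = "declined"
    return 200, "ok"


def handle_thank_you_page(order_id, browser_post):
    """Customer-facing redirect target: renders thanks, never touches order state.
    Whatever the browser POSTs here is ignored; it is under the customer's control."""
    return "Thank you for your order %s." % order_id
```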

