I work for a tiny company (I'm the only employee besides the owner) whose website thus far has been maintained primarily for contact and product information. Eventually, it would be nice to add the ability to order through the site, but that is unlikely to happen if it requires much of a sophisticated setup. (We're talking about a technologically-challenged enterprise here; the invoicing system remains implemented in Excel on a Mac Classic.) Probably most orders come over the fax from schools or retailers and are billed later, so it probably wouldn't be worth the expense to set up the site with SSL and complicated e-commerce tools.
For retail customers, though, I might be inclined to reproduce the order form in HTML (a table of products, with quantity boxes). Of course, if this were implemented by offering to call for credit card information, it would probably prove more difficult than just having the customer call in the order in the first place, since you have to take into account timezone differences and the possibility that the customer won't be at the number when the order is received.
So, I was thinking about how most easily to accept the credit card number online, and came up with the idea of using client-side JavaScript to encode the information with a public key encryption scheme, and then sending the entire thing with a sendmail CGI. That way, the clear number would never pass through the Internet. Is there any problem with this concept? I think for this business's purposes, the technique would be preferable to using something like PayPal's shopping cart system.
I see that integers in JavaScript have accuracy only up to about 52 bits. That wouldn't be enough for a strong encryption, so are there any quick, easy ways to handle large numbers? Besides that, does anyone immediately see any flaw in the general concept? Who knows if there will even ever be time to work on it (the website is definitely not a priority), but I would like to have an idea of whether I'm justified in believing the security could be adequate. I realize that some people might be disinclined to use online ordering if they don't see the secure connection icon, but I'm not overly concerned about that; for now, I'm more interested in the soundness of the process itself.