02-12-2008, 02:19 PM
Tech Manager
WebProWorld Pro
 

Join Date: Jan 2008
Posts: 297
Re: Credit Cards and database vs. shopping cart

Quote:
Originally Posted by wige
If your client is an affiliate/reseller/etc of Carnival, where their site only collects the transaction information before passing it on to Carnival who will process and complete the transaction, I would check with Carnival to find out if they offer a web service (a secured Ajax interface that financial data can be sent through) that you could use. In this scenario, the user would fill out the order form on your web site, then when they submit the data, your site would store the customer's contact information and order details locally, and forward the financial and contact details to Carnival through the web service.

I have set up a system like this on one of my own sites, where, because of the nature of the product being sold, we need to verify inventory status before processing the transaction and thus could not use a traditional payment gateway, so we use a web service over https to transmit the financial information to a service provider before completing the sale. No financial data is ever stored on our own server.

Please note, if any financial data will be "touching" your web site - this means that the data is sent to your server, even if it is not stored there - there is a very high standard of security that you have to meet. For example, the credit card number must be heavily encrypted, the entire server must be scanned for vulnerabilities regularly, and it is a federal crime to store CVC codes on the same server as the credit card number. Failure to meet the standards could result in losing your ability to process credit cards, and could result in prosecution. Your payment provider should be able to give you information on the security precautions you need to meet. That provider may also be able to offer you additional suggestions to handle this situation if Carnival does not have a secure web service available.
Excellent post, Wige. Webmasters, designers and developers need to be more aware of both the security risks and the liabilities of the financial data they collect.

I recently turned away a potential client who was collecting credit card data and storing it on a non-protected text file on his server. The only change he wanted made was to have all the data emailed to him so he could run it through his business POS credit card machine. Not something I am willing to do. He refused to listen or recognize the risk, so I sent him elsewhere.
__________________
I use Country IP Blocks as added security for my networks and servers.
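The split described in the quoted post (keep contact and order details locally, forward card data to the processor over the web service, persist nothing card-related), as an added example that is not code from either poster. The processor call is a constructed stand-in named fake_processor; a real integration would POST over TLS to whatever endpoint the provider documents. The sample form, the field names and the audit helper are all assumptions made for the illustration.

```python
"""
Checkout handler that never lets card data reach the site's own storage.

Added example (not from the forum post). The card fields are split off the
form, handed to the processor, and discarded; only the authorisation result
and the last four digits are persisted with the order.
"""
import json
import re
from typing import Callable, Dict, List

# Any run of 13-19 digits looks like a primary account number (PAN).
PAN_RE = re.compile(r"\d{13,19}")
# Assumed form field names for the card data; everything else is order data.
CARD_FIELDS = ("card_number", "card_expiry", "card_cvc")


def luhn_ok(pan: str) -> bool:
    """Luhn check; rejects typos before anything is sent to the processor."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fake_processor(card: Dict[str, str], amount_cents: int) -> Dict[str, str]:
    """Constructed stand-in for the processor's HTTPS web service (hypothetical).
    Returns only an authorisation reference, never the card data."""
    if not luhn_ok(card["card_number"]):
        return {"status": "declined", "reference": ""}
    return {"status": "approved",
            "reference": f"AUTH-{card['card_number'][-4:]}-{amount_cents}"}


def process_checkout(form: Dict, local_store: List[Dict],
                     send_to_processor: Callable[[Dict[str, str], int], Dict[str, str]]) -> Dict:
    """Store contact/order details locally, forward card data, keep no card data."""
    form = dict(form)                                   # never mutate the caller's copy
    card = {k: form.pop(k) for k in CARD_FIELDS}        # 1. pull card fields out of the form
    order = form                                        # 2. what remains is safe to keep
    resp = send_to_processor(card, order["amount_cents"])  # 3. card data transits, is not stored
    last4 = card["card_number"][-4:]
    del card                                            # no reference to PAN/CVC survives
    record = {**order,                                  # 4. persist only the outcome
              "payment_status": resp["status"],
              "payment_ref": resp["reference"],
              "card_last4": last4}
    local_store.append(record)
    return record


def store_leaks_card_data(local_store: List[Dict]) -> bool:
    """Audit helper: True if any persisted record carries a PAN-shaped digit run
    or one of the card field names. Run this against whatever you persist."""
    blob = json.dumps(local_store)
    return bool(PAN_RE.search(blob)) or any(f in blob for f in CARD_FIELDS)


# Constructed sample input; the PAN is a standard Luhn-valid test number.
SAMPLE_FORM = {
    "customer_name": "A. Customer",
    "email": "a.customer@example.com",
    "items": ["cruise-7n-caribbean"],
    "amount_cents": 129900,
    "card_number": "4111111111111111",
    "card_expiry": "12/29",
    "card_cvc": "123",
}


def demo() -> Dict:
    store: List[Dict] = []
    record = process_checkout(SAMPLE_FORM, store, fake_processor)
    assert not store_leaks_card_data(store)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit helper is the part worth keeping around: pointing it at the rows you actually write (and at the text file or mailbox a client like the one above wanted) shows immediately whether card numbers or CVC values are leaking into storage that was never meant to hold them.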
