Accept Credit Cards Online – Charge Manually Offline
February 15, 2013 at 5:53 am #1132021
Hey eway,
I am sure what you do is super safe. Please do not think I am saying otherwise.
In a perfect world ALL credit card details stored online or in databases using encryption would be 100% safe and there would be no credit cards being stolen. But you and I know this is not a perfect world. Credit cards are getting stolen from databases all the time. Hackers are getting super clever.
All I am saying is I reckon getting credit cards off and away from the internet from being permanently stored makes them impossible to be stolen. If they don’t exist then they can’t be stolen.
But I wasn’t saying e-Path is the best way, I was meaning any PCI compliant manual method that gets credit cards off the internet and then deletes them once and for all is the best way. It has to be.
For me personally I am more comfortable with doing my transactions myself as far away from the internet as possible. I am in total control over what I accept and charge and after I process the charge the credit card details don’t exist anywhere.
It is also way much cheaper doing it this way for me. I have always liked it.
But yeh, I have considered you (eway) in the past and when I start to do a lot more transactions every day I will for sure give you a call. That’s the only hassle with the manual way, it is hard if you are doing heaps of payments per day. But for only a few transactions a day I really love it, saves me a fortune and is super secure!
Thanks Maclean
Billy
February 19, 2013 at 6:07 am #1132022
Hi Billy,
Totally agree that ideally cards wouldn’t be stored etc, I guess it’s unfortunate that there’s situations where this is unavoidable (recurring billing)
You mentioned e-Path being a PCI compliant solution but I checked their website and they don’t seem to say anything about being Tier-1 compliant or offer a certificate for download, have you been given one by them? The only information I found touched on what the PCI-DSS was, how they use a compliant website scanner (which is a small part of compliance) and how they push their own ‘CDU’ standard instead. This is probably because of this specific PCI-DSS requirement:
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
For the record, here’s ours – http://www.eway.com.au/docs/compliance-docs/ewaypcicompliancecertificate.pdf
Visa has distinguished eWAY as a Registered PCI DSS compliant service provider. For the complete listing and more information on this registry you may visit the Visa Registry. Note eWAY is listed under its registered name, Web Active Corporation Pty Ltd.
I’m only going into such detail as I want to make sure you’ve got all the right information about the systems you’re using, especially given your obvious concern regarding security.
Maclean
February 19, 2013 at 7:49 am #1132023
Billy744, post: 150080 wrote: I hear what you say about PCI and security but I’ve always believed it is much more secure doing it the way I am doing it.
And thank god for laws requiring PCI compliance if you really believe this! I shudder when I’ve had clients ask “Can’t we just store the credit card details on the server, or have it emailed to me?” It boggles my mind that someone responsible for someone else’s credit card details would contemplate taking such a risk.
February 19, 2013 at 11:26 pm #1132024
eWAY, post: 152006 wrote: Hi Billy, Totally agree that ideally cards wouldn’t be stored etc, I guess it’s unfortunate that there’s situations where this is unavoidable (recurring billing)
Thanks for this Maclean, I got very worried about things after reading your message so I checked up with e-Path and really looked in to this whole issue.
You are right, e-Path are not PCI Tier 1 compliant, they are Tier 2 compliant. I have received their PCI certifications so I am at ease now.
But I asked them about PCI Tier 1 compliance and they told me they fall well under the required yearly transactions number to qualify. They said they want to stick to the regulations and will become Tier 1 when they qualify under the PCI rules. This makes sense to me.
They told me the largest security breach in the history of ecommerce was from a real time credit card payment processing company in the US called Heartland who were fully PCI Tier 1 compliant certified by an external PCI accredited security auditor.
“Yeh, as if” was my first thought. I did some further checking because I suspected they weren’t being truthful but they turned out to be spot on. About 100 million credit cards were stolen from a database according to Visa and Master Card press releases I found on the net. I also found a few more payment gateways have also been compromised and huge numbers of credit card details were stolen from their secure storage databases.
This is what I’m talking about, had all those customers paid via manual systems which don’t permanently store credit cards online in databases then none of those credit cards could have been stolen in the first place.
This is all news to me, I had no idea about the different PCI “Tiers” before your message but if Tier 1 PCI compliance systems were being compromised like that then I really can’t see anything positive from promoting you are a Tier 1 compliant system. In fact I’d be a little worried if I was using a Tier 1 compliant service myself.
Since your message I have also hunted down the material on PCI and it appears it is not a security standard that guarantees credit card data security. It is a security standard aimed at making credit card data “more” secure, but won’t guarantee it.
This sort of goes back to what I was saying before about the security advantages of taking credit cards off the internet and processing them myself then making sure they don’t even exist after the transaction is performed.
Hackers are getting insanely clever and we are all hearing more and more about things getting hacked now.
I now really have no doubts at all about the manual way as being the safest way. It makes more sense than ever before from a security viewpoint.
February 20, 2013 at 12:04 am #1132025
Billy744, post: 152120 wrote: But I asked them about PCI Tier 1 compliance and they told me they fall well under the required yearly transactions number to qualify. They said they want to stick to the regulations and will become Tier 1 when they qualify under the PCI rules. This makes sense to me.
Hi Billy, Heartland were hacked between 2006 and 2008 and it was reported in 2009. The same hacker also hacked 7-Eleven and Hannaford Brothers, and the total number of card numbers he acquired was 130 million. Since then a lot has changed, and if you were given this as an example of security in a PCI Tier 1 company it is just not relevant, and I would question why they even raised it if they understand PCI DSS.
PCI DSS has changed significantly since 2009 and compliance requirements have changed significantly since 2009. The hacker in this situation used an SQL injection method to raid databases and get unencrypted card information. It would be very highly unlikely that situation would occur today. PCI now requires encryption, and the base level of penetration testing required looks for all forms of SQL injection.
The actual technical issues for tier 1 and tier 2 are no different; it is about the process of audit and the reporting and accreditation.
Billy744, post: 152120 wrote: Hackers are getting insanely clever and we are all hearing more and more about things getting hacked now. I now really have no doubts at all about the manual way as being the safest way. It makes more sense than ever before from a security viewpoint.
Manual card processing is a risk and although it suits you to do this the reality is that avoiding access to card data completely is the best course to take.
Hackers are insanely clever; that is why PCI DSS requirements constantly change, why we have quarterly (sometimes monthly) scans, why we have penetration testing. But hackers are people and it is people who steal card information; if you have access to it you open the risk that it will be stolen.
Just so that you understand I don’t really care if you manually process cards. But I would hate some other person reading this thread to think it was a good idea because it isn’t.
John
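The two technical points in the thread, PCI-DSS 3.2.2 (never store the verification code) from Maclean’s post and the SQL-injection route into stored card data from John’s, as an added example that is not code from the forum or from e-Path, eWAY or eCorner. It assumes an in-memory SQLite table standing in for a merchant database and uses constructed test card numbers.

```python
"""Card-data handling sketch for the PCI-DSS points raised above.
Added example, not code from the forum, e-Path, eWAY or eCorner.
Assumptions: an in-memory SQLite table stands in for the merchant's
database, and the card numbers used are constructed test values.
"""
import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class CardInput:
    pan: str     # primary account number as typed at checkout
    expiry: str  # MM/YY
    cvv: str     # verification code: never persisted (PCI-DSS 3.2.2)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the usual first sanity check on a typed PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(card: CardInput) -> None:
    """Reject malformed input before it reaches storage or a log line."""
    if not re.fullmatch(r"\d{13,19}", card.pan) or not luhn_ok(card.pan):
        raise ValueError("invalid PAN")
    if not re.fullmatch(r"\d{3,4}", card.cvv):
        raise ValueError("invalid CVV")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", card.expiry):
        raise ValueError("invalid expiry")


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, masking the rest.
    This is the truncated form PCI-DSS allows when some reference to the
    card must be kept (receipts, refund lookups); the full PAN is not stored."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def open_store() -> sqlite3.Connection:
    """Merchant-side transaction log. Note the schema has no CVV column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE txn (id INTEGER PRIMARY KEY, order_ref TEXT, "
        "pan_masked TEXT, expiry TEXT, amount_cents INTEGER)"
    )
    return conn


def record_transaction(conn: sqlite3.Connection, order_ref: str,
                       card: CardInput, amount_cents: int) -> int:
    """Persist only what a later refund needs; full PAN and CVV stay in memory.
    Bound parameters mean an order_ref such as "ORD-7' OR '1'='1" is stored
    as a literal string rather than spliced into the SQL, which closes the
    injection class John describes for the Heartland breach."""
    validate(card)
    cur = conn.execute(
        "INSERT INTO txn (order_ref, pan_masked, expiry, amount_cents) "
        "VALUES (?, ?, ?, ?)",
        (order_ref, truncate_pan(card.pan), card.expiry, amount_cents),
    )
    conn.commit()
    return cur.lastrowid


def stored_columns(conn: sqlite3.Connection) -> list:
    """Column names actually persisted; used to prove no CVV is kept."""
    return [row[1] for row in conn.execute("PRAGMA table_info(txn)")]


def stored_row(conn: sqlite3.Connection, txn_id: int) -> tuple:
    # Lookup by id, again with a bound parameter rather than string building.
    return conn.execute("SELECT order_ref, pan_masked, expiry, amount_cents "
                        "FROM txn WHERE id = ?", (txn_id,)).fetchone()
```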
February 20, 2013 at 12:08 am #1132026
Zava Design, post: 152024 wrote: And thank god for laws requiring PCI compliance if you really believe this! I shudder when I’ve had clients ask “Can’t we just store the credit card details on the server, or have it emailed to me?” It boggles my mind that someone responsible for someone else’s credit card details would contemplate taking such a risk.
Yeh, fully agree but I think you are getting what I said mixed up.
I have read around 90% of the world’s stolen credit card details come from compromised or hacked secure databases or servers where credit card details are permanently stored. But less than 1% come from being actually stolen directly from the merchant.
So let me ask you …
Would you prefer your credit card details to be permanently stored online somewhere and have no hope of getting them deleted, or would you prefer paying the merchant directly where your credit card details won’t even exist after the transaction?
It is a no brainer.
People who pay me know their credit cards won’t even exist after I have performed the transaction. This is the way it has always been with me and now I’m with e-Path it is the same.
This is what I was meaning. To me I really can’t see how there could even be a difference of opinion on which way is safer.
February 20, 2013 at 12:38 am #1132027
Billy744, post: 152134 wrote: I have read around 90% of the world’s stolen credit card details come from compromised or hacked secure databases or servers where credit card details are permanently stored. But less than 1% come from being actually stolen directly from the merchant.
In Australia the Australian Payments and Clearing Association stats are that 71% of card fraud occurs from card-not-present transactions. There are no great stats in Australia on how the card was compromised but from the USA US Dept of Justice for 2012 we get these stats which we can assume are similar for most developed markets.
Percentage of Each Type of Credit Card Fraud
Counterfeit Credit Cards = 37 %
Lost or Stolen = 23 %
No-Card Fraud (i.e. giving card information to a non-legit telemarketer) = 10 %
Stolen cards during mailing fraud = 7 %
Identity-Theft Fraud = 4 %
Initial Point of Contact for Fraud
Email = 48 %
Internet Website = 12 %
Telephone = 10 %
Other = 17 %
Counterfeit cards and Identity Theft may originate from hacked data but there are also other methods like skimming and manual copying of card data (over the counter, in an office, taxi, hotel etc).
Anytime card data becomes visible it becomes a risk. If you own the card you go to great lengths to protect it, use pins, don’t email card data, good security on your computer, don’t do online transactions in internet cafes etc.
If I put my card information into an online system and then I knew someone at the merchant could see it and manually process a transaction then I would not use that website.
February 20, 2013 at 1:14 am #1132028
John Debrincat, post: 152140 wrote: In Australia the Australian Payments and Clearing Association stats are that 71% of card fraud occurs from card-not-present transactions. There are no great stats in Australia on how the card was compromised but from the USA US Dept of Justice for 2012 we get these stats which we can assume are similar for most developed markets.
I respect your opinion John but I don’t agree with this at all.
Credit card details in the hands of the merchant are one of the lowest risks of all from what I have been told by my bank (I trust my bank).
But you start to put credit card details on the internet where they are permanently stored in databases or whatever, then you immediately lose control over your own credit card details. You can NOT get them deleted and no matter how secure everything may claim to be there is no possible way anybody can guarantee they will permanently be 100% secure.
Millions of credit card details are being stolen this way. Hackers are even selling stolen credit card details in their tens of thousands online according to Aust. Federal Police.
John, where do you think they get all these credit card details from, a merchant who uses a manual system where after he/she has processed the transaction the card details don’t exist? No. They get them from online credit card storage systems which are internet accessible. We all read about this regularly in the news, it is not a secret.
I hope you are not telling me you would prefer your credit card details to be permanently stored online somewhere rather than giving it directly to a merchant where your card details won’t even exist after the transaction is performed.
For me and for many like me I would prefer to pay the merchant directly and know my credit card details won’t exist after processing rather than say goodbye to them as they head off in to the wild internet where they will be permanently stored somewhere.
On the other side of the coin I can see where you are coming from – unless I as the merchant follow PCI rules in handling credit card data then of course it is a risk, but then again nothing compared to the risk of say a payment gateway who also does not follow PCI rules. I now see this is why we have PCI.
For me there is no better security for my customers credit card details than when those credit card details don’t exist anywhere so we will have to agree to disagree here.
February 20, 2013 at 1:46 am #1132029
Billy744, post: 152147 wrote: I hope you are not telling me you would prefer your credit card details to be permanently stored online somewhere rather than giving it directly to a merchant where your card details won’t even exist after the transaction is performed.
What I am saying is that credit card transactions online should be done via a reputable payment service provider that has the correct credentials, security, technology and capability. The merchant should not manually process a card number that has been provided via their website unless that process is via a payment service provider.
Once a merchant records in any way the full card number and CVV then the consumer has no way of knowing what will happen to that information. In fact the consumer does not know it has been manually recorded and processed. So there is a fundamental deception taking place. Why don’t you therefore include a disclaimer in your checkout process and in your T&C’s to tell the consumer that you will manually process the credit card? If you believe it is a safer way then let your customers decide!
Yes there are risks in credit card data being stored online; however the PCI DSS requirements and legal requirements of payment service providers correctly mitigate and manage that risk. From the consumer’s viewpoint there is no mitigation or management of the risk of card abuse when it is manually recorded and processed by the merchant.
It is not a good idea to manually process online card transactions. The proviso that I would add is that if you inform your customers that you are processing the card manually then it would be a transparent process. That would be similar to a card holder providing card information over the phone; it becomes the consumer’s (card holder’s) choice and not the merchant’s choice.
February 20, 2013 at 2:11 am #1132030
John Debrincat, post: 152151 wrote: It is not a good idea to manually process online card transactions. The proviso that I would add is that if you inform your customers that you are processing the card manually then it would be a transparent process. That would be similar to a card holder providing card information over the phone; it becomes the consumer’s (card holder’s) choice and not the merchant’s choice.
Hi again John. Yes that’s exactly what happens now (before I didn’t do this) but it is part of the e-Path system. The consumer is told their transaction is pending approval of the merchant and they are also told the merchant is the one processing the credit card details and that their credit card details will not be stored online or anywhere else after the charge.
Tell me John, does your ecommerce system/sites tell consumers their credit card details will be taken and permanently stored somewhere online or in a database somewhere and they can not have their credit card details deleted from there?
I hope it does because you must tell consumers what you are going to do with their credit card details according to Australian Privacy Laws now. I am sure you are complying with Australian Privacy Laws.
How’s this for an idea, why not give consumers the choice of two payment options ….
1. Transaction attempted immediately online and your credit card details will be taken and permanently stored online in some database somewhere. You will NOT be able to have your details deleted.
or
2. Processed ONLY and directly by the bank approved merchant where after they have processed the charge your credit card details will NOT be stored and will NOT exist anywhere.
Who in their right mind would choose option 1? Certainly not me. I hope you wouldn’t either.
February 20, 2013 at 2:13 am #1132031
The figures you’re throwing around only make sense if you can also provide figures for what percentage of total CC transactions are online v manual/in person.
The only time I or my friends have had any issues are with manually processed cards, either in Australia or overseas (holidays …etc). Only anecdotal of course, but I would prefer to be stored with a PCI level provider. They would also then be liable for anything happening with my card. Try getting that liability with some little store somewhere…
February 20, 2013 at 2:35 am #1132032
Zava Design, post: 152154 wrote: The figures you’re throwing around only make sense if you can also provide figures for what percentage of total CC transactions are online v manual/in person. The only time I or my friends have had any issues are with manually processed cards, either in Australia or overseas (holidays …etc). Only anecdotal of course, but I would prefer to be stored with a PCI level provider. They would also then be liable for anything happening with my card. Try getting that liability with some little store somewhere…
Hackers all over the world who hack in to secure databases and harvest tens of thousands of credit cards are hoping there are other people like you around and things don’t change any time soon.
If you read about PCI and all their supporting documentation (which I have the panda eyes to prove I have over the last three weeks) it clearly states PCI compliance is NO guarantee of 100% permanent security for your confidential credit card details.
So whether you use a PCI compliant gateway or deal directly with the merchant who is also PCI compliant I think you enjoy a much better level of protection but there are still no guarantees with either.
February 20, 2013 at 2:57 am #1132033
Why don’t you post a link to your online store in your signature or in the post as it would be interesting to see how you handle that process.
eCorner is a PCI DSS tier 2 compliant service provider and trust me, I understand PCI very well indeed and have paid for the privilege; for a service provider it is a major effort and cost that can take months to initially complete. Then you have to audit every year with an external audit company. Being PCI compliant is just a part of the process and you also have to regularly validate your security and processes. We do not store card data but pass it through our systems to payment service providers, but still need to be compliant.
Most good payment service providers will not store the card data after the transaction has been completed. In general that might happen with recurring payments but then there are other security mechanisms that are enabled. Different providers handle recurring payments in different ways.
I will just reiterate what I already have said and that is do not manually process online card transactions.
February 20, 2013 at 3:05 am #1132034
Billy744, post: 152153 wrote: Hi again John. Yes that’s exactly what happens now (before I didn’t do this) but it is part of the e-Path system. The consumer is told their transaction is pending approval of the merchant and they are also told the merchant is the one processing the credit card details and that their credit card details will not be stored online or anywhere else after the charge.
Damn you Billy. I have just checked and you are right about Privacy Laws. This means for all my clients using eway and secure pay I will need to create a pop up on their carts to tell customers what is about to happen to their cc details before they go ahead. Bloody hell.
I have customers using e-Path too so I know the three systems pretty well.
With the e-Path (manual system) the merchant must be PCI compliant to handle cc details in card-not-present situations. If they are then there is a compelling argument in favour of the manual system if talking just about cc security because cc details no longer exist after transaction. You really can’t argue with the obvious security advantage of that.
But I still prefer putting my ecommerce clients with eway. It is a much better system if they are transacting a lot of payments per day because the merchant doesn’t have to do a thing, everything is automated. Eway are PCI compliant too and are great to deal with.
February 20, 2013 at 3:30 am #1132035
John Debrincat, post: 152160 wrote: I will just reiterate what I already have said and that is do not manually process online card transactions.
If given the opportunity I would strongly recommend the manual way, no question about it.
I find the PCI compliant manual way gives me total control over what I charge because it is me who is processing the charge not some expensive online system doing it blindly. The manual way is a lot cheaper, it is much more secure because my customers’ credit card details are actually being taken off the internet and then don’t exist after processing and I don’t have to have my merchant account sitting on the internet – only I can transact into my own merchant account!
I personally think the manual way is the way of the future. It perfectly suits me anyway. But I appreciate your business largely promotes the exact opposite.
Anyway, we will have to agree to disagree.
But a footnote to this is if I start to do some real business and the number of transactions start to climb through the roof, I for one will be the first to look at getting eway or some other real time system. There is a point where the manual way would be just too much trouble for me, but in the mean time I really do like doing things this way.