Home – New › Forums › Selling online › Accept Credit Cards Online – Charge Manually Offline
- This topic is empty.
-
AuthorPosts
-
February 20, 2013 at 4:50 am #1132036Up::0DrMegs, post: 152161 wrote:Damn you Bily. I have just checked and you are right about Privacy Laws. This means for all my clients using eway and secure pay I will need to create a pop up on their carts to tell customers what is about to happen to their cc details before they go ahead. Bloody hell.
To the best of my knowledge there is nothing in the Australian Privacy Laws or Privacy Principles that require you to give that information to consumers. However it is very good business practice for an online store to do so during the checkout process and should be a normal feature to have the ability to add that information. Your store should also enforce the acceptance of your terms and conditions before allowing finalisation of the online order. Your issuing bank, card provider and payment provider may also have specific terms regarding displaying logos etc in your agreements with them. You should also include information about your security and card processing in your terms and conditions, and privacy policy. Maybe there is a lawyer in the forum who can provide better guidance.
February 20, 2013 at 5:19 am #1132037Up::0Billy744, post: 152120 wrote:Thanks for this Maclean, I got very worried about things after reading your message so I checked up with e-Path and really looked in to this whole issue.You are right, e-Path are not PCI Tier 1 compliant, they are Tier 2 compliant. I have received their PCI certifications so I am at ease now.
But I asked them about PCI Tier 1 compliance and they told me they fall well under the required yearly transactions number to qualify. They said they want to stick to the regulations and will become Teir 1 when they qualify under the PCI rules. This makes sense to me.
Billy744, post: 152134 wrote:So let me ask you …Would you prefer your credit card details to be permanently stored online somewhere and have no hope of getting them deleted, or would you prefer paying the merchant directly where your credit card details won’t even exist after the transaction?
It’s pretty worrying that they aren’t attempting to reach PCI-DSS Tier 1 simply because they don’t meet the volume of transactions where it’s required, especially given that they’re storing the card number, expiry and cvn. I can’t see this being the way of the future given that for them to be compliant they’ll no longer be able to store the CVN, and VISA/MasterCard have already mandated the usage of the CVN. I’d be very interested to know which QSA certified them given the requirement to not store the CVN. Mind posting up the certificate?
Would I rather use a system where the data is stored within a system that has met and greatly exceeded PCI-DSS Tier 1 or a system that only meets PCI-DSS Tier 2 and won’t attempt to meet Tier 1 until their volume increases?
Billy744, post: 152134 wrote:But a footnote to this is if I start to do some real business and the number of transactions start to climb through the roof, I for one will be the first to look at getting eway or some other real time system. There is a point where the manual way would be just too much trouble for me, but in the mean time I really do like doing things this way.Sounds like eWAY is the way of the future
Just to touch on the point regarding advising customers of storing data etc, you’ll find this will usually be part of your requirements with the bank and at eWAY we provide our merchants with a template to use on their website. I’ve quoted it below for you and you’ll see we encourage complete honesty.
Security Policy
uses the eWAY Payment Gateway for its online credit card transactions.
eWAY processes online credit card transactions for thousands of Australian merchants,
providing a safe and secure means of collecting payments via the Internet.
All online credit card transactions performed on this site using the eWAY gateway are secured
payments.
• Payments are fully automated with an immediate response.
• Your complete credit card number cannot be viewed byor any outside party.
• All transactions are performed under 128 Bit SSL Certificate.
• All transaction data is encrypted for storage within eWAY’s bank-grade data centre, further
protecting your credit card data.
• eWAY is an authorised third party processor for all the major Australian banks.
• eWAY at no time touches your funds; all monies are directly transferred from your credit card to the
merchant account held by.
For more information about eWAY and online credit card payments, please visit
http://www.eWAY.com.auMaclean
February 20, 2013 at 5:24 am #1132038Up::0“it is much more secure because my customers credit card details are actually being taken off the internet”
In your opinion they are more secure. Do you also have the data on how many small businesses that store their buyer’s credit card details manually (for however long or short) get robbed or have someone steal those credit card numbers? I mean, if you want to have the full picture…
And make sure you post the link to your online store(s) here, I want to make sure to not buy anything from them if you’re taking the credit card details yourself, and warn my friends about them too.
February 20, 2013 at 5:27 am #1132039February 20, 2013 at 8:11 am #1132040Up::0Zava Design, post: 152186 wrote:“it is much more secure because my customers credit card details are actually being taken off the internet”In your opinion they are more secure. Do you also have the data on how many small businesses that store their buyer’s credit card details manually (for however long or short) get robbed or have someone steal those credit card numbers? I mean, if you want to have the full picture…
And make sure you post the link to your online store(s) here, I want to make sure to not buy anything from them if you’re taking the credit card details yourself, and warn my friends about them too.
I hope you don’t mind me saying but you appear very selective about what you use in my post to quote.
When credit card details don’t exist it is more secure, immeasurably more secure, absolutely it is. I am surprised you would argue this point.
I have never heard of 40 million credit cards being stolen from a merchant when those credit card details do not even exist after processing. But I have heard of 40 million credit card details being stolen because they were all permanently stored in a database online where each card holder has no chance to get these deleted.
In fact, not only 40 million but hundreds of millions of credit cards are stolen from the internet from being permanently stored in databases.
The way I do things ensures NO credit card details even exist after transaction so I really find it hard to understand why you would prefer customers credit cards to be permanently stored online somewhere where they have no hope of getting their credit card details deleted, as opposed to paying the merchant directly using a manual system where those credit card details don’t even exist after the transaction is done.
Just doesn’t make sense to me.
February 20, 2013 at 8:18 am #1132041Up::0Billy744, post: 152216 wrote:I hope you don’t mind me saying but you appear very selective about what you use in my post to quote.So do you Billy. It would be very interesting to see how you handle the process on your online store so post a link. If you have one?
John
February 20, 2013 at 9:30 am #1132042Up::0This is a really interesting thread please let me weigh in here if I can please.
Maclean:.
From what I know e-Path transport cc data from card holder directly to merchant for processing so that sensitive card data no longer needs to be permanently stored online – in e-Path’s case this is all pre-authorisation stuff. It is the same as a fax machine would or a telephone would, except a fax machine and telephone are not PCI compliant whereas e-Path is.You can see where they are coming from. Permanently storing credit card data online (on servers/databases etc) is the number 1 way credit card data gets in to the hands of criminals.
Like I said in my other post in another thread, it is permissible to store the cc details including the CVV ONLY up until the point the payment is processed/authorised. Merchants now MUST have the CVV so they can enter it so they can charge the card, this is a new bank regulation that says the CVV must now be entered along with the credit card details.
So up until the payment is processed/authorised it is OK as long as you handle that data in compliance with PCI requirements. Here is an actual quote from PCI DSS 2.0…
Section 3.2: “Do not store sensitive authentication data after authorization (even if encrypted)
Sensitive authentication data consists of magnetic stripe (or track) data6, card validation code or value7, and PIN data8. Storage of sensitive authentication data after authorization is prohibited!”
But once the card is processed/authorised the CVV data must not exist anywhere or be stored anywhere. With a manual system where you handle things in compliance to PCI not only does the CVV data not exist after the merchant has processed the card but the entire card details don’t exist either. Trust me, this is not a negative.
As for e-Path’s PCI compliance maybe you should direct any questions about this to them. But from what I hve learned there is nothing wrong wth PCI Tier 2 compliance. And Billy is correct – whether PCI Tier 1 or 2 it still is no guarantee the credit card data is permanently secure.
PCI Tier 1 compliance does not magically mean credit card data being permanently stored is suddenly 100% guranteed permanently secure. The PCI Security Standards Counil in the U.S. will confirm this.
Zava:
Sorry but I also find it hard to understand why you appear so negative about a method that ensures your credit card details don’t exist after processing.Billy:
You said the manual method is “the way of the future”! Umm, I don’t think so mate. Procesing manually offline can be real time consuming and a pain for many businesses.I hear what you say about your manual method and using e-Path and yes, there are good arguments in favour of the manual method (which you have covered a few times now) but there are also many advantages of the automated online processing system too.
In my experience the manual method and the real time procesing system do not compete. Usually when a client of mine starts to do more than ten transactions per day I get them to switch to eway (or secure pay) if they are with e-Path.
I think the debate going on here is healthy because it highlights how important all of us view security but lets not fall in to criticising one system or the other.
Any suggestions about the manual system being better than the automated online processing system or visa versa is just stupid. It is a pointless argument. They are two totally different methods. They both are PCI compliant and both appeal to different businesses for different reasons. They each have their advantages and disadvantages.
At the end of the day I’m sort of pleased we all have a choice of two methods now.
Anwyay, I hope people don’t mind me weighing in here.
Thanx
February 21, 2013 at 2:06 am #1132043Up::0DrMegs, post: 152228 wrote:Zava:
Sorry but I also find it hard to understand why you appear so negative about a method that ensures your credit card details don’t exist after processing.
How do I know they don’t exist after processing? I should take some stranger’s word??Or should I have a little more faith (you’re taking a risk using a CC at any time, just as you do stepping out your front door every morning) in a process where I know there’s a minimum security requirement BY LAW?
Neither seems perfect, nothing outside of using cash really is, but I know which I’d rather take a risk with. And which I would advise any client. In all seriousness, if I had a client who insisted on taking credit card details manually even after my advice, unless they’re prepared to set up a whole process that was PCI compliant, I would refuse to do the work, and when their site was launched I would submit a complaint to the relevant government/consumer body to investigate.
February 21, 2013 at 2:08 am #1132044Up::0DrMegs, post: 152228 wrote:They both are PCI compliant and both appeal to different businesses for different reasons. They each have their advantages and disadvantages.
Taking someone’s details via a website is not PCI compliant unless the whole process is, including the server security. Which is unlikely to be the case for small businesses as the cost for this part would be exorbitant for them. Especially if they’re already complaining about the fees involved in the better online payment processors.February 21, 2013 at 5:23 am #1132045Up::0DrMegs, post: 152228 wrote:This is a really interesting thread please let me weigh in here if I can please.Maclean:.
From what I know e-Path transport cc data from card holder directly to merchant for processing so that sensitive card data no longer needs to be permanently stored online – in e-Path’s case this is all pre-authorisation stuff. It is the same as a fax machine would or a telephone would, except a fax machine and telephone are not PCI compliant whereas e-Path is.You can see where they are coming from. Permanently storing credit card data online (on servers/databases etc) is the number 1 way credit card data gets in to the hands of criminals.
Like I said in my other post in another thread, it is permissible to store the cc details including the CVV ONLY up until the point the payment is processed/authorised. Merchants now MUST have the CVV so they can enter it so they can charge the card, this is a new bank regulation that says the CVV must now be entered along with the credit card details.
So up until the payment is processed/authorised it is OK as long as you handle that data in compliance with PCI requirements. Here is an actual quote from PCI DSS 2.0…
Section 3.2: “Do not store sensitive authentication data after authorization (even if encrypted)
Sensitive authentication data consists of magnetic stripe (or track) data6, card validation code or value7, and PIN data8. Storage of sensitive authentication data after authorization is prohibited!”
But once the card is processed/authorised the CVV data must not exist anywhere or be stored anywhere. With a manual system where you handle things in compliance to PCI not only does the CVV data not exist after the merchant has processed the card but the entire card details don’t exist either. Trust me, this is not a negative.
As for e-Path’s PCI compliance maybe you should direct any questions about this to them. But from what I hve learned there is nothing wrong wth PCI Tier 2 compliance. And Billy is correct – whether PCI Tier 1 or 2 it still is no guarantee the credit card data is permanently secure.
PCI Tier 1 compliance does not magically mean credit card data being permanently stored is suddenly 100% guranteed permanently secure. The PCI Security Standards Counil in the U.S. will confirm this.
I agree, there’s no magic behind PCI Tier 1 that isn’t behind Tier 2. The major difference is that Tier 1 requires the audit to be completed by a QSA (who is registered with, and approved by, the PCI) where Tier 2 allows the company to perform its own audit (and hence interpret the rules as they see fit, not how the PCI has approved them to)
The wording in the document is a little ambiguous and is down to interpretation. By yours, I can take a customers credit card number, expiry and CVN and write it down on a piece of paper and sticky tape it to my shopfront counter. As long as I destroy that piece of paper after I process the transaction (which could be a week later) I’m PCI compliant. I spoke with our security team regarding this point and their response was that although worded that way, you will never find a QSA that interprets it that way. You must NEVER store the CVN, and you’ll see by the testing procedures for point 3.2.2 that it cannot exist
3.2.2 For a sample of system components, examine data sources,
including but not limited to the following, and verify that the threedigit or four-digit card verification code or value printed on the
front of the card or the signature panel (CVV2, CVC2, CID, CAV2
data) is not stored under any circumstance:
Incoming transaction data
All logs (for example, transaction, history, debugging, error)
History files
Trace files
Several database schemas
Database contentsAdditionally, point 3.3 specifies use of the PAN (the card number) stating
3.3 Mask PAN when displayed (the first
six and last four digits are the maximum
number of digits to be displayed).It is noted that where there is a specific business case it is permissible however again, this is for interpretation and a QSA will not approve this unless the business case is extreme (such as requiring to provide data to police etc in a fraud investigation)
This is why I’m interested in how the compliance was met. Was it a self assessment or performed by a QSA?
Zava Design, post: 152296 wrote:How do I know they don’t exist after processing? I should take some stranger’s word??Or should I have a little more faith (you’re taking a risk using a CC at any time, just as you do stepping out your front door every morning) in a process where I know there’s a minimum security requirement BY LAW?
Just wanted to step in here that ‘by law’ is not correct. PCI-DSS isn’t a law, they’re standard you must follow and meet to be given access to Visa/MasterCard networks. I guess there would be laws involved if you had data stolen (like some kind of negligence laws etc) but PCI-DSS is not a law.
Zava Design, post: 152297 wrote:Taking someone’s details via a website is not PCI compliant unless the whole process is, including the server security. Which is unlikely to be the case for small businesses as the cost for this part would be exorbitant for them. Especially if they’re already complaining about the fees involved in the better online payment processors.I believe E-Path is handled offsite, so PCI compliance of the actual acceptance of the card comes down to their own policies however as I mentioned above, I’m interested in who carried out their compliance audit.
Maclean
February 21, 2013 at 5:45 am #1132046Up::0Zava Design, post: 152297 wrote:Taking someone’s details via a website is not PCI compliant unless the whole process is, including the server security. Which is unlikely to be the case for small businesses as the cost for this part would be exorbitant for them. Especially if they’re already complaining about the fees involved in the better online payment processors.Where my website is hosted has nothing to do with storing or transmitting to me any credit card details. You have it wrong.
Cost of PCI compliance is very cheap for me as a small business. I just need to follow and commit to the PCI rules in how I handle credit card data in a card not present situation such as when taking orders and payments over the phone, by the fax machine or via e-Path. Do the right thing and it is simple, low cost and is super secure.
If you are suggesting that hijacking peoples credit card details and permanently storing them on the internet in databases or on servers where card holders are denied the opportunity to have their own card card details deleted is “better” then thank goodness I don’t deal with you. Heaven help your customers if that’s the sort of security you believe in.
February 21, 2013 at 6:25 am #1132047Up::0Billy744, post: 152325 wrote:Where my website is hosted has nothing to do with storing or transmitting to me any credit card details. You have it wrong.Cost of PCI compliance is very cheap for me as a small business. I just need to follow and commit to the PCI rules in how I handle credit card data in a card not present situation such as when taking orders and payments over the phone, by the fax machine or via e-Path. Do the right thing and it is simple, low cost and is super secure.
If you are suggesting that hijacking peoples credit card details and permanently storing them on the internet in databases or on servers where card holders are denied the opportunity to have their own card card details deleted is “better” then thank goodness I don’t deal with you. Heaven help your customers if that’s the sort of security you believe in.
One quick point I’ll make here (and by the way, I really do commend your interest in card security) is that there is a massive difference between being stored in a database and being stored ‘on the internet’.
For example, eWAY’s compliance requires the database servers to have no Internet access at all. The request comes in through web servers and is routed through various firewalls, routers, encryption devices etc before being stored in the database servers. Once they’re a certain depth in to the network they are not accessible via the Internet. If the card data is to be used again, the request that comes in will use a token that represents that record (which cannot be used to retrieve the number) that tells the system to use that data to process a transaction, which happens locally, before firing off through the relevant bank connection etc.
Maclean
February 21, 2013 at 6:35 am #1132048Up::0Hello McLean,
You seem to be trying to argue against all card not present credit card payment processing methods, perhaps because if everyone started to do it manually you’d be out of business in a flash. So I can see where your motivation is.
But this is no excuse to try and put down the manual method or those who do things manually like me and handle credit card details in a way they are suppose to according to PCI.
Taking orders and payments over the phone, via the fax machine and other card not present methods such as e-Path is not new. All those ways obviously now require me to handle credit card details securely and in a way which is compliant to PCI. It is not rocket science nor is a conspiracy against hugely expensive third party live processing services like yours. It is just a safer, less expensive way, that’s all.
I mean have you seen the range of bank supplied virtual pos merchant accounts out now, or how about the latest bank mobile phone apps that allow me to enter credit card details myself to charge the card. These are pretty reasonable in cost and people deal directly with their own bank for these services instead of a third party “middle man” service like yours. Next you’ll be saying all this a “bad” and against PCI.
I receive many faxed orders with payment details correctly filled out and there is nothing that tells me the person faxing me the order has to cross out a quantity of numbers of their credit card. Nor when I receive a phone order with payment. And yep I have even rang my bank to double check after reading what you say.
If you are going to suggest a scenario that tells of a merchant not being PCI compliant in their handling of credit card details “write it down on a piece of paper and sticky tape it to my shopfront counter” and ponder the result, then lets also use an example of a hacker being able to break in to your database where all credit cards are stolen because it was also not handling credit card details in compliance to PCI. Which one would have the most catastrophic results???
You see? It is totally pointless saying these types of things because none of it is true.
As for things about e-Path, why don’t you ring them up and ask them instead of asking me or anyone else? I’ve only come across them in the last three weeks and their service perfectly fits in to how I do things.
And for the record, yes, I am PCI compliant and after I process my customers credit cards they don’t exist anywhere – they are certainly NOT being permanently stored somewhere in a database with no chance of the rightful card holder getting their own credit card details deleted, thank you very much.
February 21, 2013 at 6:49 am #1132049Up::0Billy744, post: 152325 wrote:I just need to follow and commit to the PCI rules in how I handle credit card data in a card not present situation such as when taking orders and payments over the phone, by the fax machine or via e-Path. Do the right thing and it is simple, low cost and is super secure.Yes the operative process is very important. When people call you and leave card details or fax you with card details then they know you are manually processing the card and have their card details which you might retain.
However when they enter a card online most consumers believe that it is being processed in real time and not; 1. stored 2. forwarded and 3 manually processed. So you mentioned that you explain that to your customers in the payment process. So that must vary from the e-path demo because they do not explain that at all during the payment process.
The other thing that bothers me is this quote from their site;
“– NO expensive SSL and IP address to purchase for your website
— Become instantly PCI compliant online”Having an SSL Certificate is not just about the payment process it is there to protect all personal and sensitive data. So recommending that a SSL is not needed worries me. That means personal information is potentially not protected and transmitted unencrypted..
The second part is that you become “instantly” PCI compliant – that is total rubbish. PCI DSS compliance is not just about handling the card data on the website it also is about how you handle it in your organisation. For example these requirements:
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder dataI don’t know but to me there seems to be some badly thought through and misleading information on their website.
February 21, 2013 at 7:58 am #1132050Up::0John Debrincat, post: 152337 wrote:Yes the operative process is very important. When people call you and leave card details or fax you with card details then they know you are manually processing the card and have their card details which you might retain.However when they enter a card online most consumers believe that it is being processed in real time and not; 1. stored 2. forwarded and 3 manually processed. So you mentioned that you explain that to your customers in the payment process.
I’ve been in to test my own new system as a customer and my gateway system clearly says “Transaction Status: Pending merchant approval”. This is exactly what I want it to say because it is the truth. Also, e-Path send out an email to the customer that says exactly the same thing. There is no grey area it is black and white.
This brings me to the other huge advantage of the manual system. Doing things my way nothing is attempted to be processed online blindly without me knowing like it would be with a real time online processing gateway. I am the one who decides what orders I accept for my business. The idea a third party service company is making that important decision for me is ridiculous and hugely risky. This is one of the main reasons why I do things manually.
John Debrincat, post: 152337 wrote:The other thing that bothers me is this quote from their site;“– NO expensive SSL and IP address to purchase for your website
— Become instantly PCI compliant online”Having an SSL Certificate is not just about the payment process it is there to protect all personal and sensitive data. So recommending that a SSL is not needed worries me. That means personal information is potentially not protected and transmitted unencrypted…
It is not my job to defend a company from your criticism no matter if I use them or not. But I don’t think you are being very accurate there. This is a copy and paste of what I found from their Q and A page…
“Q. My bank insists I need an SSL, but you say I don’t. I’m confused.
A. Your own exclusive e-Path gateway already has SSL. When you use e-Path your website does not need another SSL because your website has nothing to do with handling credit cards. Your bank may be getting mixed up, please point them to this website. Be mindful it is a requirement placed upon merchant account providers (banks) by the card vendors themselves (Visa, MasterCard etc.) that the bank must confirm an SSL is protecting things when credit card details are entered on the internet. They are doing the right thing by wanting this confirmed – send your bank the URL (web address) of your secure and exclusive e-Path gateway for them to become satisfied.But having said that, it is simply good practice to have your website protected by SSL. Some newer versions of browsers now alert a customer when they move from a secure (https) location back to a website that is not secure (http). We would recommend installing an SSL on your website to ensure the connection remains encrypted even after e-Path has done its job and returned the customer to your site. This way the online customer’s browser will not show a warning message because they will be moving from one SSL protected location to another SSL protected location.“
So there you go. From what I can see they are being very responsible in what they say.
John Debrincat, post: 152337 wrote:The second part is that you become “instantly” PCI compliant – that is total rubbish. PCI DSS compliance is not just about handling the card data on the website it also is about how you handle it in your organisation. For example these requirements:7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder dataI don’t know but to me there seems to be some badly thought through and misleading information on their website.
Look John, I’ve been through things with a fine comb over these last three weeks because of the warning I received by my bank. I chose e-Path and I am now more than happy with the service they provide me. My bank is happy too.
Your claim it is “total rubbish” when they say “Become instantly PCI compliant online” is itself total rubbish. I am sorry mate but what they say is 100% true. Everything I do online is already PCI compliant because it is NOT my hosting account touching credit card details. My gateway is not mine, it is located on the PCI compliant server of e-Path so to say it is suddenly not PCI compliant because I’m now using it is either just plain foolish of you or you just don’t know what it is about.
I think what you mean to say is PCI compliance is about what I do online PLUS what I do offline. That would make more sense because that would be correct. I have my bank’s advice and e-Path’s advice about how I need to handle credit card details from a card not present payment (from over the phone, by faxed order and payment and e-Path) and let me tell you I handle things 100% like I am suppose to – in compliance to PCI.
Where do warn your customers their credit cards are going to be permanently stored in a database somewhere?? And most importantly of all, where do you warn your customers they will never be able to get their own highly confidential credit cards deleted from any of the gateways you use on your sites? You need to let your customers know they will completely lose control over their own highly confidential credit card details if they pay on any of your sites using any type of real time processing system. You want to tell them the truth don’t you … or do you want to keep this critically important truth secret from them?????? . All card holders have an absolute right to know this so TELL THEM.
-
AuthorPosts
- You must be logged in to reply to this topic.
