Accept Credit Cards Online – Charge Manually Offline

  • #1132087
    eWAY
    Member
    • Total posts: 524
    Billy744, post: 152472 wrote:
    You know as well as I that this is not a PCI requirement. In many instances merchants are approved to view card details in order to process a charge.

    PCI-DSS requirement 3.3 states PAN must be masked except in certain circumstances as I stated such as needing to access it to provide to police during a fraud investigation. You need to consult a QSA if you want the exact answers on what’s allowed and what’s not.

    I’m one of the staff at eWAY who has been involved in our PCI compliance including being educated on what the correct interpretation of the rules is by a QSA.

    I’m not here as a scaremonger, I’m simply trying to make sure you understand the PCI-DSS correctly as per the industry that created it and the advisors they’ve approved to assess providers against it. I’ll be happy to admit I’m wrong about manual transactions if the gateway you use provides a compliance certificate from a QSA.

    Scrooge, post: 152473 wrote:
    We have had this discussion before – No eway 0.9% transaction fee with eway 1.9% transaction fee – ANZ example – go direct with ANZ 1% saving straight up before further comparison.

    That’s very interesting to hear and I’ll be raising that with our sales manager. I know our agreed rate with CBA for reselling their merchant accounts is 1.4% so 1.9% is very high.

    Maclean

    #1132089
    Billy744
    Member
    • Total posts: 61
    eWAY, post: 152482 wrote:
    PCI-DSS requirement 3.3 states PAN must be masked except in certain circumstances as I stated such as needing to access it to provide to police during a fraud investigation. You need to consult a QSA if you want the exact answers on what’s allowed and what’s not.

    I’m one of the staff at eWAY who has been involved in our PCI compliance including being educated on what the correct interpretation of the rules is by a QSA.

    I’m not here as a scaremonger, I’m simply trying to make sure you understand the PCI-DSS correctly as per the industry that created it and the advisors they’ve approved to assess providers against it. I’ll be happy to admit I’m wrong about manual transactions if the gateway you use provides a compliance certificate from a QSA.

    Maclean

    I have just got off the phone to my merchant services manager at my bank and he has told me PCI does NOT prevent MOTO merchants from performing a charge on a credit card in any way whatsoever. He laughed at me which made me feel like an idiot considering I have just finished all this stuff with my bank.

    He said one of the key components to being approved as a MOTO merchant is not storing the data in electronic format which I don’t. Using e-Path you can’t anyway.

    He also told me that my “compensating controls” I have by deleting the credit card details the moment the card is transacted is officially classed as “goes above and beyond” (actual PCI term) the requirements of PCI. He said if everyone was doing things manually and no credit cards existed anywhere after transacting there would be hardly any fraud in the world and maybe no need for the PCI in the first place!!!!!

    So there you go.
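The two points argued above, masking a PAN for display (requirement 3.3, first six and last four digits at most) and verifying that no card number survives in a record after it has been processed, can both be checked in code. The following is an added example, not code from eWAY, e-Path or any poster; the fax order text and the card numbers in it are constructed test values.

```python
import re

# Constructed sample: a transcribed fax order of the kind discussed above.
# The card numbers are industry test numbers (Luhn-valid, never issued).
SAMPLE_FAX_ORDER = (
    "Order 1042 - Customer: J. Citizen\n"
    "Card: 4111 1111 1111 1111 exp 12/24\n"
    "Phone: 0412 345 678 (not a card number)\n"
    "Alt card: 5555-5555-5555-4444\n"
)

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens,
# not adjoining other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep at most the first six and last four digits.

    PCI DSS requirement 3.3 sets first-six/last-four as the maximum that may
    be shown; the digits in between are replaced with 'X'. Separators are
    dropped. Raises ValueError if the input is not a plausible PAN.
    """
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid, unmasked card number found in free text.

    A defender's check over records that should hold no card data once the
    charge is done (order notes, mailboxes, exported spreadsheets). Phone
    numbers and other digit runs are filtered out by length and checksum.
    """
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every detected PAN in text with its requirement-3.3 masked form."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("unmasked PANs found:", find_unmasked_pans(SAMPLE_FAX_ORDER))
    print(redact_pans(SAMPLE_FAX_ORDER))
```

Running `find_unmasked_pans` over a record after it has been "destroyed" is how a merchant can show, rather than assert, that the card data no longer exists there.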

    #1132090
    Zava Design
    Participant
    • Total posts: 1,463
    Billy744, post: 152147 wrote:
    I hope you are not telling me you would prefer your credit card details to be permanently stored online somewhere rather than giving it directly to a merchant where your card details won’t even exist after the transaction is performed.
    But who says? How do I verify this??

    For me and for many like me I would prefer to pay the merchant directly and know my credit card details won’t exist after processing rather than say goodbye to them as they head off in to the wild internet where they will be permanently stored somewhere.

    And there are many others who would rather trust a well known and reputable payment gateway than some faceless small business merchant.

    I really can’t see why you got so aggressive for me suggesting this?

    #1132091
    Billy744
    Member
    • Total posts: 61
    Scrooge, post: 152483 wrote:
    Don’t get me wrong you have a great product that allows people to easily accept online payments without the need for PCI compliance of their site which is no easy or cheap feat.

    Hey scrooge,
    Just interested, do people stay on your website when they enter their credit cards or are they taken somewhere else?

    Reason why I ask this is because if you are with eway, just as an example, and people enter their credit card on your website for it to be processed by eway, your website will need to go through the whole PCI compliance certification process which means penetration testing, scans etc. Your website must be certified as PCI compliant in its own right by an approved PCI scanning vendor.

    This usually means it can’t be on shared hosting.

    I am a manual MOTO merchant and use e-Path so I don’t have to do any of this for my website.

    #1132093
    Billy744
    Member
    • Total posts: 61

    Thanks Scrooge,

    Yes agreed. And you are doing everything right by the sounds of things as far as I know.

    I only ask because I know a number of people who are with eway and their customers enter their credit cards on their own site and it is transmitted off to eway for processing. This is because they want to keep the customer on their site.

    Their websites are all in normal hosting accounts (shared hosting) and don’t have PCI compliance certification on their own, which is illegal under PCI. It means they are taking a massive risk and could even risk getting hit with fines any day from what I read.

    This very issue personally caused me a HUGE panic attack about three weeks ago before I moved to e-Path so I know all about it. I studied it in depth because if I could have avoided having to go with e-Path I certainly would have.

    According to PCI (quote taken from page 5 of PCI DSS v2.0) …

    PCI DSS applies to all “entities that store, process or transmit cardholder data”

    So, if you are with eway or any other credit card payment processing gateway and your site is transmitting cardholder data to eway (or any gateway) for processing you absolutely must go through the full PCI certification process for your website.

    Some gateways now offer a remotely hosted (they host it) PCI compliant payment page where websites move their paying customer to, so the customer can enter their credit card details on a payment page already hosted in a PCI compliant environment. This is a fantastic idea as it solves the problem. e-Path do this out of the box with their service so I’m covered. I am sure eway and other payment gateways probably do this too now.

    But for anyone with a website where customers actually enter their credit cards then the site transmits the credit card details to their real time credit card payment gateway then I would suggest you urgently go through the full PCI compliance process for your website.

    It is all about doing the right thing by PCI, way too much risk otherwise.

    Offline compliance I didn’t find all that simple because of the documentation I had to provide, although I agree with you in that the mechanics is basic common sense.

    I have to have a set documented procedure in place that covers how I handle the credit card details and guarantees it is destroyed after processing. But yeh, once the credit card details don’t exist PCI and security become a complete non issue. So for me PCI only covers me having the credit card details, processing it then they don’t exist – a process that only takes a few minutes. Funny when you think about all this PCI stuff when for MOTO merchants it really only relates to three or four minutes.

    #1132095
    Billy744
    Member
    • Total posts: 61

    Thanks Scrooge, but are you totally sure about this?

    My understanding for the requirement for all websites to be PCI compliant if they were transmitting credit card data to anywhere, is because of the known, recognised and high risks associated with Trojans, Malware and the like that can sit even within the actual website software and copy the information being entered by the customer to somewhere else, or even save it to a hidden area and be picked up by the hacker.

    Not a lot of people realise SSL only protects (encrypts) the actual live connection between the customer and the website, that’s all it does. While the connection between your site and the gateway is of course also secure, SSL has nothing to do with how safe and secure your actual website software is, the files in it, what exists in your website, how your software works, how safe the server is your website is in, how safe the network is that is connected to your server, or how your software actually bundles up the card data to transmit it in the first place. There is a heap of other stuff too that is beyond me but that’s all where the real risk is and can sit usually undetected.

    Shared hosting is a huge risk in this regard because your website is being hosted on a server maybe with hundreds of other sites too. Who knows what type of vulnerabilities it has or to what extent it has already been exploited.

    PCI compliance scanning is designed to certify your website is safe and secure and is OK to transmit credit card details off to your gateway. It checks for vulnerabilities that can be easily exploited by hackers which can mean credit card details are copied/stolen and you would have no idea it’s even going on.

    I think this is why PCI is a requirement for all websites that transmit credit card data, irrespective of where the credit card data is being transmitted to.

    #1132097
    Billy744
    Member
    • Total posts: 61
    Scrooge, post: 152523 wrote:
    Hi Billy as mentioned in my previous post.

    Basic vulnerability scanning is also performed before final approval.

    As I said you have to pass let’s call it a mini PCI compliant process.

    As an aside no e-commerce or business site for that matter has any business being on a shared host.

    Thanks Scrooge,

    Fair enough. If you have satisfied your bank’s requirements for an e-commerce site transmitting credit card data off your site then I assume you must be covered.

    If something happens down the track and you get in trouble for your website not being PCI compliant certified, then hand that over to your bank, it should be their problem not yours, they would be liable – because you have done exactly what is required by your merchant account provider. You can’t be expected to do any more than that.

    For me, because I use e-Path, I am so darn pleased I don’t have to worry about anything to do with my website and it being PCI compliant or not now. A huge relief.

    #1132098
    John Debrincat
    Member
    • Total posts: 963
    Billy744, post: 152488 wrote:
    I have just got off the phone to my merchant services manager at my bank and he has told me PCI does NOT prevent MOTO merchants from performing a charge on a credit card in any way whatsoever.

    Congratulations Billy you must have a great merchant services manager that you deal with at your bank to take a call after 5PM on a Friday. Regardless of what he has told you and what you have written it is not correct. PCI compliance does not come by phone and it involves all types of credit card transactions.

    Following is from the PCI Compliance FAQs:

    Q: To whom does PCI apply?
    A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

    Billy744, post: 152488 wrote:
    Their websites are all in normal hosting accounts (shared hosting) and don’t have PCI compliance certification on their own, which is illegal under PCI.

    To also address this quote from a previous post. The Payment Card Industry Data Security Standards are not laws so breaching them is not illegal. They are a set of guidelines and requirements and regularly are changed and updated. A merchant using a shared hosting account can be PCI compliant. Any merchant regardless of where they host can undertake a Self Assessment Questionnaire and if completed correctly provides validation of PCI Compliance. There is a PCI Security Standards website that is specifically designed for small businesses that can help through the process of understanding. Security companies like COMODO and McAfee, both Certified Scanning Vendors, also have online resources like COMODO PCI SAQ and McAfee PCI Certification that merchants can use.

    It makes it a lot easier if the hosting service provider is a PCI Compliant service provider. But for a service provider it does cost money to achieve, requires quarterly scans and annual audits; and requires a PCI Compliant data center as well. But all well worth it if the bulk of your hosting accounts are doing eCommerce like ours.

    You sound like you have a good process on your store so why not post a link in your signature or in this thread I am sure that there are many who would like to learn from what you have done. You can also get some great free marketing for your online store.

    John

    #1132099
    Billy744
    Member
    • Total posts: 61
    John Debrincat, post: 152537 wrote:
    Congratulations Billy you must have a great merchant services manager that you deal with at your bank to take a call after 5PM on a Friday. Regardless of what he has told you and what you have written it is not correct. PCI compliance does not come by phone and it involves all types of credit card transactions.
    Hello John,
    Thank you but they don’t close at 4.00pm. I rang well before 5pm. This site must record time as 1 hour advanced as opposed to normal Australian (Queensland) time.

    And where did you get that PCI comes by phone? I think you may have misunderstood me.

    I needed to ask a particular question after eway said MOTO merchants who enter credit card details manually are operating contrary to PCI because the number should be masked, for example, when I receive a fax order with payment details in it the credit card number should be masked. I became very alarmed at this despite having completed my own PCI compliance less than a week ago. So concerned was I that I did make the phone call, to the merchant services manager who handled my PCI documentation just the week before. He confirmed eway are incorrect.

    John Debrincat, post: 152537 wrote:
    Q: To whom does PCI apply?
    A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

    To also address this quote from a previous post. The Payment Card Industry Data Security Standards are not laws so breaching them is not illegal. They are a set of guidelines and requirements and regularly are changed and updated. A merchant using a shared hosting account can be PCI compliant. Any merchant regardless of where they host can undertake a Self Assessment Questionnaire and if completed correctly provides validation of PCI Compliance. There is a PCI Security Standards website that is specifically designed for small businesses that can help through the process of understanding. Security companies like COMODO and McAfee, both Certified Scanning Vendors, also have online resources like COMODO PCI SAQ and McAfee PCI Certification that merchants can use.

    It makes it a lot easier if the hosting service provider is a PCI Compliant service provider. But for a service provider it does cost money to achieve, requires quarterly scans and annual audits; and requires a PCI Compliant data center as well. But all well worth it if the bulk of your hosting accounts are doing eCommerce like ours.

    You sound like you have a good process on your store so why not post a link in your signature or in this thread I am sure that there are many who would like to learn from what you have done. You can also get some great free marketing for your online store.

    John

    My wording says “illegal under PCI”. I don’t think others have misunderstood my meaning here.

    I agree with the remainder of your comment. As far as my understanding of PCI goes, yes, if your website stores, processes or transmits card data it must achieve PCI compliance certification from an ASV. However, in dealing with Scrooge the impression I got was he was following what his bank had advised him, hence me answering him like I did.

    No, I won’t be posting a link to my site because of the hostile attitude of some here. The real time payment processing people seem to really dislike the manual method that is starting to become very popular now (would have to be taking business away from them). If I give my website address I imagine I will be hit with possibly a massive number of “fake” orders from the “many who would like to learn from what you have done”.

    So, to accommodate those you say would like to learn what I have done, here is a brief for you …

      • I have a system that is beautifully inexpensive
      • I am PCI DSS compliant online and offline
      • I have stopped anonymous individuals from attempting to blindly process any card they like into my own private merchant account on the internet without me knowing
      • I am the one who decides what orders I accept and don’t accept
      • I am able to stop fraud attempts straight away before they do any damage
      • I have a system that gets the customer’s credit card details off the internet and away from anything on the internet.
      • People can pay me online and after their card has been charged it does not exist anywhere.
      • People’s credit cards are NOT being permanently stored electronically online or in any database by the gateway where the cardholder is not even allowed to get their own highly confidential credit card details removed or deleted

    Anytime card data is stored electronically, no matter what type of claimed security exists to protect it, there is always a risk. This is just fact. But with my way, I don’t store it electronically and once the card is charged cardholders know that risk to them simply does not exist. Every single one of my customers is told this and the response has only been overwhelmingly positive.

    So there you go. If you want to be a MOTO merchant, talk to your bank about a MOTO merchant account system (like a virtual POS or mobile phone app – but it must be approved as MOTO), and then get e-Path (http://e-path.com.au) or EGateway (http://egateway.com.au) as your credit card payment gateway (sorry, they are the only two I know of but that’s two more than I knew a few weeks ago!!).

    I would not recommend a manual way if you are doing large numbers of orders and payments per day. However, if you are a smaller merchant wanting total control over what orders and payments your business accepts, don’t mind charging credit cards yourself, want to actively stop yourself from falling victim to fraud, want to keep your merchant account away from the internet and under only your control and you like the idea of saving possibly a small fortune then go for it.

    I am finding it excellent, especially now I am doing things properly and am PCI compliant (I have to admit, I wasn’t before).

    Thanks

    #1132100
    JohnTranter
    Member
    • Total posts: 842
    Billy744, post: 152557 wrote:
    No, I won’t be posting a link to my site because of the hostile attitude of some here. The real time payment processing people seem to really dislike the manual method that is starting to become very popular now (would have to be taking business away from them). If I give my website address I imagine I will be hit with possibly a massive number of “fake” orders from the “many who would like to learn from what you have done”.

    It’s just a polite way of asking you to prove who you say you are, because of your short time on the forum
    i.e. you have a small number of posts, and all of them have been in a thread with the same subject matter

    Some cynical people might think that there are at least 3 posters in this thread with undisclosed commercial interests. Some slightly more cynical people might wonder if those posters are different people.

    #1132101
    Billy744
    Member
    • Total posts: 61
    JohnTranter, post: 152561 wrote:
    It’s just a polite way of asking you to prove who you say you are, because of your short time on the forum
    i.e. you have a small number of posts, and all of them have been in a thread with the same subject matter

    Some cynical people might think that there are at least 3 posters in this thread with undisclosed commercial interests. Some slightly more cynical people might wonder if those posters are different people.

    Hi John,

    OK, now I understand. So here is my story...

    I have been a frequent visitor on and off for some time but have never felt the need to post a message. However, my bank advised me, in no uncertain terms, the way I was capturing credit cards on my website for processing offline was unacceptable and not PCI compliant. I spent over a week, every day studying PCI inside and out and made many calls to the merchant services division of my bank to get clarification about things where needed.

    I didn’t want to be forced into using an online credit card processing system and lose control over everything, and they are very expensive. Friends of mine use them and they have to deal with fraud payments getting through which causes havoc whereas I can easily spot them as they come in. Heaven knows how much that has saved me.

    I really urgently needed to find out if there was another option. How do people do this and be PCI compliant without being forced to use an expensive real time processing gateway? Hence me signing up as a member and asking my original question.

    A member here called Trudy was the one who suggested e-Path, which I am very thankful for. I seriously did not know anything like this existed.

    In this thread of mine I quickly learned the real time payment people and those involved in e-commerce that only can do real time processing here don’t like people talking about MOTO merchants – people who do things manually. That’s the impression I have and I’ve been sort of defending myself, my business and my chosen manual method ever since.

    And defend it I most certainly will because I firmly believe it is by far the safest method for sure. If PCI is about trying to keep credit cards safe, then doing it manually where after the charge credit cards don’t even exist, then the manual method 100% nails the ultimate objective of PCI – credit card data can’t possibly be any safer than when it doesn’t even exist.

    But because of what is going on here in this thread and the people who obviously are trying to prove the manual method is “bad” or “unsafe” I don’t think it would be a wise idea to give them my website address. I hope you can appreciate the predicament.

    Anyway, that’s all about me. I am genuine and because I came here I am now set up correctly, still doing things manually and now PCI compliant as well. So I have this site to thank, and a person named Trudy.

    Thanks

    #1132102
    Zava Design
    Participant
    • Total posts: 1,463
    Billy744, post: 152557 wrote:
    No, I won’t be posting a link to my site because of the hostile attitude of some here.
    Whose hostile attitude?? You’re kidding, right?

    But because of what is going on here in this thread and the people who obviously are trying to prove the manual method is “bad” or “unsafe”…

    Folk are just questioning your selective data you provide, plus that you seemingly want to ignore the fact that manual processing is asking a purchaser to “trust” a merchant they have never met, nor often ever heard of. No one got hostile about the discussion apart from you, and from questions that I as a buyer would be asking, much less as an ecommerce developer. You also avoided addressing the concerns raised.

    E-Path also avoided answering my question about what sorts of checks and balances they have on merchants they provide buyers credit card details to, so you’re not the only one.

    #1132103
    Billy744
    Member
    • Total posts: 61

    You for one. Read back through some of your posts at what you have said to me.

    Manual processing is getting back to ensuring the cardholder is dealing directly with the true business owner who the cardholder has decided to buy from, not some faceless third or fourth party internet based electronic system that’s going to take their credit card details and permanently store them somewhere electronically where the cardholder is told, “no, we have your personally identifiable information (your credit card) details now and we are not allowing you to have them removed from our systems, we will store them for as long as we like”.

    Essentially, this is what happens most of the time but of course the cardholder is not actually told this which I don’t think is right because according to Australian Privacy Laws they have to be informed of this before ANY electronic system seizes hold of their confidential information. But I have not seen one website that uses an online payment processing system that does this. Does yours??????

    It might be OK for you to have this happen to your own credit card details but others, such as my own customers, let me tell you no way in the world. My own customers highly value the fact their credit card details won’t exist anywhere after the transaction.

    If it appears I have been promoting either e-Path or EGateway then my apologies, that was not my intention. But I do think the MOTO method for sure is the better and safer method. No question about that.

    And if e-Path haven’t answered you maybe they just haven’t seen your question. Why don’t you email them or something. It was me who emailed them last week suggesting they should come in here in the first place which I see they decided to do.

    Thanks

    #1132104
    Zava Design
    Participant
    • Total posts: 1,463
    Billy744, post: 152575 wrote:
    You for one. Read back through some of your posts at what you have said to me.
    I did read back.

    Worst that I wrote:
    “It boggles my mind that someone responsible for someone else’s credit card details would contemplate taking such a risk.”
    “And make sure you post the link to your online store(s) here, I want to make sure to not buy anything from them if you’re taking the credit card details yourself, and warn my friends about them too.”

    You:
    “For goodness sake, take time to read and learn please.”
    “Wake up and smell the cofee!!!”
    “CLICK ON THOSE LINKS I POSTED AND LEARN.”

    …plus various other bolded and capitalised demands to me.

    So I’ll ask again, who’s the one being hostile in this thread? I’ll take an apology and we can just move on if you like.

    Manual processing is getting back to ensuring the cardholder is dealing directly with the true business owner who the cardholder has decided to buy from, not some faceless third or fourth party internet based electronic system

    I have no idea who 99.9% of online store owners are. I do know who the well known and trusted online merchants are, the level of security they utilise, and so I can make an informed decision on whether to risk my CC details or not. I can’t make an informed decision on a merchant who I’ve never met before, and have no idea what type of digital and physical security setup they have in place to protect my CC details if they receive them. You seem to dismiss this as a minor or non issue.

    And you seemed to simply ignore my mention that the only time I’ve been a victim of CC fraud was arising from two face to face purchases a few years ago.

    Until you supply figures for total credit card transactions, online and face to face, and the relevant fraud figures for each, then neither of us can say that online is more or less risky than offline/manual, hence it’s down to our own personal viewpoints, rather than anyone “not smelling the coffee”, or whatever other form of abuse or dismissive language you choose to throw at something simply because they don’t agree with you.

    #1132105
    John Debrincat
    Member
    • Total posts: 963
    Billy744, post: 152563 wrote:
    Hi John,

    OK, now I understand. So here is my story...

    I have been a frequent visitor on and off for some time but have never felt the need to post a message. However, my bank advised me, in no uncertain terms, the way I was capturing credit cards on my website for processing offline was unacceptable and not PCI compliant. I spent over a week, every day studying PCI inside and out and made many calls to the merchant services division of my bank to get clarification about things where needed.

    I didn’t want to be forced into using an online credit card processing system and lose control over everything, and they are very expensive. Friends of mine use them and they have to deal with fraud payments getting through which causes havoc whereas I can easily spot them as they come in. Heaven knows how much that has saved me.

    I really urgently needed to find out if there was another option. How do people do this and be PCI compliant without being forced to use an expensive real time processing gateway? Hence me signing up as a member and asking my original question.

    A member here called Trudy was the one who suggested e-Path, which I am very thankful for. I seriously did not know anything like this existed.

    In this thread of mine I quickly learned the real time payment people and those involved in e-commerce that only can do real time processing here don’t like people talking about MOTO merchants – people who do things manually. That’s the impression I have and I’ve been sort of defending myself, my business and my chosen manual method ever since.

    And defend it I most certainly will because I firmly believe it is by far the safest method for sure. If PCI is about trying to keep credit cards safe, then doing it manually where after the charge credit cards don’t even exist, then the manual method 100% nails the ultimate objective of PCI – credit card data can’t possibly be any safer than when it doesn’t even exist.

    But because of what is going on here in this thread and the people who obviously are trying to prove the manual method is “bad” or “unsafe” I don’t think it would be a wise idea to give them my website address. I hope you can appreciate the predicament.

    Anyway, that’s all about me. I am genuine and because I came here I am now set up correctly, still doing things manually and now PCI compliant as well. So I have this site to thank, and a person named Trudy.

    Thanks

    Billy no one here will attack you for doing what you believe is correct. I have spent the last 10 years promoting ecommerce and safety online. So your arguments are not new to me at all. Just a little naive.

    There will be no animosity from anyone on this forum if you disclose your website address. But it is really your decision. In my experience the best way to get the message across is to show a good example.

    You like to reference laws like the Australian Privacy Laws but you don’t understand them and are giving incorrect references and therefore advice. The only valid information that you have is what you do yourself for your business and why.

    But for your information, yes we do address this on our websites in the T&C’s and Privacy Policy and yes we do always ensure that card details are deleted.

    We have to make decisions on what payment methods we support as a service provider for online retailers. Each payment method that we integrate takes planning, development and maintenance. It is a long term commitment for us that over the years will cost us $100,000 or more in development, maintenance and support for each gateway. So we have a very detailed methodology to look at and review each gateway. We have never been asked to provide e-path integration which says something in itself.

    John
