Dynamo
10 replies to this thread.
WebWorker
29 May 2008, 7:55 am
Taking Credit Card numbers
I have a client with local shop wanting a new site, he is already selling goods online, but only taking the credit cards numbers together with the order, he then downloads the list of orders to process manually on his shop card machine.
Is that advisable? does anyone have any security advice?
waltd
29 May 2008, 12:37 pm
It’s okay to take credit card numbers, as long as you do so over an SSL connection (buy a certificate, have your hosting provider set it up, make sure all links in to your secure area start with https://, etc.) and then — this is the most critical part — DON’T KEEP THEM!
Hang on to the numbers for the bare minimum amount of time you need them and then destroy them. The longer you have them hanging around, the larger the window of opportunity for someone to steal them.
Other things you can do to minimize your risk:
- Don’t use a shared host. Use a “virtual private server” or a real co-located server. Somewhere where you can be ‘root’ and nobody else can. A shared server makes it much easier for someone evil to rent an account and then hack into other accounts on the same box.
- Use a real commerce gateway, where you can hand off the card processing to a third party, who assumes all risk.
- Naturally, don’t send card information through e-mail. That’s like writing it on the side of your car in spray paint in terms of security.
It sounds like a pretty bad idea to me, I hope you think long and hard about how to talk your client out of it.
Walter
Freeway user since 1997
Joe Muscara
29 May 2008, 2:46 pm
It’s so easy to tie into something like PayPal or Kagi, and when you process CCs properly online, NO ONE sees the CC numbers. One can argue that online transactions are more secure because of this, though I understand that systems get hacked too. But like Walter says, if it’s a third party system, your client should not be responsible. If someone gets the CC numbers directly from your client via the trash, breaking into his office, or something like that, then he’d be responsible.
Joe Muscara
Freeway Actions and more t2studios.com/freeway
Tim Plumb
29 May 2008, 4:19 pm
This is one way of working with the Mals store (www.mals-e.com). When an order is placed the store owner is emailed a simple notification and can log in to their secure admin area to pick up the order details, card numbers, etc. and process the order manually. A MUCH better solution, as previously mentioned, is to link the cart to a 3rd party payment processor who will charge the card for you over a secure link. The store owner never sees the card details and is off the hook for any wrongdoing that may happen with the card details. Regards, Tim.
Quoting WebWorker
I have a client with local shop wanting a new site, he is already selling goods online, but only taking the credit cards numbers together with the order, he then downloads the list of orders to process manually on his shop card machine.
Is that advisable? does anyone have any security advice?
Extend Freeway the way you want with FreewayActions.com www.freewayactions.com
WebWorker
29 May 2008, 5:33 pm
Unfortunately the client is insistent he takes the card number to avoid extra charges by processors.
I’ll check out the Mal’s options - will be better than setting up something bespoke as those charges won’t be liked either.
waltd
29 May 2008, 6:09 pm
I recommend that you talk to an attorney about this. You may be setting yourself up for liability in the case that you inadvertently build something that leaks. You may need to have your stingy client sign a waiver absolving you of all responsibility and agreeing to defend you vigorously in case of a disaster. I doubt I would take this job under those conditions, and I have been doing commerce online for years.
Walter
On May 29, 2008, at 1:33 PM, WebWorker wrote:
Unfortunately the client is insistent he takes the card number to avoid extra charges by processors.
I’ll check out the Mal’s options - will be better than setting up something bespoke as those charges won’t be liked either.
Freeway user since 1997
Joe Muscara
29 May 2008, 6:15 pm
I haven’t compared them, but are the “extra charges by processors” really much different from what he pays for processing cards now? All CC processing has some fees somewhere.
I agree with Walter. CYA.
Joe Muscara
Freeway Actions and more t2studios.com/freeway
WebWorker
30 May 2008, 7:41 am
I’m only at a stage of checking things out to see what, if anything, is possible. I’ve already told him when he approached me of the liabilities (he’s already doing this process), and he might even already be in breach of terms with his current card processor. (He prints off the order with card numbers and puts them in his shop until the order is processed!!)
I want him to use a processor for his cards. But I said I would check out if anything was possible keeping it this way. If there is no good way of doing this, then it won’t happen. With me anyway.
thatkeith
30 May 2008, 11:36 am
Sometime around 29/5/08 (at 14:15 -0400) Joe Muscara said:
CYA.
CYA = Cover Your Ass, also Contact Your Attorney. Same difference. :-)
k
Weaver
30 May 2008, 3:38 pm
A big concern for CC companies is the CVV2 number on the back of the card (or front in the case of AMEX). Our discussions with our processor, put simply, yielded that they really weren’t bothered that we took phone orders and had to physically write down the CC number for the customer, just that the CVV2 number not be recorded or written ANYWHERE!!
And quite frankly, when asked the simple question of: ‘Wouldn’t I have to note the number in order to manually process the card?’
A typical bureaucratic paradox resulted:
- You need the CVV2 number to properly validate the transaction (so the processor trusts that you actually interfaced with the customer),
- But you cannot record the number anywhere, even if just for a moment.
I know this point is a very critical matter with having a merchant account in good standing.
With that in mind, it will actually be more likely to be cheaper to electronically process the cards through something like Authorize.net, that can accept the full credentials (cvv2 included) of the customer and more definitively validate the transaction.
FW4/5Pro User
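Two points in this thread are worth seeing in code: Walter's "hang on to the numbers for the bare minimum time" and Weaver's "the CVV2 must not be recorded anywhere". The following is an added example, not code from any poster or from the Mals / Authorize.net products named above. It shows a small order-intake helper that keeps only the last four digits of the card (which PCI DSS permits a merchant to retain) and drops the CVV2 entirely, plus a scanner that flags Luhn-valid card-number runs in free text so a developer can check that order e-mails or server logs are not leaking full card numbers. The function names, the order dict layout and the sample log line are all constructed for the example; 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.

```python
"""Added example: retain only what a merchant may keep from a card, and
scan text (logs, notification e-mails) for leaked card numbers.
Function names and the order record layout are assumptions for this example."""
import re

# Fields that must never be written to disk, e-mail or logs.
# CVV2 is "sensitive authentication data" under PCI DSS and may not be
# stored after authorization; the full PAN should not be kept at all if
# the merchant has no need for it.
FORBIDDEN_FIELDS = ("card_number", "cvv2")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check on a string of digits (catches typos and
    separates card-like runs from order numbers or phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask everything but the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_order(order: dict) -> dict:
    """Build the record that is safe to store or e-mail to the shop owner:
    the full PAN and the CVV2 are removed, only the last four digits stay.
    Raises ValueError if the card number does not look like a card number,
    so a malformed order is rejected before anything is persisted."""
    pan_digits = re.sub(r"\D", "", order["card_number"])
    if not (13 <= len(pan_digits) <= 19 and luhn_valid(pan_digits)):
        raise ValueError("card number fails length/Luhn check")
    stored = {k: v for k, v in order.items() if k not in FORBIDDEN_FIELDS}
    stored["card_last4"] = pan_digits[-4:]
    return stored


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_leaks(text: str) -> list[str]:
    """Return masked card numbers found in free text. Only Luhn-valid
    runs are reported, which keeps false positives from order ids low.
    Run this over order e-mails and application logs to verify that
    nothing card-shaped is being written where it should not be."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample order, as the shop's form might submit it.
    order = {"order_id": 42, "card_number": "4111 1111 1111 1111",
             "cvv2": "123", "expiry": "12/09"}
    print(sanitize_order(order))
    # Constructed log line that should never have been written.
    print(find_pan_leaks("order 42 card 4111 1111 1111 1111 cvv 123"))
```

The point of `find_pan_leaks` is not to catch a determined attacker but to catch the developer's own mistakes: a debug print, a notification e-mail template that interpolates the whole form, a web-server access log recording a GET with card fields in the query string. Run it over whatever the site writes to disk or sends by e-mail before going live; an empty result on realistic test orders is the minimum bar for the "take the number and process manually" design the client is asking for.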
Finlay Dobbie
14 Jun 2008, 4:23 pm
On Thu, May 29, 2008 at 6:33 PM, WebWorker
Unfortunately the client is insistent he takes the card number to avoid extra charges by processors.
If he has the ability to process transactions on-site, he probably already has a merchant account with his bank. The security implications of recording the card number are non-trivial, and as others have said it is against the terms of the merchant account to store the CVV numbers (the ones on the back of the card, used for verification for CNP transactions).
The best thing will probably be for him to talk to his bank, and discuss setting up an internet merchant account with them. See what fees they offer. It may very well be that something like PayPal (Web Payments Pro for example) might be cheaper.
— Finlay