[Hidden-tech] Shopping cart security

Fred Bliss fredbliss at comcast.net
Sun Feb 24 21:03:56 EST 2008


Hi Will & All,

Both of these questions can and should be addressed by a method and 
service that is built specifically for it.  In this case, a proper 
payment gateway service attached to a Card Not Present merchant account 
is simply the most secure and reasonable way to accomplish these 
requirements.

I'll use Authorize.net as my example.  First, recurring billing is a 
feature that may be implemented for an additional $10.00 per month.  It 
is referred to as "Automated Recurring Billing" or simply "ARB" for 
short.  Secondly, there are various modes of credit card capture 
available.  When you refer to a card being charged immediately, this is 
known as "Authorize and Capture".  Technically, the funds are not even 
withdrawn until batch settlement occurs (as in the case of 
Authorize.net) which happens at the end of the day.  That means that if 
the client needed to void the transaction and did so before batch 
settlement, they would avoid a costly chargeback (a chargeback is a 
(roughly) $30 processing fee to reverse transactions that have already 
"hit" the card, if you will). The end of the day is 4:00pm based on 
Mountain Standard Time for Authorize.net and will vary based on which 
Payment gateway service you use.  That means you would have up until 
6:00pm to reverse a transaction with no additional cost.

If you would prefer to not capture a card immediately, then the mode to 
use is simply "Authorize" and is a standard feature offered by providers 
such as Authorize.net.  Then, once product fulfillment can be 
guaranteed, simply log into the merchant account and capture the payment.

Now, to address the third issue which actually does not seem to have 
been brought up directly - PCI-DSS standards.  This is perhaps the 
most important reason to encourage your client to invest in a proper 
payment gateway service provider.  In the wake of major security breaches 
(think of the T.J. Maxx debacle where the billing information of 
millions of clients was stolen), the Payment Card Industry banded 
together to create a universal set of data security standards which 
would help to reduce the risk of credit card fraud and therefore reduce 
the cost of processing credit card transactions.  By working with a 
reputable payment gateway service provider, you are ensuring that 
transactions are meeting these standards.  You should look for a 
provider that is compliant with the latest PCI data security standards.

Finally, you must ensure that your e-commerce system does not store a 
full credit card number.  The gateway will do this for you if necessary 
(as is the case with Authorize-only style transactions) though they 
protect that information so that no one could log in and take a 
customer's payment information for their own fraudulent use.  In fact, 
with these standards in place and when they are followed correctly by a 
compliant service provider, they are much more secure than using your 
card in a traditional way, where prying eyes can simply copy your credit 
information when you pay for something!

So, really, the answer to all these questions is quite clear - leave it 
to the professionals and encourage your client not to try and save a 
buck when it comes to payment security and features. The last thing they 
need is to have their card processing services revoked or lawsuits 
because they wanted to save a measly 40 or 50 bucks a month. Gateway 
providers have the functionality needed to run an online business, and 
they worry about the risks of transmitting, storing and processing so you 
don't have to.  When you look at the cost of these services, remember 
that they are taking the risk off your shoulders as much as they can, 
and that is a great value for the monthly cost.

For more information on PCI-DSS standards, follow this link: 
https://www.pcisecuritystandards.org/

Regards,

Fred Bliss

> 1. The need to make recurring installment payments on a purchase
>
> 2. They do NOT want to use a service that charges the card immediately -
> even though it might be more secure - because they need to insure that the
> item being purchased (for example, registering for a class) is both
> appropriate for and still available. Once approval is made the CC
> transaction is run. Clients that have used services that charge the card
> immediately in this type of situation report having to reverse up to 25% of
> the charges for various reasons, which is a real waste of time.

Will Loving wrote:
> I've been following this thread with some interest as I'm needing to address
> some similar issues. A couple of reasons why I know some clients might want
> to store the CC information are:
>
> 1. The need to make recurring installment payments on a purchase
>
> 2. They do NOT want to use a service that charges the card immediately -
> even though it might be more secure - because they need to insure that the
> item being purchased (for example, registering for a class) is both
> appropriate for and still available. Once approval is made the CC
> transaction is run. Clients that have used services that charge the card
> immediately in this type of situation report having to reverse up to 25% of
> the charges for various reasons, which is a real waste of time.
>
> If someone has experience with either of these scenarios I would be
> interested in hearing your thoughts...
>
> Will
>
> Will Loving, President
> Dedication Technologies, Inc.
>
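The authorize / capture / settle / void lifecycle Fred describes above (capture only once fulfilment is guaranteed, a free void before the daily batch, a fee once funds have settled, and never storing the full card number) as a small model. This is an added example, not code from the thread or from any gateway; the 4:00pm cutoff and $30 fee are the figures quoted in the post, the `gateway_ref`/`last4` fields and naive local timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class State(Enum):
    AUTHORIZED = "authorized"   # funds held, nothing captured ("Authorize" mode)
    CAPTURED = "captured"       # queued for the day's batch ("Authorize and Capture")
    SETTLED = "settled"         # batch ran; money actually moved
    VOIDED = "voided"           # reversed before settlement: no fee
    REFUNDED = "refunded"       # reversed after settlement: chargeback fee applies

SETTLEMENT_HOUR = 16   # 4:00pm in the gateway's local time (assumed naive timestamps)
CHARGEBACK_FEE = 30.0  # the rough per-reversal fee quoted in the post

def next_settlement(captured_at: datetime) -> datetime:
    """The batch that will sweep a capture: today's cutoff, or tomorrow's if already past."""
    cutoff = captured_at.replace(hour=SETTLEMENT_HOUR, minute=0, second=0, microsecond=0)
    return cutoff if captured_at < cutoff else cutoff + timedelta(days=1)

@dataclass
class Transaction:
    gateway_ref: str            # opaque reference from the gateway: the only card-linked value kept
    last4: str                  # for receipts only; the full PAN is never stored here
    amount: float
    state: State = State.AUTHORIZED
    captured_at: Optional[datetime] = None

    def capture(self, now: datetime) -> None:
        """Capture once fulfilment is guaranteed; only valid from the authorized state."""
        if self.state is not State.AUTHORIZED:
            raise ValueError(f"cannot capture in state {self.state.value}")
        self.state, self.captured_at = State.CAPTURED, now

    def settle_if_due(self, now: datetime) -> None:
        if self.state is State.CAPTURED and now >= next_settlement(self.captured_at):
            self.state = State.SETTLED

    def reverse(self, now: datetime) -> float:
        """Undo the charge; returns the fee incurred (0 for a void, CHARGEBACK_FEE after settlement)."""
        self.settle_if_due(now)
        if self.state in (State.AUTHORIZED, State.CAPTURED):
            self.state = State.VOIDED
            return 0.0
        if self.state is State.SETTLED:
            self.state = State.REFUNDED
            return CHARGEBACK_FEE
        raise ValueError(f"already reversed ({self.state.value})")
```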