Taking Credit Card numbers

I have a client with a local shop wanting a new site. He is already selling goods online, but only by taking the credit card numbers together with the order; he then downloads the list of orders to process manually on his shop card machine.

Is that advisable? Does anyone have any security advice?


dynamo mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

It’s okay to take credit card numbers, as long as you do so over an SSL connection (buy a certificate, have your hosting provider set it up, make sure all links in to your secure area start with https://, etc.) and then – this is the most critical part – DON’T KEEP THEM!

Hang on to the numbers for the bare minimum amount of time you need them and then destroy them. The longer you have them hanging around, the larger the window of opportunity for someone to steal them.

Other things you can do to minimize your risk:

  1. Don’t use a shared host. Use a “virtual private server” or a real co-located server. Somewhere where you can be ‘root’ and nobody else can. A shared server makes it much easier for someone evil to rent an account and then hack into other accounts on the same box.
  2. Use a real commerce gateway, where you can hand off the card processing to a third party, who assumes all risk.
  3. Naturally, don’t send card information through e-mail. That’s like writing it on the side of your car in spray paint in terms of security.

It sounds like a pretty bad idea to me, I hope you think long and hard about how to talk your client out of it.

Walter



It’s so easy to tie into something like PayPal or Kagi, and when you process CCs properly online, NO ONE sees the CC numbers. One can argue that online transactions are more secure because of this, though I understand that systems get hacked too. But like Walter says, if it’s a third party system, your client should not be responsible. If someone gets the CC numbers directly from your client via the trash, breaking into his office, or something like that, then he’d be responsible.



This is one way of working with the Mals store (http://www.mals-e.com). When an order is placed the store owner is emailed a simple notification and can log in to their secure admin area to pick up the order details, card numbers, etc. and process the order manually.

A MUCH better solution, as previously mentioned, is to link the cart to a third-party payment processor who will charge the card for you over a secure link. The store owner never sees the card details and is off the hook for any wrongdoing that may happen with the card details.

Regards,
Tim.

Quoting WebWorker email@hidden:

I have a client with a local shop wanting a new site. He is already selling goods online, but only by taking the credit card numbers together with the order; he then downloads the list of orders to process manually on his shop card machine.

Is that advisable? Does anyone have any security advice?



Unfortunately the client is insistent he takes the card number to avoid extra charges by processors.

I’ll check out the Mal’s options - will be better than setting up something bespoke as those charges won’t be liked either.



I recommend that you talk to an attorney about this. You may be setting yourself up for liability in the case that you inadvertently build something that leaks. You may need to have your stingy client sign a waiver absolving you of all responsibility and agreeing to defend you vigorously in case of a disaster. I doubt I would take this job under those conditions, and I have been doing commerce online for years.

Walter

On May 29, 2008, at 1:33 PM, WebWorker wrote:

Unfortunately the client is insistent he takes the card number to
avoid extra charges by processors.

I’ll check out the Mal’s options - will be better than setting up
something bespoke as those charges won’t be liked either.



I haven’t compared them, but are the “extra charges by processors” really much different from what he pays for processing cards now? All CC processing has some fees somewhere.

I agree with Walter. CYA.



I’m only at the stage of checking things out to see what, if anything, is possible. I already told him, when he approached me, of the liabilities (he’s already doing this process), and he might even already be in breach of terms with his current card processor. (He prints off the order with card numbers and puts them in his shop until the order is processed!!)

I want him to use a processor for his cards. But I said I would check out whether anything was possible keeping it this way. If there is no good way of doing this, then it won’t happen. With me, anyway.



Sometime around 29/5/08 (at 14:15 -0400) Joe Muscara said:

CYA.

CYA = Cover Your Ass, also Contact Your Attorney.
Same difference. :)

k



A big concern for CC companies is the CVV2 number on the back of the card (or front in the case of AMEX). Our discussions with our processor, put simply, yielded that they really weren’t bothered that we took phone orders and had to physically write down the CC number for the customer, just that the CVV2 number not be recorded or written ANYWHERE!!

And quite frankly, when asked the simple question of:
‘Wouldn’t I have to note the number in order to manually process the card?’

A typical bureaucratic paradox resulted:

  • You need the CVV2 number to properly validate the transaction (so the processor trusts that you actually interfaced with the customer), but you cannot record the number anywhere, even if just for a moment.

I know this point is a very critical matter with having a merchant account in good standing.

With that in mind, it will actually more likely be cheaper to electronically process the cards through something like Authorize.net, which can accept the full credentials (CVV2 included) of the customer and more definitively validate the transaction.


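The two recurring points in this thread are Walter's "DON'T KEEP THEM" (and never put card data in e-mail) and the later warning that the CVV2 must not be recorded anywhere. The following Python script is an added illustration of how a cart would enforce both; it is not code from any of the posters, from Mals or from Authorize.net. The order dictionary `RAW_ORDER`, its key names and the `StoredOrder` record are constructed for the example: the raw form submission is reduced to a record that has no field for the CVV2 at all and keeps only the last four digits of the card, and an outbound guard (`contains_pan`) refuses to send a notification e-mail if a Luhn-valid 13 to 19 digit run slipped into it.

```python
import re
from dataclasses import dataclass

# Constructed sample order, as a web form might submit it. The key names are
# assumptions for this example, not any real cart's schema. The card number is
# the well-known Visa test PAN, not a live card.
RAW_ORDER = {
    "order_id": "A-1001",
    "amount_cents": 4999,
    "card_number": "4111 1111 1111 1111",
    "cvv2": "123",          # must never reach storage, logs or e-mail
    "expiry": "12/10",
}


@dataclass(frozen=True)
class StoredOrder:
    """What the shop is allowed to keep after the charge: no PAN, no CVV2.

    There is deliberately no field for the card number or the CVV2, so the
    record type itself makes 'store it for a moment' impossible.
    """
    order_id: str
    amount_cents: int
    card_last4: str


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check on a card number; separators are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    parity = len(digits) % 2
    for i, d in enumerate(digits):
        # Double every second digit counting from the right (check digit excluded).
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_order(raw: dict) -> StoredOrder:
    """Reduce the raw submission to the retainable record.

    The CVV2 is never read out of the raw order; the raw dictionary should be
    discarded as soon as the card has been charged.
    """
    pan = re.sub(r"\D", "", raw["card_number"])
    if not luhn_valid(pan):
        raise ValueError("card number fails the Luhn check; refusing to process")
    return StoredOrder(raw["order_id"], raw["amount_cents"], pan[-4:])


# A run of 13-19 digits, optionally separated by spaces or dashes, not glued
# to other digits on either side. Candidates are confirmed with the Luhn check
# so order numbers and phone numbers rarely trip it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def contains_pan(text: str) -> bool:
    """True if the text contains something that looks like a real card number."""
    return any(luhn_valid(m.group()) for m in PAN_CANDIDATE.finditer(text))


def notification_body(order: StoredOrder) -> str:
    """Build the 'new order' e-mail from the sanitized record only.

    The guard at the end is a last line of defence: if a card number ever
    ends up in the message, sending is refused rather than risked.
    """
    body = (
        f"New order {order.order_id}: {order.amount_cents / 100:.2f}, "
        f"card ending {order.card_last4}. "
        "Log in to the admin area to process it."
    )
    if contains_pan(body):
        raise RuntimeError("refusing to send: message contains a card number")
    return body


if __name__ == "__main__":
    order = sanitize_order(RAW_ORDER)
    print(order)
    print(notification_body(order))
    print(contains_pan("card 4111-1111-1111-1111"))  # True: this must never go out
```

The point of `StoredOrder` is structural rather than procedural: a developer cannot "accidentally" persist the CVV2 because nothing in the retained record can hold it, and the same record is the only input to the e-mail builder. The Luhn scan in `contains_pan` is a cheap detection check that can also be run over outgoing mail or log lines to catch a card number leaking through some other path.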

On Thu, May 29, 2008 at 6:33 PM, WebWorker email@hidden wrote:

Unfortunately the client is insistent he takes the card number to avoid extra charges by processors.

If he has the ability to process transactions on-site, he probably already has a merchant account with his bank. The security implications of recording the card number are non-trivial, and as others have said it is against the terms of the merchant account to store the CVV numbers (the ones on the back of the card, used for verification for CNP transactions).

The best thing will probably be for him to talk to his bank, and discuss setting up an internet merchant account with them. See what fees they offer. It may very well be that something like PayPal (Web Payments Pro for example) might be cheaper.

– Finlay

