Forum Question: "How do I get my form to send sensitive credit card data to my email address?"
Forgive the rant, but I've been seeing lots of posts like this lately and frankly it leaves me terrified and irritated.
Terrified for consumers who could be exploited by credit card & identity thieves.
Terrified for site owners who could incur stiff penalties or be put out of business.
Irritated with the fool of a web designer who thinks this is OK business practice.
I've got news for you. It's not OK to transfer sensitive data by e-mail. It's not secure.
If you're new to web design and need to build a store site for someone, please use PayPal, Google Checkout or one of the industry approved shopping cart sites. If you need a recommendation, feel free to post a question in the forum. People here will be happy to share their opinions & experiences with you.
Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Q: What are the penalties for noncompliance?
A: The credit card companies may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. In most cases though, the bank suspends or terminates the merchant's credit card privileges.
I realize jobs are scarce & finding good projects to work on is much harder than it once was. But that doesn't mean you should ever put yourself, the public and site owners at risk. If a site owner insists on running his business without a PCI compliant shopping cart to save a few dollars or [insert whatever excuse here], this is a red flag warning you to politely thank them & walk away from the project. There is no excuse for NOT using a secure payment method. PayPal doesn't cost much (a small transaction fee) and it's very simple to set up.
PCI Compliance Guidelines & FAQ
Some Payment Processors to look at ~
Google Checkout ~ http://checkout.google.com/sell/?
Authorize.net ~ http://www.authorize.net/
Shopping Cart Solutions:
Adobe Business Catalyst ~ Built-in turn-key e-commerce
Alt-Web Design & Publishing
Web | Graphics | Print | Media Specialists
Excellent post and very informative except that I have personally had a bad experience with PayPal, and the result is that I will never use them again for anything, including purchases from already established sites.
There are others, including 2Pay which I will use.
The whole post is Spot on though.
Hey Nancy... no problem with the "rant"!!
I've also dealt with many posts asking how to create this or that type of shopping cart. Will this work or that?
About the only addendum I would like to add to your excellant post is that when choosing a shopping cart... you SHOULD START at your BANK and work backwards to the Web site.. not the other way around!
So in other words... don't just choose a third party shopping cart and and expect your bank to accept your choice!!
Most major third party shopping carts require that you first have a "Merchant Account" at your bank. Your bank will NOT allow that shopping cart to directly connect into it (gee... I wonder why). Each bank will have an approved "gateway" that they use as an interum connection between the shopping cart and the bank. For example:
but each "gateway" only approves/works with certain third party shopping carts.
So I'd recomend that clients wanting to create a "Shoping Cart" ALWAYS start at their bank and THEN work backwards to their Web site. If a "Merchant Account" is too much... then go PayPal or some non-direct link to your bank. But if the object is to process credit cards and deposit into your bank account (which means you need a Merchant Account)... then you had better start at your Bank and end up at your Web site... NOT the other way around.
Another good point! It would seem foolish to invest $300 in Cartweaver, learn the PHP or ASP back end of it, set the whole site up, get an SSL certificate, and put everyhting to the server... only to discover that your business CAN'T do business... with your financial institution that is.
There should be a FULL tutorial out there somewhere that covers all the bases of starting an e-store, not only from a HTML standpoint, but commercial, legal and financial as well.
The idea that someone can go buy Dreamweaver (or worse yet, only download a 30 day trial) and "voila!" they're an instant webmaster, is as foolish as thinking that buying a ticket on a cross-country flight will make someone a pilot.
If I could just clarify about the shopping cart though. There is no requirement for pci compliance, PROVIDING, (sorry for shouting but!) the cart does not collect ANY user details, (order yes, user details no).
Also for those in the European communities, (EU) if the site designer/developer does not inform the site owner about the requirement for pci compliance, and the requirement to comply with data protection legislation, then it is the site designer/developer that is liable for all costs incurred by the site owner for any breach of said legislations, (professional responsibility). They are also responsible for any breach of advertising standard, (false user policy, advertisement, etc) along with the site owner, (consider this as 'aiding and abetting').
The above legislation was passed at the beginning of this year, (March I think) at the same time as the advertising standards legislation.
The US does have similar legislation but I think this varies state to state, so I cannot give clear details.
Thanks Curtis, Adninjastrator and PZ for your constructive input. All excellent points.
<Start with the bank>
Absolutely. Especially if the Merchant already has POS (Point of Service) -- a brick & mortar shop where the credit card user is standing in front of him.
On-line Merchants need a CNP (Card Not Present) account. Fees for CNPs are somewhat higher owing to greater risk of fraud & charge backs on the internet.
POS Merchants have a Gateway to process credit cards. A physical terminal or box is connected to a phone line or internet cable and used at checkout to approve or decline purchases on the spot. Similarly, on-line Merchants need an internet Gateway to approve or decline purchases. Often the same Gateway company can provide both services.
Finally, On-line Merchants need a Shopping Cart that is compatible with their internet Gateway's protocol.
As PZ said, any shopping cart can collect order details. But only a PCI compliant cart can collect customer data (card holder's name, address, credit card # & expiration date). The level of encryption required for this standard is very high to safeguard customer data as it's being collected, stored and transmitted to the Gateway.
I prefer to hand off customers to a secure payment processing agent like https://PayPal or https://Authorize.net for order completion. It costs a little more but it's much safer for me as a web developer and the site owner who is ultimately responsible for protecting his customer's data. Unless you really know what you're doing, it's much better to let the experts handle this step.
@Curtis, I've had good experiences with PayPal. But other options are good to know about. Especially for non-profits who may not be able to use PayPal. Please post any others you've had good experiences with.
PCI compliance is of high concern to anyone selling online so you need to take some time learning about it, then work with your host,and you payment gateway provide and in some cases tweak your site to bring things into line. Keep in mind that the whole PCI issue is still relatively new so there are many interpretations. Some merchant account providers will not accept anything short of a locked down dedicated server with all the security you can load up on it and will not pass anything on any shared host. Naturally this is overkill and an over reaction. Others are much more realistic, so it doesn't hurt to even spend some time shopping merchant accounts and PCI certification vendors - and ask others that have gotten their site/s certified.
You can avoid the issue completely by handing off all the transaction to a payment provider, and for some sites this may be the perfect solution. Doing so does interrupt the flow of the check out and introduces the payment provides's branding into the process. Many prefer to have a seamless transaction for the customer. Not to worry, with some diligence you can provide this sort of user experience and be PCI compliant.
Here's a link to a link to a knowledge base article on this topic.
Hope this helps
Lawrence Cramer - *Adobe Community Professional*
PHP & ColdFusion Shopping Cart for Adobe Dreamweaver
I have done several stores and they're all mounted on Secure servers. I have had several clients of mine request that they receive an email of the credit card number being used in payment. No Thank You! I won't do that. "But what if their card doesn't go through?" Then they'll telephone you if there is a problem. And you can use your terminal or wait for a check to clear.
I do not store any credit card data on my servers. Period. Credit card numbers are destroyed after the session, as well as all other information pertaining to the session. If their own web browser is set up to autofill stuff, that is their own issue.
All servers doing financial transaction have security certificates. All information that might have something to do with a financial transaction, password, etc is encrypted.
Unfortunately, it's not enough just to have a security certificate on your servers. If customers enter cc data on your domain, then it has to be PCI compliant.
Handing off all the transaction to a payment provider doesn't have to interrupt the flow of the checkout, nor introduce the payment provider's branding. For a seamless transaction for the customer (read... better completion rate), check out mijireh.com. It looks as though they are initially a wordpress only solution, but they have an API for integrating with other solutions.
Your design, Our security
If you decide to use Shopify I recommend you setup an affilaite program to get more sales. I use OSI Affiliate Software http://www.osiaffiliate.com it is called, but there are other solutions out there.