
Credit Cards & Forms

Nov 20, 2011 3:25 PM

Tags: #secure #compliance #payments #pci #e-commerce #shopping #carts

Forum Question: "How do I get my form to send sensitive credit card data to my email address?"

Forgive the rant, but I've been seeing lots of posts like this lately and frankly it leaves me terrified and irritated.

Terrified for consumers who could be exploited by credit card & identity thieves.

Terrified for site owners who could incur stiff penalties or be put out of business.

Irritated with the fool of a web designer who thinks this is OK business practice.

I've got news for you. It's not OK to transfer sensitive data by e-mail. It's not secure.

If you're new to web design and need to build a store site for someone, please use PayPal, Google Checkout or one of the industry-approved shopping cart sites. If you need a recommendation, feel free to post a question in the forum. People here will be happy to share their opinions & experiences with you.

 

Q: What is PCI?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

Q: To whom does PCI apply?

A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.

Q: What  are the penalties for noncompliance?

A: The credit card companies may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. In most cases though, the bank suspends or terminates the merchant's credit card privileges.

I realize jobs are scarce & finding good projects to work on is much harder than it once was. But that doesn't mean you should ever put yourself, the public and site owners at risk. If a site owner insists on running his business without a PCI compliant shopping cart to save a few dollars or [insert whatever excuse here], this is a red flag warning you to politely thank them & walk away from the project. There is no excuse for NOT using a secure payment method. PayPal doesn't cost much (a small transaction fee) and it's very simple to set up.

PCI Compliance Guidelines & FAQ

http://www.pcicomplianceguide.org/pcifaqs.php

Some Payment Processors to look at ~

PayPal ~ https://www.paypal.com/webapps/mpp/merchant

Google Checkout ~ http://checkout.google.com/sell/?

Authorize.net ~ http://www.authorize.net/

Shopping Cart Solutions:

Cartweaver
http://www.cartweaver.com/

Web Assist
http://www.webassist.com/support/ecommerce-options.php

Adobe Business Catalyst ~ Built-in turn-key e-commerce
http://www.businesscatalyst.com/

Shopify
http://www.shopify.com/

Mals-E
https://www.mals-e.com/index.php


Nancy O.

Alt-Web Design & Publishing

Web | Graphics | Print | Media Specialists

http://alt-web.com/

http://twitter.com/altweb
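Nancy's point, that card data must never go out in an e-mail, can be enforced in the form handler itself. The following is an added example (not code from the original post or from any product named here): a server-side guard that drops card fields from the order mail and masks any Luhn-valid card number that leaks into free text, so the merchant still gets the order while the card details stay with the payment processor. The field names, the sample form and the test card number are constructed for the example.

```python
import re

# Constructed sample: the kind of order form a "just e-mail it to me" handler receives.
SAMPLE_FORM = {
    "name": "A. Customer",
    "item": "Widget, qty 2",
    "notes": "Please charge 4111 1111 1111 1111 and ship fast",  # constructed test PAN
    "card_number": "4111-1111-1111-1111",
    "expiry": "12/14",
    "cvv": "123",
}
# Field names (assumed for this example) that must never leave the payment processor.
FORBIDDEN_FIELDS = {"card_number", "cc", "ccnum", "expiry", "exp", "cvv", "cvc", "csc"}
# 13 to 19 digits, optionally separated by spaces or dashes: the PAN lengths card brands use.
CANDIDATE_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, summing the digits of the result
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid digit run, keeping only the last four digits (the usual display masking)."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)
    return CANDIDATE_RE.sub(mask, text)


def sanitize_for_email(form: dict) -> tuple:
    """Drop card fields outright and redact PANs elsewhere; returns (safe_fields, dropped_names)."""
    safe, dropped = {}, []
    for key, value in form.items():
        if key.lower() in FORBIDDEN_FIELDS:
            dropped.append(key)
            continue
        safe[key] = redact_pans(str(value))
    return safe, dropped
```

Only the returned safe_fields should ever reach the mailer or a log; the dropped names tell you the form is asking for data it should be sending to the gateway instead.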

 
Replies
    Nov 20, 2011 8:07 PM   in reply to Nancy O.

    Excellent post and very informative except that I have personally had a bad experience with PayPal, and the result is that I will never use them again for anything, including purchases from already established sites.

    There are others, including 2Pay which I will use.

    The whole post is Spot on though.

    Nov 20, 2011 10:33 PM   in reply to Nancy O.

    Hey Nancy... no problem with the "rant"!!

    I've also dealt with many posts asking how to create this or that type of shopping cart. Will this work or that?

    About the only addendum I would like to add to your excellent post is that when choosing a shopping cart... you SHOULD START at your BANK and work backwards to the Web site... not the other way around!

    So in other words... don't just choose a third party shopping cart and expect your bank to accept your choice!!

    Most major third party shopping carts require that you first have a "Merchant Account" at your bank. Your bank will NOT allow that shopping cart to directly connect into it (gee... I wonder why). Each bank will have an approved "gateway" that they use as an interim connection between the shopping cart and the bank. For example:

    http://www.firstdata.com/ecommerce/

    or:

    http://www.authorize.net/

    but each "gateway" only approves/works with certain third party shopping carts.

    So I'd recommend that clients wanting to create a "Shopping Cart" ALWAYS start at their bank and THEN work backwards to their Web site. If a "Merchant Account" is too much... then go PayPal or some non-direct link to your bank. But if the object is to process credit cards and deposit into your bank account (which means you need a Merchant Account)... then you had better start at your Bank and end up at your Web site... NOT the other way around.

    Best wishes,

    Adninjastrator

    Nov 21, 2011 5:51 AM   in reply to adninjastrator

    Another good point! It would seem foolish to invest $300 in Cartweaver, learn the PHP or ASP back end of it, set the whole site up, get an SSL certificate, and put everything to the server... only to discover that your business CAN'T do business... with your financial institution that is.

    There should be a FULL tutorial out there somewhere that covers all the bases of starting an e-store, not only from an HTML standpoint, but commercial, legal and financial as well.

    The idea that someone can go buy Dreamweaver (or worse yet, only download a 30 day trial) and "voila!" they're an instant webmaster, is as foolish as thinking that buying a ticket on a cross-country flight will make someone a pilot.

    Nov 21, 2011 6:51 AM   in reply to Nancy O.

    Hi Nancy,

    Nice rant.

    If I could just clarify about the shopping cart though. There is no requirement for PCI compliance, PROVIDING (sorry for shouting but!) the cart does not collect ANY user details (order yes, user details no).

    Also for those in the European communities (EU), if the site designer/developer does not inform the site owner about the requirement for PCI compliance, and the requirement to comply with data protection legislation, then it is the site designer/developer that is liable for all costs incurred by the site owner for any breach of said legislations (professional responsibility). They are also responsible for any breach of advertising standards (false user policy, advertisement, etc.) along with the site owner (consider this as 'aiding and abetting').

    The above legislation was passed at the beginning of this year (March I think) at the same time as the advertising standards legislation.

    The US does have similar legislation but I think this varies state to state, so I cannot give clear details.

    PZ

    Nov 22, 2011 9:04 AM   in reply to Nancy O.

    I like to work with 800cart.com

    They have a really user friendly setup, and 24/7 live phone or chat support for integration or billing questions/problems.

    Jan 8, 2012 3:38 PM   in reply to pziecina

    PCI compliance is of high concern to anyone selling online so you need to take some time learning about it, then work with your host and your payment gateway provider, and in some cases tweak your site to bring things into line. Keep in mind that the whole PCI issue is still relatively new so there are many interpretations. Some merchant account providers will not accept anything short of a locked down dedicated server with all the security you can load up on it and will not pass anything on any shared host. Naturally this is overkill and an overreaction. Others are much more realistic, so it doesn't hurt to even spend some time shopping merchant accounts and PCI certification vendors - and ask others that have gotten their site/s certified.

    You can avoid the issue completely by handing off all the transactions to a payment provider, and for some sites this may be the perfect solution. Doing so does interrupt the flow of the checkout and introduces the payment provider's branding into the process. Many prefer to have a seamless transaction for the customer. Not to worry, with some diligence you can provide this sort of user experience and be PCI compliant.

    Here's a link to a knowledge base article on this topic.

    http://forums.cartweaver.com/topic/pci-compliance-what-you-should-know

    Hope this helps

    Lawrence Cramer - *Adobe Community Professional*

    http://www.Cartweaver.com

    PHP & ColdFusion Shopping Cart for Adobe Dreamweaver

    Stay updated:

    http://www.facebook.com/cartweaver

    http://www.twitter.com/cartweaver

    Jan 8, 2012 4:51 PM   in reply to Nancy O.

    Great rant.

    I have done several stores and they're all mounted on secure servers. I have had several clients of mine request that they receive an email of the credit card number being used in payment. No Thank You! I won't do that. "But what if their card doesn't go through?" Then they'll telephone you if there is a problem. And you can use your terminal or wait for a check to clear.

    I do not store any credit card data on my servers. Period. Credit card numbers are destroyed after the session, as well as all other information pertaining to the session. If their own web browser is set up to autofill stuff, that is their own issue.

    All servers doing financial transactions have security certificates. All information that might have something to do with a financial transaction, password, etc. is encrypted.

    Jun 5, 2012 12:02 PM   in reply to Nancy O.

    Unfortunately, it's not enough just to have a security certificate on your servers. If customers enter cc data on your domain, then it has to be PCI compliant.

    http://www.mijireh.com/docs/what-you-need-to-know-about-pci-compliance/

    Handing off all the transactions to a payment provider doesn't have to interrupt the flow of the checkout, nor introduce the payment provider's branding. For a seamless transaction for the customer (read... better completion rate), check out mijireh.com. It looks as though they are initially a WordPress only solution, but they have an API for integrating with other solutions.

    Bobby Smith

    http://mijireh.com

    Your design, Our security

    http://twitter.com/mijirehapp

    Feb 15, 2013 1:23 PM   in reply to Nancy O.

    If you decide to use Shopify I recommend you set up an affiliate program to get more sales. I use what is called OSI Affiliate Software (http://www.osiaffiliate.com), but there are other solutions out there.