*Assuming* you are shipping product immediately, or you are selling
something intangible like memberships that needs no shipping delay, then
you can settle immediately as well. Otherwise I'm pretty sure you are
bound ethically -- and probably legally in at least some areas -- to
auth at time of sale and settle at time of shipment.
Think of what you personally would do to a merchant who charged your
card and then shipped a week later... And think of all the merchants
who swear they would never do this to a customer. By settling and not
shipping you jump to the other side of this fence.
Storing the cc info in the db is Bad News no matter how you slice it.
If you absolutely must you can store the data in a field that uses
public/private key encryption at reasonable (i.e. 1024 bit) strength,
assuming you follow the practices necessary to do that job right. In
other words sacrifice convenience and force people to enter the private
key... Don't leave it on the server (!!!) Any lesser level of
encryption shouldn't even be considered. My personal favorite
encryption tool is cfx_textcrypt. For US$40 or thereabouts you can't
beat it.
As for storing the cards in a db and downloading the info daily, I get
shivers just thinking about it. If you are encrypting the data as
described above I suppose that would be as safe as such a thing can be.
However if you are storing them in the clear, and/or not transferring
the file over secure ftp... Holy failure to perform due diligence,
Batman!
Lastly, you can opt to do it the safest way possible: Don't store the
cc numbers at all. Collect them on your secure form, send them to the
card processing gateway and DON'T store them. There are many who will
say this is the best way, and I think it is. It limits the customer's
liability and, perhaps as importantly, your own.
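The auth-at-sale / settle-at-shipment flow and the "never store the card number" advice above, as an added example that is not part of this message or the CF-Talk list. The gateway here is a constructed in-memory stand-in for a real processor API, the order record keeps only the gateway's token and the last four digits, and the card number used is the well-known Visa test value, not a real card.

```python
"""Authorize at checkout, capture at shipment, void if the order is cancelled,
and never persist the full card number (PAN). Illustrative only: FakeGateway
is a constructed stand-in for a real card processor."""
from dataclasses import dataclass
from enum import Enum
import re
import secrets


class PaymentState(Enum):
    AUTHORIZED = "authorized"   # funds held on the card, nothing settled yet
    CAPTURED = "captured"       # settled, done only once the goods ship
    VOIDED = "voided"           # hold released, never settled


class FakeGateway:
    """Stand-in for the processor. It is the only component that ever sees
    the PAN; everything else works with the opaque token it hands back."""

    def __init__(self):
        self._auths = {}

    def authorize(self, pan: str, exp: str, amount_cents: int) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("malformed card number")
        token = "auth_" + secrets.token_hex(8)
        self._auths[token] = {"amount": amount_cents,
                              "state": PaymentState.AUTHORIZED}
        return token

    def _transition(self, token: str, new_state: PaymentState) -> PaymentState:
        rec = self._auths[token]
        # Capture and void are both only legal from the AUTHORIZED state.
        if rec["state"] is not PaymentState.AUTHORIZED:
            raise RuntimeError(f"cannot {new_state.value} from {rec['state'].value}")
        rec["state"] = new_state
        return new_state

    def capture(self, token: str) -> PaymentState:
        return self._transition(token, PaymentState.CAPTURED)

    def void(self, token: str) -> PaymentState:
        return self._transition(token, PaymentState.VOIDED)


@dataclass
class Order:
    """What the shop's own database holds: no PAN, no expiry, no CVV."""
    order_id: str
    amount_cents: int
    auth_token: str
    card_last4: str       # enough for customer service, useless to a thief
    state: PaymentState = PaymentState.AUTHORIZED


def checkout(gw: FakeGateway, order_id: str, amount_cents: int,
             pan: str, exp: str) -> Order:
    """Time of sale: authorize only. The PAN goes to the gateway and is
    dropped here; only the token and last four digits are kept."""
    token = gw.authorize(pan, exp, amount_cents)
    return Order(order_id, amount_cents, token, pan[-4:])


def ship(gw: FakeGateway, order: Order) -> Order:
    """Time of shipment: settle the held funds."""
    order.state = gw.capture(order.auth_token)
    return order


def cancel(gw: FakeGateway, order: Order) -> Order:
    """Order never shipped: release the hold instead of settling."""
    order.state = gw.void(order.auth_token)
    return order


def record_contains_pan(order: Order, pan: str) -> bool:
    """Audit helper: True if the full card number leaked into the stored record."""
    return pan in repr(order)


if __name__ == "__main__":
    gw = FakeGateway()
    test_pan = "4111111111111111"   # constructed test number, not a real card
    order = checkout(gw, "order-1", 1999, test_pan, "12/29")
    print(order)                    # token + last4 only
    print(ship(gw, order).state)    # PaymentState.CAPTURED
```

The point of the `_transition` guard is that a capture cannot happen twice and a voided authorization cannot later be settled; the point of `record_contains_pan` is that what lands in the shop's database can be audited for the one thing the reply says must never be there.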
-----Original Message-----
From: Bailey, Neal [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 08, 2004 9:11 AM
To: CF-Talk
Subject: Credit Cards - Best Practices

Hello CFers...

I was wondering what are the best practices for credit card processing over the web. Should you pre-authorize a customer's card during check out and then run a batch transaction at the end of the day? Or should you run the card as a final sale and gather the funds immediately? Just as I have heard people doing it both ways and I am in the process of converting my cart over to an automatic Card processor API.
What are the pros and cons of both...

Also I have noticed that many shopping carts store their Credit card info in the database. I have a little utility (MS Access) that transfers the customer's info to my system at home and then deletes all credit card info. This usually runs twice a day. Is there a better way to keep the card info secure?

Thanks
Neal Bailey
Internet Marketing Manager
E-mail: [EMAIL PROTECTED]