The real cost is if you do things wrong and lose a credit card number. IIRC it's $50k/incident if you are not in compliance with the ever-changing PCI DSS standard. FWIW, I don't care if you're using 128-bit AES. I care that you are using it correctly, which is not a trivial thing to do when you consider key storage, rotation, etc. Very rarely do I find companies using encryption in a safe and secure manner. Usually it's "magic pixie dust" that is sprinkled liberally into a system because it magically secures it -- at least in theory.

I'm not suggesting you're not doing it correctly, Derrick, just that many people screw it up badly.

Security is about risk management. If I had a small business, the risk of losing some credit card data and facing huge fines from the card companies would be a good enough reason to offload this risk to someone else. But, at some point you come to a business decision of when you are big enough to accept the risk and save the extra fees, etc. that come with some solutions.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are intolerant."
    -- Robert F. Kennedy, 1964


On Dec 14, 2006, at 8:29 AM, Derrick Peavy wrote:

{sigh}

Dean, thanks for bringing that up, but it's not an issue in this question. And, not to diminish your expertise in any way, but it's a little like asking "have you figured the cost of doing SSL over TCP/IP into your business?" Again, elementary analogy, I know, forgive please. I will explain further below.

Mike:

I've used this solution since 2000. As I stated in the email which you reference from 2004, this is a solution which removes the middle man (the gateway) and all associated fees. If by monthly fees you mean a Visa/Mastercard required minimum, yes, no one escapes that - no one! What this means is that if you don't do X amount in combined V/MC transactions each month (whose resulting fees equal $20), they will charge you $20 in place of the percentage and transaction fees. If you do X amount, then your $20 min. is waived and you pay the transaction and percentage fees instead.

Now, as for any other fees, monthly or other, no. The only fee you pay in this set up is the per transaction fee assessed by V/MC/Amex and Discover. Currently, my fees are:

V/MC 2.02% per trans, and 28 cents
Amex 3.25% per trans, and (I think) 10 cents
Discover 1.68% per trans, and 10 cents

This is from memory. But here is the number from my accounting ==> Of all sales income received by Credit Card, divided into total (all, everything) processing fees, my overall cost for this year is 2.5%. For the cost of CFXNova, I think it's a dam* good deal. Show me a lower number and I'll.......

Now, let's talk about PCI DSS, because Dean brings up a valid point, if not (in my stupid, retarded and humble opinion) misguided. Here are the PCI DSS, non-enforced, difficult-to-prove, let's-all-feel-good-about (insert standard here) compliance points:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data - been there, done that.
2. Do not use vendor-supplied defaults for system passwords and other security parameters - yeah, that was a no-brainer.
Protect Cardholder Data
3. Protect stored data - done.
4. Encrypt transmission of cardholder data and sensitive information across public networks - done (128-bit Rijndael encryption).
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software - some argument here, as it can cause more problems than it solves.
6. Develop and maintain secure systems and applications - done: SSL, closed ports, per-file/script/page security, required log-ins, multiple app checks.
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know - yes, because Dave in the mail room needs card data?
8. Assign a unique ID to each person with computer access - right. Or, no, let's be stupid and use admin/admin.
9. Restrict physical access to cardholder data - not hard to do.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data - yep.
11. Regularly test security systems and processes - yep.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security - yep.

Let me add a few more:
13. Only store data for as long as is necessary for your business, balanced with the need for some level of customer support (i.e.: don't bug the customer for their card when you need to refund something 3 days later).
14. Use actual human-readable log files generated by CFXNova and store and review them on a regular basis to look for fraud.
15. Review each and every transaction, looking for CVV2 and AVS compliance; if it's suspicious, void, refund or delete it. In some cases, I've even contacted the issuing bank.
16. Change encryption keys on a regular basis.

Now, how much does all of that cost? Less than 2 hours per month, if that.

Again, Dean makes a valid point. But more important is to understand that you have some basic obligation to cover yer arse! You can store the card data or not. But too often I see people who think that once a transaction is completed the card data can be deleted. Let me give you a nice paradox for your morning coffee.

V/MC tell you not to store the data, or at least say that you should not. Funny. Because six months after a card is processed you may get a chargeback. And, since your "customer" gave you an address which may not match the cardholder address, and since you deleted the data, you have no way of knowing which transaction is being disputed, because V/MC simply gives you a card number and an amount. You have fun finding that one!



_____________
Derrick Peavy
Sales and Web Services
Universal Advertising
Phone: 404-786-5036
Fax: 404-370-0470
http://www.universaladvertising.com
http://www.collegeadvertising.com
http://www.collegeclassifieds.com
___________________________________
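The chargeback paradox above, together with items 13 and 16 (retention and key rotation), as an added example that is not Derrick's CFXNova setup, Dean's advice, or any code from this list: a Python sketch of a transaction store that never keeps the full card number after authorization. Each record holds the last four digits plus an HMAC-SHA256 of the PAN under a versioned lookup key, so a dispute that arrives as (card number, amount) can still be matched to the original transaction. Rotating the key does not let you re-index old records (you no longer have the PAN), so old records stay under their old key id until they age out of the retention window, and only then is that key destroyed. The record layout, the key ring, the 180-day window and the card numbers (standard test PANs) are my assumptions.

```python
"""Dispute lookup without storing the PAN, with versioned lookup keys.

Assumed design (not CFXNova's): after authorization the store keeps only
last4 + HMAC(key_id, PAN) + amount. A chargeback (PAN, amount) is matched by
recomputing the HMAC under every key still in the ring. Keys are retired
once no retained record references them.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed input: the standard Visa/Mastercard test card numbers.
TEST_PAN_VISA = "4111 1111 1111 1111"
TEST_PAN_MC = "5555 5555 5555 4444"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes so the same card always produces the same HMAC."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits


@dataclass(frozen=True)
class TxnRecord:
    txn_id: str
    when: date
    amount_cents: int
    last4: str      # enough for the customer-service screen
    key_id: str     # which lookup key produced pan_mac
    pan_mac: str    # hex HMAC-SHA256(key, PAN); the PAN itself is never stored


class LookupKeyRing:
    """Versioned HMAC keys; assumed to live outside the transaction database."""

    def __init__(self) -> None:
        self._keys: dict = {}
        self._counter = 0
        self.current = self.rotate()

    def rotate(self) -> str:
        """Item 16: mint a new key; new records are indexed under it."""
        self._counter += 1
        key_id = f"k{self._counter}"
        self._keys[key_id] = secrets.token_bytes(32)
        self.current = key_id
        return key_id

    def key_ids(self) -> list:
        return list(self._keys)

    def mac(self, pan: str, key_id: Optional[str] = None) -> tuple:
        kid = key_id or self.current
        tag = hmac.new(self._keys[kid], normalize_pan(pan).encode(), hashlib.sha256).hexdigest()
        return kid, tag

    def destroy(self, key_id: str) -> None:
        del self._keys[key_id]


class TxnStore:
    def __init__(self, ring: LookupKeyRing, retention_days: int = 180) -> None:
        self.ring = ring
        self.retention = timedelta(days=retention_days)
        self.records: list = []

    def record(self, txn_id: str, when: date, pan: str, amount_cents: int) -> TxnRecord:
        key_id, tag = self.ring.mac(pan)
        rec = TxnRecord(txn_id, when, amount_cents, normalize_pan(pan)[-4:], key_id, tag)
        self.records.append(rec)
        return rec

    def find_dispute(self, pan: str, amount_cents: int) -> list:
        """Match a chargeback (card number + amount) with no PAN on file."""
        # One tag per live key version: older records cannot be re-keyed.
        tags = {kid: self.ring.mac(pan, kid)[1] for kid in self.ring.key_ids()}
        return [
            r for r in self.records
            if r.amount_cents == amount_cents
            and r.key_id in tags
            and hmac.compare_digest(r.pan_mac, tags[r.key_id])
        ]

    def purge(self, today: date) -> list:
        """Item 13: drop records past retention; return key ids now safe to destroy."""
        cutoff = today - self.retention
        self.records = [r for r in self.records if r.when >= cutoff]
        still_used = {r.key_id for r in self.records}
        return [k for k in self.ring.key_ids() if k not in still_used and k != self.ring.current]


def demo() -> dict:
    ring = LookupKeyRing()
    store = TxnStore(ring)
    t0 = date(2006, 6, 1)
    store.record("T1", t0, TEST_PAN_VISA, 4999)
    ring.rotate()                                        # scheduled rotation
    store.record("T2", t0 + timedelta(days=30), TEST_PAN_VISA, 1250)
    store.record("T3", t0 + timedelta(days=30), TEST_PAN_MC, 4999)
    hits = store.find_dispute("4111-1111-1111-1111", 4999)   # dispute months later
    retired = store.purge(t0 + timedelta(days=200))          # T1 ages out, k1 unreferenced
    for kid in retired:
        ring.destroy(kid)
    after = store.find_dispute(TEST_PAN_VISA, 4999)
    return {"hits": [h.txn_id for h in hits],
            "retired": retired,
            "after_purge": [h.txn_id for h in after]}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the HMAC key must be protected like an encryption key, because with the key and the last four digits (plus the BIN on the dispute notice) the remaining digits are brute-forceable; and this index only solves lookup, so a refund three days later still needs either the PAN under proper encryption or a processor-side transaction reference.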


On Dec 13, 2006, at 4:23 PM, Mike Staver wrote:

I don't know I guess - I had assumed that the CC number got transferred using this tag and I wouldn't need to store it anymore, but perhaps I'm wrong. Is anybody using this method currently?

Dean H. Saxe wrote:
Perhaps I misunderstood.  Who retains the credit card data?
-dhs
On Dec 13, 2006, at 3:34 PM, Mike Staver wrote:
I'm curious to what you mean here - are you saying that Costco isn't compliant? It was my understanding that this setup doesn't store the CC but rather uses Costco - but maybe I misunderstood.

Dean H. Saxe wrote:
What about the costs of compliance with the PCI DSS standard? Figure that into your equation before trying to accept credit cards.
-dhs
On Dec 13, 2006, at 3:06 PM, Mike Staver wrote:
Going way back to 2004 posts here, is there a monthly fee for this?

Derrick Peavy wrote:
Use Costco with CFXNova
1. Join Costco at executive level ($100)
2. Apply for merchant account ($35)
3. You now have a merchant account for $135
4. Download CFXNova for 30 day trial.
5. With CFXNova, you get 2.2% V/MC @ 28 cents per transaction. If you can show me a lower rate, I'll buy you a cup of coffee - you can't. This rate is for Internet / Mail Order / Telephone. Swipe rates are as low as 1.68%.
6. Using CFXNova and coding for certain parameters, you can get non-qualified rates down to less than 3%. Non-qualified rates are basically business cards, and most merchants don't tell you that your non-qualified rate can be 4% or more.
7. Since you are going directly from your server to the processor (Nova), you do not pay a middle man for gateway services as in the case of Authorize.net, CyberCash or other services.
8. I use this solution. So far this year, my sales are at just under $50,000. My TOTAL credit card costs for the year to date is $1,095.00 or, 2.2% of total sales. That includes everything to do with the credit card processing. I can assure you that when the dust settles, you will not realize such a low cost with any other solution.
9. You can download a trial of CFXNova at www.cfxworks.com
From: Tom Chambers <[EMAIL PROTECTED]>
Organization: Chambers Systems
Reply-To: discussion@acfug.org
Date: Fri, 14 May 2004 7:48:12 -0400
To: discussion@acfug.org
Subject: Slightly OT: Credit Card acceptance and processing

Good morning all,

Several questions regarding payments via a website.

1) Are fees fixed or a percentage of the transaction?

2) What are some suggestions for the most reliable/affordable provider of merchant transaction processing?

3) Any tips on what types of credit cards to not accept (for any reason)?

Thanks,
Tom

------------------------------------------
Unsubscribe from this list by sending a message to [EMAIL PROTECTED] with the word unsubscribe in the body.
RSVP at http://www.acfug.org


--                                -Mike Staver
                                 [EMAIL PROTECTED]
                                 http://www.fimble.com


-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------














