Typically if you're shipping someone a product you won't actually charge their card until you ship the item, so you're correct, in those cases you would just want to do an authorization charge and not do the sale charge until you ship. That's standard practice for sites with shippable merchandise. I deal more with sites for which immediate charges are necessary, like subscriptions, online ad placements, etc., so in those cases you would want to do a sales charge immediately.
Good luck with all this stuff--just make sure your server is EXCEPTIONALLY secure if you're going to be storing credit card information, even encrypted. I have a horror story about this that I won't go into since it involves a former employer, so let's just say even with million-dollar-plus web sites and supposedly knowledgeable security experts, you have to be very, very, very careful.
Matt
------------------------- Matthew P. Woodward [EMAIL PROTECTED] AIM: CaptainJavac http://www.mattwoodward.com
----Original Message Follows---- From: "Bailey, Neal" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: Credit Cards - Best Practices Date: Mon, 8 Mar 2004 14:31:48 -0600
Thanks Matt,
Preferably I would like to encrypt the CC numbers but I really don't know how to go about this. Any suggestions? And can I de-crypt the number if needed?
With the Card API that I'm using, it will also give immediate feedback on the pre-authorizing same as a normal transaction. So live feedback I not really an issue. I am just not sure which is better. We sale candles and I'm not sure if it would be right to charge the customer's card if say we are out of stock on something. Usually we process their cards when we ship the merchandise. With that being said, I guess it may not matter as I'm thinking about it, I usually get charged immediately for a magazine subscription even though it can take a month or two to get the actual magazine.
Neal Bailey Internet Marketing Manager E-mail: [EMAIL PROTECTED]
-----Original Message----- From: Matthew Woodward [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 11:34 AM To: [EMAIL PROTECTED] Subject: RE: Credit Cards - Best Practices
In general when I deal with credit cards I absolutely recommend that unless someone is on a dedicated server in an extremely secure environment (their own firewall, the whole works), they should never store credit card information, even on a temporary basis. You're opening yourself up to too much liability otherwise IMO. Even if you are in a secure environment, you still likely want to somehow obfuscate or encrypt the CC numbers in the database the second they get inserted. If someone hacks in the CC numbers shouldn't just be sitting there for the hacker to see.
In general for retail stuff I do the CC processing right when the buyer hits
the "buy" button, just because then they get immediate feedback if their CC gets declined or if there's some other problem with the order. I can definitely see how if you were doing high-volume stuff the batch processing might be the way to go though. Just depends on the situation. I typically use Verisign Payflow Pro and haven't ever run into any issues with doing one-off transactions, but I haven't done any huge volume e-commerce sites either.
HTH, Matt
------------------------- Matthew P. Woodward [EMAIL PROTECTED]
----Original Message Follows---- From: "Bailey, Neal" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Credit Cards - Best Practices Date: Mon, 8 Mar 2004 11:11:47 -0600
Hello CFers...
I was wondering what are the best practices for credit card processing over the web. Should you pre-authorize a customer's card during check out and then run a batch transaction at the end of the day? Or should you run the card as a final sale and gather the funds immediately. Just as I have heard people doing it both ways and I am in the process of converting my cart over to an automatic Card processor API.
What are the pros and cons of both...
Also I have noticed that many shopping carts store their Credit card info in the database. I have a little utility (MS Access) that transfers the customer's info to my system at home and then deletes all credit card info. This usually runs twice a day. Is there a better way to keep the card info secure?
Thanks Neal Bailey Internet Marketing Manager E-mail: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
_________________________________________________________________ Create a Job Alert on MSN Careers and enter for a chance to win $1000! http://msn.careerbuilder.com/promo/kaday.htm?siteid=CBMSN_1K&sc_extcmp=JS_JA Sweep_MSNHotm2
----------------------------------------------- To post, send email to [EMAIL PROTECTED] To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED] To subscribe / unsubscribe: http://www.dfwcfug.org ----------------------------------------------- To post, send email to [EMAIL PROTECTED] To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED] To subscribe / unsubscribe: http://www.dfwcfug.org
_________________________________________________________________
Learn how to help protect your privacy and prevent fraud online at Tech Hacks & Scams. http://special.msn.com/msnbc/techsafety.armx
-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org
