Here are some guidelines:

1. Make sure your cart page uses an SSL Certificate to encrypt the transmission to your template(s).
2. Merchant accounts themselves designate if you can authorize then batch/capture or simply authorize/capture. The industry standard is as follows: If you can ship within 24 hours of the order receipt, you can authorize and capture at the same time. If, as a rule, you have to wait longer to ship, then you have to pre-authorize the card and then capture the card individually or in batch when you ship. When you applied for your merchant account they would tell you their rules/guidelines.
3. When you receive the credit card via the secure screen and either pre-auth or capture the card, you may want to save the last 4 digits of the card, but you don't need it for anything else except possible 'account reconciliation', so what is the point in saving the credit card at all? There is none. You should receive a transaction number and authorization number from the merchant processor and that is all you need.
4.  For batching, your credit card processor has the card number, under their security with a transaction number. You batch it when you ship; so you don't need the full card number then either.  This offers you and the client the most protection.  Most processors offer a secure login to their system for you to be able to perform returns and batches and other activities.  Verisign's Payflow system offers such a system. And there is a CFX to interface with it.
5. If your merchant does not offer a system like this, see if you can batch transactions with the 'pre-authorization' number and/or transaction number. Then you only store these numbers and again not the credit card number.
6. If you have to have the credit card number because you are running it manually through a POS or card system, then have your database on a machine behind a firewall or other protection.
7. If anybody but you has access to your database, if it is out of your physical possession it is susceptible to intrusion; that includes your own office or at a hosting facility.

Bob Coalter
InterNet Partners, Inc.
www.internet-partners.com
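
An added example, not part of the original thread: one way to apply guidelines 3 and 5 above, keeping only the last 4 digits plus the processor's transaction and authorization numbers, and refusing to persist any field that still contains a full card number. It is written in Python rather than ColdFusion; the response field names (`transaction_id`, `auth_code`) and the capture request shape are assumptions, not any real processor's API.

```python
import re

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value):
    """True if the value holds something that looks like a full card number."""
    for m in PAN_RE.finditer(str(value)):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def order_payment_record(order_id, card_number, processor_response):
    """Build the only payment data written to the order database."""
    digits = re.sub(r"\D", "", card_number)
    record = {
        "order_id": order_id,
        "card_last4": digits[-4:],                      # reconciliation only
        "transaction_id": processor_response["transaction_id"],
        "auth_code": processor_response["auth_code"],
        "status": "authorized",
    }
    # Guard: fail closed if a full card number leaked into any stored field
    for field, value in record.items():
        if contains_pan(value):
            raise ValueError("full card number found in field %r" % field)
    return record

def capture_request(record, amount_cents):
    """Capture at ship time using the stored transaction number, not the card."""
    return {"action": "capture",
            "transaction_id": record["transaction_id"],
            "amount_cents": amount_cents}

if __name__ == "__main__":
    # Constructed sample: public test card number and made-up processor response
    resp = {"transaction_id": "TXN-CONSTRUCTED-0001", "auth_code": "A1B2C3"}
    rec = order_payment_record(1001, "4111 1111 1111 1111", resp)
    print(rec)
    print(capture_request(rec, 2599))
```

The same `contains_pan` check can be run over existing order tables or free-text notes fields to find card numbers that were stored before this rule was in place.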

Yeah, this is kind of how I think... But at the same time I want to streamline the process as it's only me and my wife running this biz. And trying to keep up with who ordered what and when is sometimes confusing. But I am working on a new backend that will hopefully make things easier to manage. I was going to just buy another shopping cart, but when I looked at all the different CF Carts I decided to just build onto mine and create a better backend as I really like my front end.

 

Neal Bailey

Internet Marketing Manager

E-mail: [EMAIL PROTECTED]

 

From: Kevin Barber [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 08, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: Credit Cards - Best Practices

 

Neal,

 

It also depends on the company's business structure.

 

Many online e-tailers will 'pre-auth' a card. Then when the product ships, capture the sale. (or at least that is the 'protocol' for such a business. something about taking people's money before you ship an item is 'frowned' upon.)

 

If you are selling downloadable software, then you can capture right away.

 

Kevin
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bailey, Neal
Sent: Monday, March 08, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: Credit Cards - Best Practices
Hello CFers...
 
I was wondering what are the best practices for credit card processing over the web. Should you pre-authorize a customer's card during check out and then run a batch transaction at the end of the day? Or should you run the card as a final sale and gather the funds immediately. Just as I have heard people doing it both ways and I am in the process of converting my cart over to an automatic Card processor API.
 
What are the pros and cons of both...
 
Also I have noticed that many shopping carts store their Credit card info in the database. I have a little utility (MS Access) that transfers the customer's info to my system at home and then deletes all credit card info. This usually runs twice a day. Is there a better way to keep the card info secure?
 
Thanks
Neal Bailey
Internet Marketing Manager
E-mail: [EMAIL PROTECTED]
 
