RE: Credit Cards - Best Practices

[Bailey, Neal]

Hello Bob,   Thanks for the great feedback… Your number 2. was what I was looking for.   I think I have most of that stuff covered.   - I already use a SSL Certificate for checkout and registration and a separate SSL for my Admin section.   - I have a secured gateway to my merchant via a custom API that I am still customizing.   - My merchant has a very nice Merchant Administration system though LinkPoint. About to be LinkPoint 3.0.   - My server is “Mine” and is hosted via Co location here in town behind my own Firewall (SonicWall).   I would appreciate if you and anyone else could look through my cart and see if you see any issues with how it works or should work. This is my first cart I have design from scratch so go easy on me. No really any information to whether it’s unsecured or link structure is bad or login does not makes sense please just let me know. I want to make sure this is in good working order before I launch it at the end of April.   Here is the url: http://www.BlissfulEssence.com   it will ask for a login… Twice, once on home page and once on secured page.   Username: webguest Password: bliss01   Feel free to register and go through the checkout process using test card numbers. Visa, 4111111111111111   Neal Bailey Internet Marketing Manager E-mail: [EMAIL PROTECTED]   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 4:07 PM To: [EMAIL PROTECTED] Subject: RE: Credit Cards - Best Practices   Here are some guidelines: 1. Make sure your cart page uses an SSL Certificate to encrypt the transmission to your template(s). 2. Merchant accounts themselves designate if you can authorize then batch/capture or simply authorize/capture.  The industry standard is as follows: If you can ship within 24 hours of the order receipt, you can authorize and capture at the same time.  If as the rule you have to wait longer to ship, then you have to pre-authorize the card and then capture the card individually or in batch when you ship.  When you applied for your merchant account they would tell you their rules/guidelines. 3. When you receive the credit card via the secure screen and either pre-auth or capture the card you may want to save the last 4 digits of the card, but you don't need it for anything else except possible 'account reconciliation' so what is the point in saving the credit card at all. There is none. You should receive a transaction number and authorization number from the merchant processor and that is all you need. 4.  For batching, your credit card processor has the card number, under their security with a transaction number. You batch it when you ship; so you don't need the full card number then either.  This offers you and the client the most protection.  Most processors offer a secure login to their system for you to be able to perform returns and batches and other activities.  Verisign's Payflow system offers such a system. And there is a CFX to interface with it. 5. If your merchant does not offer a system like this, see if you can batch transactions with the 'pre-authorization' number and/or transaction number. Then you only store these numbers and again not the credit card number. 6. If you have to have the credit card number because you are running it manually through a pos or card system, then have your database on a machine behind a firewall or other protection. 7. If anybody but you has access to your database, if it is out of your physical possession it is susceptible to intrusion; that includes your own office or at a hosting facility. Bob Coalter InterNet Partners, Inc. www.internet-partners.com Yeah this is kind of how I think& But at the same time I want to stream line the process as it s only me and my wife running this biz. And trying to keep up with who ordered what and when are some times confusing. But I am working on a new backend that will hopefully make things easier to manage. I was going to just buy another shopping cart but when I looked at all the different CF Carts I decided to just build onto mine and create a better backend as I really like my front end.    Neal Bailey Internet Marketing Manager E-mail: [EMAIL PROTECTED]   From: Kevin Barber [mailto:[EMAIL PROTECTED]] Sent: Monday, March 08, 2004 11:59 AM To: [EMAIL PROTECTED] Subject: RE: Credit Cards - Best Practices   Neal,   It also depends on the company's business structure.   Many online e-tailers will 'pre-auth' a card. Then when the product ships, capture the sale. (or at least that is the 'protocol' for such a business. something about taking people's money before you ship an item is 'frowned' upon.)   If you are selling downloadable software, then you can capture right away.   Kevin -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bailey, Neal Sent: Monday, March 08, 2004 11:12 AM To: [EMAIL PROTECTED] Subject: Credit Cards - Best Practices Hello CFers&   I was wondering what are the best practices for credit card processing over the web. Should you pre-authorize a customer s card during check out and then run a batch transaction at the end of the day? Or should you run the card as a final sale and gather the funds immediately.  Just as I have heard people doing it both ways and I am in the process of converting my cart over to an automatic Card processor API.   What are the pros and cons of both&   Also I have noticed that many shopping carts store their Credit card info in the database. I have a little utility (MS Access) that transfers the customer s info to my system at home and then deletes all credit card info. This usually runs twice a day. Is there a better way to keep the card info secure?   Thanks Neal Bailey Internet Marketing Manager E-mail: [EMAIL PROTECTED]   --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.605 / Virus Database: 385 - Release Date: 3/1/2004