If you are colocating, make sure you have all extra services turned off 
so nobody on their network can attach or attempt to intrude. And don't 
forget to secure all logins with good passwords. If you are using NT, 
don't forget to secure the 'Guest' login.

Bob

-----Original Message-----
From: "Bailey, Neal" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Mon, 8 Mar 2004 17:48:20 -0600 
Subject: RE: Credit Cards - Best Practices

> Hello Bob,
>  
> Thanks for the great feedback... Your number 2. was what I was looking
> for.
>  
> I think I have most of that stuff covered. 
>  
> - I already use an SSL Certificate for checkout and registration and a
> separate SSL for my Admin section.
>  
> - I have a secured gateway to my merchant via a custom API that I am still
> customizing. 
>  
> - My merchant has a very nice Merchant Administration system through
> LinkPoint. About to be LinkPoint 3.0.
>  
> - My server is "Mine" and is hosted via colocation here in town behind my
> own Firewall (SonicWall). 
>  
> I would appreciate it if you and anyone else could look through my cart and
> see if you see any issues with how it works or should work. This is my first
> cart I have designed from scratch, so go easy on me. No really, any
> information as to whether it's unsecured or the link structure is bad or the
> login does not make sense, please just let me know. I want to make sure this
> is in good working order before I launch it at the end of April. 
>  
> Here is the url:
> http://www.BlissfulEssence.com <http://www.blissfulessence.com/> 
>  
> it will ask for a login... Twice, once on home page and once on secured
> page. 
>  
> Username: webguest
> Password: bliss01
>  
> Feel free to register and go through the checkout process using test card
> numbers. Visa, 4111111111111111
>  
> Neal Bailey
> Internet Marketing Manager
> E-mail:  <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
>  
>   _____  
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 08, 2004 4:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Credit Cards - Best Practices
>  
> Here are some guidelines:
> 
> 1. Make sure your cart page uses an SSL Certificate to encrypt the
> transmission to your template(s).
> 2. Merchant accounts themselves designate if you can authorize then
> batch/capture or simply authorize/capture.  The industry standard is as
> follows: If you can ship within 24 hours of the order receipt, you can
> authorize and capture at the same time.  If as the rule you have to wait
> longer to ship, then you have to pre-authorize the card and then capture the
> card individually or in batch when you ship.  When you applied for your
> merchant account they would tell you their rules/guidelines.
> 3. When you receive the credit card via the secure screen and either
> pre-auth or capture the card you may want to save the last 4 digits of the
> card, but you don't need it for anything else except possible 'account
> reconciliation' so what is the point in saving the credit card at all? There
> is none. You should receive a transaction number and authorization number
> from the merchant processor and that is all you need.
> 4. For batching, your credit card processor has the card number, under
> their security with a transaction number. You batch it when you ship; so you
> don't need the full card number then either.  This offers you and the client
> the most protection.  Most processors offer a secure login to their system
> for you to be able to perform returns and batches and other activities.
> Verisign's Payflow system offers such a system. And there is a CFX to
> interface with it.
> 5. If your merchant does not offer a system like this, see if you can batch
> transactions with the 'pre-authorization' number and/or transaction number.
> Then you only store these numbers and again not the credit card number.
> 6. If you have to have the credit card number because you are running it
> manually through a POS or card system, then have your database on a machine
> behind a firewall or other protection.
> 7. If anybody but you has access to your database, if it is out of your
> physical possession it is susceptible to intrusion; that includes your own
> office or at a hosting facility.
> 
> Bob Coalter
> InterNet Partners, Inc.
> www.internet-partners.com <http://www.internet-partners.com/> 
> 
> Yeah this is kind of how I think... But at the same time I want to
> streamline the process as it's only me and my wife running this biz. And
> trying to keep up with who ordered what and when is sometimes confusing. But
> I am working on a new backend that will hopefully make things easier to
> manage. I was going to just buy another shopping cart but when I looked at
> all the different CF Carts I decided to just build onto mine and create a
> better backend as I really like my front end.  
> 
>  
> 
> Neal Bailey
> 
> Internet Marketing Manager
> 
> E-mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
> 
>  
>   _____  
> 
> From: Kevin Barber [mailto:[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> ] 
> Sent: Monday, March 08, 2004 11:59 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Credit Cards - Best Practices 
> 
>  
> 
> Neal,
> 
>  
> 
> It also depends on the company's business structure.
> 
>  
> 
> Many online e-tailers will 'pre-auth' a card. Then when the product ships,
> capture the sale. (or at least that is the 'protocol' for such a business.
> something about taking people's money before you ship an item is 'frowned'
> upon.)
> 
>  
> 
> If you are selling downloadable software, then you can capture right away.
> 
>  
> 
> Kevin 
> -----Original Message----- 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> ]On Behalf Of Bailey, Neal 
> Sent: Monday, March 08, 2004 11:12 AM 
> To: [EMAIL PROTECTED] 
> Subject: Credit Cards - Best Practices 
> Hello CFers... 
>   
> I was wondering what are the best practices for credit card processing over
> the web. Should you pre-authorize a customer's card during check out and
> then run a batch transaction at the end of the day? Or should you run the
> card as a final sale and gather the funds immediately.  Just as I have heard
> people doing it both ways and I am in the process of converting my cart over
> to an automatic Card processor API. 
>   
> What are the pros and cons of both... 
>   
> Also I have noticed that many shopping carts store their Credit card info in
> the database. I have a little utility (MS Access) that transfers the
> customer's info to my system at home and then deletes all credit card info.
> This usually runs twice a day. Is there a better way to keep the card info
> secure? 
>   
> Thanks 
> Neal Bailey 
> Internet Marketing Manager 
> E-mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>  
>   
> 

-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To unsubscribe: 
   Send UNSUBSCRIBE to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org
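
Added example, not part of the original thread or any poster's code: a Python sketch of guidelines 2 to 5 above, keeping only the last 4 digits plus the processor's transaction and authorization numbers, with an audit helper that flags any full card number left in stored text. The `StoredPayment` fields, function names and the `transaction_id` / `auth_code` response keys are assumptions for illustration; the thread's own stack is ColdFusion.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class StoredPayment:              # hypothetical row: note there is no PAN field
    order_id: str
    last4: str
    transaction_id: str
    auth_code: str
    mode: str                     # "sale" or "preauth"

def choose_mode(hours_until_ship: float) -> str:
    """Guideline 2: capture at once only if shipping within 24 hours."""
    return "sale" if hours_until_ship <= 24 else "preauth"

def record_payment(order_id, pan, processor_response, hours_until_ship):
    """Build the row to persist; the full PAN never leaves this function."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a valid card number")
    return StoredPayment(order_id, digits[-4:],
                         processor_response["transaction_id"],
                         processor_response["auth_code"],
                         choose_mode(hours_until_ship))

def find_pans(text: str) -> list:
    """Audit helper: masked hits for anything that looks like a full PAN."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits
```

Running `find_pans` over exported order notes or log lines before they are copied off the server shows whether a full card number slipped into a free-text field.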
