Hello,

i have a client who wants to be able to bill clients by having them enter the details online and and he will use his manual cc processing device from his store.

How can that be achieved securely ?

I mean you can't send the details via mail or save them on a db online...so how is it done?

Thanks

I personally does not manually process. when I order something online I prefer directly to make payment from the gateway.

I would first have him check with the merchant account processor on this. His contract might say that a very high percentage of transactions will be swiped. Deviations from this might lead that processor to terminate his account or raise his rates.

Also, keying in those transactions might make them non-qualified and those transactions be subject to a higher discount rate

Corey is right. A swipe terminal is for face to face transactions. When the card isnt swipable, Youre supposed to be using the imprinter to get an image of the card. This way hes covered, but still it does count against the merchant because his account is based on swipe transactions. Consequences can be termination, TMF, or they may counter and change his rates. The safest solution is for this client to get a separate merchant account for online processing. With the right merchant account, that shouldnt cost more than another $10-20 per month + normal transaction fees.

You can use a secure server/shopping cart such as Mal's e-commerce (free in the basic version)
http://www.mals-e.com

arbel, what payment options your client have ?

Is he using SSL for his site. If situation remains same, SSL must be there. If he wants to store the CC details in the hard disk of his local PC, there is a risk that any hacker can gain access to it and misuse it. Either he use any web payment processor or keep CC details in encrypted form.

We have a customer who used to do all business locally and decided to put up a website for online orders. I had him check with his processor first about being allowed to take orders online and they said he could as long as how the data was handled was secure. We set up an order system for him that took credit card data, split it into 2 parts, encrypted each part, then emailed him 1 part and saved the other part on the server temporarily. He then logged into a secure admin panel to get the other part and delete it from the server. He then decrypted it on his computer, processed the order, and deleted it.

The card company checked it out and told him he can go ahead and take orders online.

I think what he means is a terminal. Many merchant accounts offer terminal entry where you can key the order in and the amount and charge it that way.

Just use oscommerce.

Assuming the Merchant approves manual entry, another option is secure form providers like web-form-buddy.com. They have a nice system that allows you to create the form on your website. Their program provides a secured connection (https) to the form when the user "submits" the order. The info is retained on their secured servers. Then, an email is sent to the admin telling them of an order.

The admin logs into their secured server to capture the credit card & order information. Certainly more work, but it is an option.

One thing to keep in mind is that any Visa or MasterCard transaction processed online is supposed to include the appropraite Electronic Commerce Indicator (ECI) flag on the transaction.

If it does not contain this information and was originated online, it is technically out of compliance with the Card Association rules & regs. So that always poses a potential risk with a merchant's processor if they find out about it.

I know that a lot of times merchants who are not big into the online processing side of things want to just collect data online and then run it through on their store's terminal as a key entered sale but I really would advise against that.

It is very easy and inexpensive to setup an online payment gateway and Internet merchant account so that is really the best bet under almost all circumstances. In addition, if the merchant does not want to capture the sales until they verify inventory or availability, the online transaction could be done as an "auth only" sale to pre-authorize the card but not capture & settle it.

Then, once the order is confirmed, the merchant can quickly log in and do a "capture" transaction to settle and clear the card at which point the funds transfer process can begin.

That being said, if a merchant is setup as a Mail Order/Phone Order merchant, it is possible for them to have their terminal configured for that purpose in which case their processor will be expecting their sales to come through as 100% MOTO.

The occasional MOTO sale can also be run on a Retail swipe account as long as it does not exceed 50% (in most cases) and it complies with the rules of the merchant processing agreement.

Last but not least... on several types of terminals it is possible to have more than one merchant ID as a way to save equipment cost. For instance, MID#1 could be for Retail swipe and MID#2 could be setup for Mail-Order transactions at a pricing structure designed for those types of sales.

Otherwise, the downgrade costs for a key entered sale on most retail accounts will end up being higher in most cases than a merchant account specifically priced and setup for MOTO transactions.