Web Hosting Talk







View Full Version : Credit Card Processing


yghosting
04-17-2006, 02:08 PM
I'm just looking for opinions from people with experience. I am currently running Modernbill but I do all my transactions with 2co and paypal. In May I'm going to start accepting sales through my own Merchant Account.

How do you do recurring billing? I know Modernbill has a feature to encrypt and store the credit card numbers locally so you can process them. But I was wondering if there is another way to set up recurring billing without storing them locally?

Also, if you do store them locally to process, do you add any more security on top of what Modernbill provides? And what are some legal issues involved in storing credit cards locally?

Thanks.

rocketcity
04-18-2006, 04:14 PM
While we do not use Modernbill, we do process monthly recurring CCs. The billing software we use encrypts the CC information; this is a must if you are going to store customer CC info locally. A couple things that we also do is keep our billing software on a server all its own (no hosting allowed). We also have the server behind a firewall appliance and we limit employee access to the server. Kind of a need-to-know thing.

If you have not already done so, check out Visa's (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html) site on CISP:

totalprocessing
04-19-2006, 02:53 AM
Basically, you would be responsible for any stored cc data. MB encrypts the cc numbers. Should your cc data be compromised, V/MC or the acquirer will want to determine if your system and policies are CISP compliant. CISP is the standard minimum security requirements as imposed by the card associations and adopted by Amex and Discover. I spoke with MB a few months ago about MB and if it is CISP compliant. At the time they said they have not had an audit done on the MB program but felt it would pass if it were put under the scope.

Gateways which connect with MB are also required to be CISP. Most well known ones are such as authorize.net, verisign etc.

To learn more about CISP:

http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp.html|PCI%20Data%20Security%20Standard

The procedures:

http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Scanning_Procedures.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_merchants.html|PCI%20Security%20Scanning%20Procedures

Ariel74
04-19-2006, 10:34 AM
"Totalprocessing" had some good information; you should understand the PCI requirements (both Visa CISP and MasterCard's SDP security requirements).

Unless you understand the security implications of storing those credit card numbers (encrypted or not), you shouldn't do it. Some online gateways (authorize.net, for example) have reoccurring billing features that work without having to store the card number on your server.

Josh Stein
04-19-2006, 11:48 AM
I recommend checking out Wells Fargo if you are looking for a merchant account. You can add functionality to allow the processor to store the recurring transactions, though I do not think MB will integrate with that.

Corey Bryant
04-21-2006, 07:45 AM
We currently use LinkPoint for all our recurring billing process. The three gateways we looked at (Verisign's Payflow, LinkPoint, Authorizenet.com) did not provide some extra benefits that we needed and we just built something.

Look at your business plan and determine which might be the easiest way for you. LinkPoint worked great for us, but since our business plan was evolving, we had to change the billing process.