Web Hosting Talk

View Full Version : looking for a credit card gateway


cloe2002
02-24-2007, 03:05 AM
hi all, can someone tell me what a cheap but a good gateway is so i can accept credit cards from the internet. there is heaps of choices it is really hard to know which ones are better.
thank you very much

Cloe

Corey Bryant
02-24-2007, 08:15 AM
You are right - there are a lot to choose from but some gateways will not support you if you are doing high risk and some providers cannot support you depending on your location.

If you are in the United States, most gateways will charge a transaction fee on top of what the merchant account provider charges. LinkPoint only charges a flat fee. Payflow will charge more monthly but give you 1,000 free transactions. Authorize.net gives you about 250 free transactions from what I can remember.

cdgcommerce
02-24-2007, 10:08 AM
Hi Cloe,

Where are you based geographically? And do you already have a merchant account as well or are you in need of that too?

There are a lot of payment gateway options in the market. The most important thing is to first make sure that they are compatible with the merchant account you are using. And secondly, you'll want to make sure that it is compatible with any shopping cart/billing app that you are using as well.

A lot of merchant providers offer gateways like Authorize.Net, Payflow, Linkpoint etc. The pricing can often be very competitive for these gateways since many companies offer them. Usually bundled programs are the easiest where you get both a merchant account & gateway from the same provider but nothing really prevents you from doing this separately.

In addition, some merchant processors are now even offering free gateways included with their services. So this can really reduce a huge layer of cost for merchants.

Just make sure that if you see such an offer, you verify that the cost isn't being passed through in some other area - like an increased statement fee cost or other such fee.

Another thing to ask about is whether important solutions like Cardholder Authentication (Verified by Visa/MasterCard SecureCode) are supported by the gateway in question and if there are extra fees to utilize it. I can't stress enough what an advocate I am of these technologies as a way to fight fraud.

datums
02-24-2007, 10:19 AM
We've been using CDGcommerce.com and would highly recommend them. Mostly use them via the authorize.net gateway, but they also have their own.

Jumbuck
02-24-2007, 12:07 PM
Hi Cloe,

An alternative way would be you could get yourself a manual merchant account at a bank which are quite cheap. You would then be able to accept and charge credit cards that come to you by fax, telephone, physical mail as well as from the internet.

How you could accept credit cards on the internet is by a manual payment gateway that allows you the chance to check the order first before you charge the card. Have a look at either http://e-path.com.au or http://payecom.com.au.

With a manual gateway you can check the persons name, their delivery/physical address, phone, email etc. before you make the charge. This gives you a unique extra layer of security not present when a real time gateway transacts live.

Also, say if you are out of stock of an item, you can choose not to charge the card, rather than having to go to the trouble of having to do a reversal of a charge done automatically.

The other advantage is your merchant account is not sitting open on the internet. This may not be important to you but for me it's a huge issue. I don't want the world having direct access into my merchant account without me knowing.

Further, none of your credit card paying customers' data is permanently stored with either e-Path or Payecom. This is becoming an important consideration now. Nothing is guaranteed 100% safe if it's stored and accessible on the net so using a gateway that doesn't permanently store data is a huge security advantage - if it doesn't exist on the net it can't be stolen!!

Good luck

Dan-Iron
02-24-2007, 12:28 PM
I myself personally use 2co as credit card merchant, and even though they are expensive, they are good.

Dan-

cloe2002
02-24-2007, 12:59 PM
thank you people. jumbuck, i already have a merchant account. i already accept fax orders. they put their credit card details on the fax order form. does this mean i can get epath and not need to get another merchant account? i looked at the site. do you get charged anything more than what they say is their yearly fee?
cdgcommerce, where you say Cardholder Authentication (Verified by Visa/MasterCard SecureCode). i don't use this at the moment when receiving faxed payments. my bank has never mentioned it. should i get this? how can it make credit cards i receive by fax safer?

Cloe

Corey Bryant
02-24-2007, 01:17 PM
You cannot use VBV / MSC with faxed orders. VBV / MSC require the customer interaction and you are probably entering the credit card information in the electronic payment gateway's virtual terminal.

It almost sounds like you have a gateway - where exactly are you entering this information to charge the customer? Usually the gateway will provide a virtual terminal along with an API or a secure page to process the customer transaction.

cloe2002
02-24-2007, 01:45 PM
thank you for being so quick Corey. Here is all i know. i have a moto merchant account at my bank. i pay 2.0% of each amount the payment is for and $29.95 a year. it is for fax orders and telephone orders. i go to the bank's special page to enter my payments. it takes about 6 hours for the bank to get back to me to tell me they are approved. i can upload a text file with many credit cards on it but i don't know how to work this yet. it is easier for me to enter credit cards one by one into the page. i have been using it for about a year now. i really like it.
cloe

Corey Bryant
02-24-2007, 05:36 PM
Do you know what gateway you are using? Usually most MOTO accounts will support the internet because the fraud is basically the same. Have you contacted your provider to see what they can support for your website? You are happy with them and it seems there is no reason to really change.

cdgcommerce
02-24-2007, 06:05 PM
Cloe, who is your current bank? If you can let us know, we might be able to deduce what networks they work with to see what gateways might be available options for you.

Like Corey said, if you are happy with the account and it is working well - stick with it and perhaps the only improvement to be made would be to consider going with one of the available real-time gateway options - if it is compatible.

To Jumbuck's points... every single post you make you promote the e-Path gateway and try to tout a "manual gateway" as somehow superior in security, fraud prevention or cost to real-time gateways but it flatly isn't the case.

1. A manual gateway prevents a merchant from using CVV and seeing whether the CVV values match or not - that is terrible from a risk management standpoint and it detracts, not adds, to the ability to make a decision on whether an order is good or not.

2. A manual gateway does not enable the merchant to use Verified by Visa or MasterCard SecureCode - quite possibly the most significant liability protections ever developed for credit card processing and the ONLY ones developed BY the actual Card Associations. These tools can actually BLOCK 60% of the most common chargeback reason codes and using a gateway that does NOT support this makes no sense to me.

3. You make the claim that a system like e-Path doesn't "store" cardholder information but indeed it does... there is a lag time between when the data is entered online and when you as a merchant retrieve it and then run it through again and you better believe that this is considered storage.

And if a gateway system does store the data, it would never be on a public server anyways if it is done in a PCI compliant manner and audited by an independent certified PCI auditor.

BTW - you never answered me from my question several MONTHS ago as to whether or not e-Path does or does not store the CVV value, would you care to answer that yes/no now please?

4. Lastly, if a merchant wants to review orders before capturing, they can easily do so with a real-time gateway... but with the added benefit of features like CVV & VBV/MSC, to name a few.

Jumbuck
02-24-2007, 10:21 PM
Hi Cloe,

Yes, then in my humble opinion e-Path would be a perfect solution for you. You will be charging your customers' credit cards using the system you already have, so nothing changes except you'll now be able to receive credit card authorisations from your website or shopping cart too.

If you did go with e-Path I'd suggest letting your bank know. It is important to always keep your bank up to date with the way you use the merchant account facility they are providing you.

You'll be saving quite a lot compared to the cost of the "real time" gateway systems. But please check their costs out for yourself.

And because e-Path puts the details in front of you just like a fax you can check things like the buyer's name, physical address, telephone number etc. E-Path does NOT blindly charge anything entered into it instantly on the net, you have full control with e-Path, just like the way you do things at the moment.

In any case I would suggest the best people to talk to would be your bank.

Good luck

seolink
02-25-2007, 03:15 AM
I think paypal offers a free gateway where users can pay on your site. "Paypal Pro"...

cloe2002
02-25-2007, 10:24 PM
thank you everyone. i spoke to my bank today and they weren't sure of things - because i read from some of the messages here (clever me). they made an appointment for me tomorrow with the merchant services manager.
i really like the look of epath because i can still check things and stay with what i am doing now but i am worried about stuff cdgcommerce says about verified by visa or the other stuff that i can't use with epath (i think that is right isn't it?)
everyone has been really helpful and tomorrow the bank will let me know what they think.
thanks heaps

Lightwave
02-25-2007, 11:17 PM
I know people who use and endorse http://www.payjunction.com/
http://www.payjunction.com/products.htm#merchant_account_credit_card_processing

I would... but my volume and clients don't really need it yet.

Jumbuck
02-25-2007, 11:57 PM
Hi Cloe,

If you are thinking about e-Path, don't forget to tell your bank you will be still using your current merchant facilities to process the charge. You will find that most merchant account facilities have many security features built in anyway.

But yes, very important to make the distinction between where your customers' credit cards are being transacted. If using e-Path you will be receiving authorisations only from the internet, you will NOT be doing internet based credit card transactions. This is the critical difference.

Although cdgcommerce and I do not see eye to eye, for internet based live transactions what he says, in general, is correct (in my opinion anyway). But this is completely different from receiving authorisations only and processing through your established manual merchant account facility - which you do already when you receive a credit card payment by fax machine.

Whichever way it turns out I wish you well.

Cheers

cloe2002
02-27-2007, 08:51 AM
thank you to everyone. I printed out some of the messages (hope this is ok) and took them along to my bank. the merchant services manager read all the messages and said it was excellent advice. (there you go so thanks heaps).
cdgcommerce is right about all the security stuff (sorry jumbuck). all this has to happen when transacting a credit card on the net because it is a higher risk. the manager tried to get me to get the "real time processor" way which I think is the way cdgcommerce suggested. but it is too expensive for me. i would have to pay an extra charge every time i received a payment and i would have to get a different merchant account too. i can not afford this.

In the end they are ok with epath but i am not allowed to do internet based transactions with epath. but accepting people's credit card charge authorisations is fine. he told me there is another whole lot of security stuff applying to the epath way which is different to the other way and epath is ok with them for that.
he said it boils down to where the credit cards are being processed which decides where the merchant account is and who has access to transact into it, this decides what type of way i need to have. The security is different because the ways are different because the other stuff is different. (i hope i have that in the right order, it seemed to make more sense when he was saying it).
anyway, I have applied for epath because it seems great for what i need and I still don’t have to pay any extra charges every time I receive a payment which I love.
I can’t thank everyone enough. this has worked out really well for me.
cloe

Jumbuck
02-28-2007, 04:22 AM
Hi Cloe,

Sounds like you've had very good advice from your bank. I'm sure e-Path will be the perfect payment gateway for you. Let us know how you progress.

Cheers

knelson
02-28-2007, 04:38 PM
In the end they are ok with epath but i am not allowed to do internet based transactions with epath.


Maybe I missed something, but isn't internet based transactions what you originally wanted to do in the first place?

Please keep folks here posted on your experience with the company Jumbuck has been touting. As cdgcommerce commented, it was touted here a while back and there are still unanswered questions regarding it.

Do you have anyone working with you on your website? Do you have a consultant or programmer you can talk to about this? Because you really do already have a merchant account and it's a shame that you're going to pay more for something you technically already have.

The main issue involved here is the question of "how are you getting your billing information from your customer via the internet." The easy answer is what your bank suggested - use a gateway with some canned shopping cart program. The more difficult answer, but in the end perhaps less expensive, is to talk with your programmer to see if they can come up with a secure method (that meets all of VISA/MC's security requirements) of getting you that information. You can then manually input it into your existing terminal setup - just like you're doing with faxed orders.

Hope all the best for ya!

Edit: OK... I just reread your response cloe2002, and see that you ARE still going to be using your existing merchant account, and just wanted a way to accept payment info via the web. Sorry for my confusion.

In the end, all you're really doing with epath is paying for a secure web-based form processor. If you are working with a web designer/programmer, ask them specifically using those words... "secure or encrypted form processor" ... and perhaps they can point you to something that you don't have to pay extra for.

Jumbuck
02-28-2007, 07:36 PM
Maybe I missed something

Yes you did.



Please keep folks here posted on your experience with the company Jumbuck has been touting. As cdgcommerce commented, it was touted here a while back and there are still unanswered questions regarding it.

I suggest things to people where appropriate. I am certainly no expert but I am a long time user of the real time payment gateway system and a very satisfied user of the manual system too and will always qualify why I suggest anything in these forums, whether that be a real time gateway or manual system. I DO NOT plaster my signature with advertising.

You mentioned unanswered questions? What unanswered questions are there?

Looking at your history it certainly appears you like following cdgcommerce posts with posts that say almost the same thing. Only an observation mind you but go ahead, what questions remain unanswered? I have a feeling I know what's coming.

Cheers

knelson
02-28-2007, 09:51 PM
BTW - you never answered me from my question several MONTHS ago as to whether or not e-Path does or does not store the CVV value, would you care to answer that yes/no now please?


Jumbuck,

I believe the question above is the one still unanswered.

Your implication that I'm associated with cdgcommerce is dead wrong. I'm a small business owner that doesn't use a gateway and like yourself, use a "manual process" to process payments. I process my accounts manually through Nova into a bank down the road from me. No association whatsoever with cdgcommerce. (However, I will say that the information he gives out usually seems to be spot on, along with several other helpful merchant account type folks here.)

But like cdgcommerce, I took note when you started touting the "manual process" as the end of all credit card fraud, and implying that people's merchant accounts were somehow open to the world with no way of controlling it. Those two things are just blatantly wrong and we've discussed that in previous threads.

I'm just trying to point out to cloe2002 that there are other options out there, including many other subscription-based, web-based, secure form processors - which is all epath really is.

Regarding signature lines and advertising, at least when folks list who they're associated with, you can make an educated decision on whether or not you're receiving biased information. Just because no affiliation is listed doesn't mean someone doesn't have a vested interest in a product they're touting.

cdgcommerce
02-28-2007, 10:44 PM
Hi Knelson,

According to the e-Path demo, the CVV info is not sent through. (Which in one sense is good since that would make e-Path non-compliant, on the other side it is not at all good since no e-Path merchant can thus ever benefit from this useful screening tool)

One NEW question that I do have for Jumbuck is this - has e-Path successfully completed an audited PCI certification?

I mention this because I took a peek at the Visa site:
http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

And I did not see it on there. Since they have been in business since 2004, I would assume this has long since been done but maybe it is under a different corporate name on the page?

It is VERY important for any merchant to use only a PCI-certified gateway. While I certainly advocate real-time gateways for the many inherent advantages they provide, ANY centralized system that touches cardholder data MUST be PCI-certified and it is very important for merchants to only use such systems.

Lest the debate over manual vs. real-time begin anew, I'm not even going to go there but I do think it is a very valid question to ask whether or not e-Path has successfully gone through a full PCI audit and what name they are under (if any) on the CISP provider list.

PS - one other question that has been bugging me. Jumbuck, could you disclose the full nature of your relationship with e-Path?

Jumbuck
02-28-2007, 11:07 PM
Yes I remember now answering a comment from you some time ago.

Firstly when a real time payment gateway is set up to transact live on a website or shopping cart, it most certainly does happen without the immediate knowledge of the merchant. The merchant does in fact have no prospect of inspecting the order BEFORE the transaction attempt is performed. To suggest this is not the case is totally incorrect.

There is no implying about it. When a real time system accepts credit card payments live and directly communicates them into the merchant's merchant account then it will work for anyone entering any credit number they like. This is how it works. It is most certainly open to the whole internet. I can't think of any real time payment gateways that disallow people on the internet to enter credit cards, unless it is specifically set up to allow for the merchant to approve the charge first in which case it's not transacting live and instantly on the net in the first place.

Hence you have a stream of security plug ins and add ons like VBV, MCC etc because they sure as hell need to be there when a real time payment gateway transacts live on the net. And how effective are they? Well, I'll leave you to have a look at how much fraud is costing the industry every year. While I'm sure VBV and MCC work very well when circumstances are right, I am not satisfied that either VBV or MCC, or even CVV for that matter, means that merchants will never again fall victim to fraud. That's just not the case.

I don't know how you are capturing credit card data using your own manual way. I thought you need to have a dedicated server with extreme security provisioning, housed in a caged and locked location and have limited approved access to it. Also, how are you monitoring and managing your encryption engine? Do you regularly change keys? and change their locations? How are you storing credit card data? Do you store it and if you don't then how are you getting it to enter it into your manual system?

I'm no expert but from what I've read from the Payment Card Industry Data Security Standards it certainly suggests that gone are the days when you can just use a basic one-fits-all encryption from a form under SSL on a shared server. You should check into things to make sure you are not doing anything illegal or contrary to what is required for the safe handling of credit card data. If you are doing things right then power to you.

In fact I remember asking you about this before but you evaded answering me. This info is not something that you should keep hidden from those who trust you when they pay by credit card on your website. If their credit card data is safe then it's something you should not be worried about telling them.

Just a thought.

Cheers

cdgcommerce
03-01-2007, 01:54 AM
Jumbuck,

Who are you addressing these questions to? Me, Knelson, Cloe?

Could you please answer the question I posed first?

Question: Has (or has not) e-Path successfully completed an independently audited PCI certification? If so, where is it on the Visa list below? Is it under a different name/corporate name?
http://usa.visa.com/download/merchan..._providers.pdf


I am not trying to be antagonistic here... it is a basic question that any gateway company should be able to readily answer.

PS - please also reply regarding your affiliation with e-Path.

knelson
03-01-2007, 02:16 AM
I think he was talkin' to me!

If you are doing things right then power to you.

Thank you. I've been doing what I've been doing for three years and have had no issues and am fully compliant with the CISP requirements for a business my size.

In fact I remember asking you about this before but you evaded answering me. This info is not something that you should keep hidden from those who trust you when they pay by credit card on your website. If their credit card data is safe then it's something you should not be worried about telling them.

And as I said in that previous thread, part of being secure is not discussing your security! If any customer of mine asks about the security of their credit card information, I'll discuss it with them. Personally. Not broadcast on an internet forum for everyone to see.

I had no intent to hijack the thread and reopen an old can of worms, but instead truly wanted cloe2002 to report back on her experience with epath. Seems like a fair request. I also wanted her to be aware that epath is nothing more than a secure form processing service. A lot of times, folks don't really know what exactly it is to ask for, in order to get what they want.

Oh... and thanks cdgcommerce for finally answering the question that seemed to keep getting brushed under the rug.

keokie
03-01-2007, 03:05 AM
Jumbuck,

I believe the question above is the one still unanswered.

Your implication that I'm associated with cdgcommerce is dead wrong. I'm a small business owner that doesn't use a gateway and like yourself, use a "manual process" to process payments. I process my accounts manually through Nova into a bank down the road from me. No association whatsoever with cdgcommerce. (However, I will say that the information he gives out usually seems to be spot on, along with several other helpful merchant account type folks here.)



Hi Knelson,

What are the correct procedures for processing manually? I have a brick and mortar merchant account, but would like to process manually online with a compliant secure card capture. What do you use? I understand E-path has this certain type of gateway, but are there any other options? There's not much information about processing manually. But most importantly, processing manually without breaking any compliancy rules.

Jumbuck
03-01-2007, 03:27 AM
I am not trying to be antagonistic here... it is a basic question that any gateway company should be able to readily answer.

Well you could have fooled me.

The fact of the matter is I don't know why e-Path is not on the list of approved credit card processors, perhaps it may be due to the fact they are not a credit card processor and they don't do internet based credit card transactions at all. But I will send e-Path a support request for clarification.

And how many times have I got to tell you? I have an e-Path account - that's my association. I threw my real time system in the bin and overnight I ended falling victim to fraud and halved the costs of receiving credit cards. Gone are the days of charge backs also. E-Path literally saved my business.

May I add, that unlike you, I have been a user of both systems. And both played a critical role in my business. One sent me broke the other saved me. Simple as that really.

But your comment about anything "touching" a credit card is pretty far fetched cdgcommerce and I feel you are harping on this in an attempt to further put down a system that goes a long way towards reversing the terrible mess real time payment gateways have caused the industry and their unsuspecting users, not to mention the ordinary credit card paying customer. We still hear of major e-commerce real time payment gateway firms being hacked and thousands of credit cards being compromised. But wait, there's VBV and MCC .... hmm ... someone forgot to tell the crims.

Really, if you want to continue to push a system that is almost solely responsible for the countless hundreds of millions of dollars lost in credit card fraud related theft every year then that's your business. Many simply believe the time is well overdue for a safer and less costly solution. And I happen to agree with them 100%.

But I'll take on board what you say, I will contact Visa and ask them where is SHARP, SONY and other makers of fax machines on their list. These are appliances that also "touch" credit card data. I can't find any fax machine on there, nor can I find any telephone manufacturers, nor postal services. Yet fax machines, telephones and postal services just like e-Path carry credit card data all the time.

I suspect the reason is a fax machine, telephone, postal service as well as e-Path do not process credit cards on the internet. Therefore the insane risks associated with real time live internet based credit card processing is simply not applicable. A pretty simple observation. But I'll get confirmations for you from Visa, perhaps we can get a few fax machine brands on there!!

Cheers

Corey Bryant
03-01-2007, 07:42 AM
But I'll take on board what you say, I will contact Visa and ask them where is SHARP, SONY and other makers of fax machines on their list. These are appliances that also "touch" credit card data. I can't find any fax machine on there, nor can I find any telephone manufacturers, nor postal services. Yet fax machines, telephones and postal services just like e-Path carry credit card data all the time.

PCI compliance deals with internet transactions - not face-to-face, that's why they are not listed as being PCI compliant.

There are four merchant levels and three service provider levels. Chances are all providers will be Service Level One (All VisaNet processors (member and nonmember) and all payment gateways). Service Level Two is any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. And Service Level Three is any service provider that is not in Level 1 and stores, processes, or transmits less than 1,000,000 Visa accounts/transactions annually.

Each of these has different requirements, from doing a questionnaire, to a quarterly scan, to an on-site security audit.

Since Sharp and Sony are service level providers, they do not need to be listed. If they are storing credit cards, they have four different merchant levels to choose from. And they need to be compliant, if not, they risk being fined $25,000 when a compromise occurs.

Jumbuck
03-01-2007, 09:13 AM
PCI compliance deals with internet transactions - not face-to-face, that's why they are not listed as being PCI compliant.

There are four merchant levels and three service provider levels. Chances are all providers will be Service Level One (All VisaNet processors (member and nonmember) and all payment gateways). Service Level Two is any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. And Service Level Three is any service provider that is not in Level 1 and stores, processes, or transmits less than 1,000,000 Visa accounts/transactions annually.

Each of these has different requirements, from doing a questionnaire, to a quarterly scan, to an on-site security audit.

Since Sharp and Sony are service level providers, they do not need to be listed. If they are storing credit cards, they have four different merchant levels to choose from. And they need to be compliant, if not, they risk being fined $25,000 when a compromise occurs.

This is very interesting, I wasn't aware of this. Half of the fax machines today store received faxes in memory for retrieval. In fact after retrieval many of them retain the faxes in memory. I wonder if this classifies them as storing credit card data considering it's credit card data they are storing in memory.

To my knowledge e-Path hasn't done one single internet based credit card transaction. That's not what they do. I am still awaiting a response from them on this question. But if PCI compliance only deals with internet transactions and e-path, like fax machines, don't do internet transactions then how could either of them become PCI compliant? I guess I've answered my own question.

Cheers

cdgcommerce
03-01-2007, 09:27 AM
Jumbuck,

Let me state this very clearly - a full PCI audit is required for compliance for ANY 3rd party service system which touches or stores cardholder data. This is a fact and directly from Visa and MasterCard, in the exact words of Visa in fact.

As I have mentioned before - IT DOES NOT MATTER -what- the system does WITH the cardholder data. It can forward it on, transact it, store it for later retrieval (like e-Path)... the whole point to PCI is to protect cardholder data period. Not just cardholder data used in a real-time transaction but ALL cardholder data.

It isn't optional for a payment gateway of any kind - it is required. And if it has not been done by e-Path, then e-Path is NOT PCI certified, NOT PCI audited and NOT compliant with this requirement. If I were you - given that you tout your system so profusely, I would suggest pushing hard for them to immediately arrange for a full audit to be done so that they can be added to the list in the coming months.

Merchants put themselves at risk if they use a non-PCI compliant gateway and in fact using it would quite likely represent breach of their merchant processing agreements as almost all banks, pressured by Visa & MasterCard, now contain a clause stating that merchants may only process online using a PCI certified system. After all of this time and all of this touting by you about security, I am honestly shocked to now understand that e-Path has never even been through a PCI audit!

In addition - your comment is COMPLETELY off base when you state "e-path, like fax machines, don't do internet transactions" - this is completely not true! Give me a break... e-Path accepts transaction data FROM the Internet from customers that order.

How can you possibly try to tell the forum here that e-Path does not do Internet transactions when anyone can easily see from the demo and from your comments that it takes order/cardholder data right from the Internet ordering page and then stores it for later retrieval FROM the Internet as well.

Your analogy to a fax machine is also equally out of line. Let's stick to the topic here. My biggest concern at this point for any merchant considering e-Path would be the lack of PCI audit and certification - that should be a warning flag for any gateway.

If indeed they have been PCI audited and certified, then let us know where the entry is on the Visa CISP provider list or where their third party auditor certification letter is.

cdgcommerce
03-01-2007, 09:46 AM
Oh and by the way... this quote is directly FROM the e-Path Web site:
"The e-Path Credit Card Payment Gateway, or Internet Payment Gateway as it is sometimes called, is a securely hosted credit card payment and receipt page gateway."

So, Jumbuck, this is a self-stated Internet Payment Gateway that "hasn't done one single internet based credit card transaction"???

Jumbuck
03-01-2007, 12:14 PM
For goodness sake cdgcommerce, have a read of the mess you've just written.

No, e-Path does not do internet based transactions. Do you know what a credit card transaction is? Seriously do you know?

Next you will say fax machines do credit card transactions. E-Path delivers the info from customer to merchant in exactly the same way fax machines do. E-PATH DOES NOT DO CREDIT CARD TRANSACTIONS ON THE NET OR ANYWHERE ELSE IN EXACTLY THE SAME WAY AS FAX MACHINES DON'T DO CREDIT CARD TRANSACTIONS. The actual processing occurs when the merchant enters the credit card into their merchant account.

I'm afraid you are running around in a huff getting yourself all worked up trying to find something, anything, to support your denial that here is a system that is immeasurably safer and more secure than the typical real time gateway. You don't want to admit it because you are in the business of real time payment gateways, understandable I guess.

But the simple fact is most are totally fed up with the vulnerabilities of a system that has effectively given us the bulk of the multiple hundreds of millions of dollars of fraud every year. People are tired of charge backs and just about everyone loathes the idea of gateways permanently storing credit card and transaction data. E-Path and the many other manual gateways now appearing on the scene should have turned up years ago.

Reminds me of a motor vehicle manufacturer doing his best to convince people that a new 100% electric car is dangerous because it doesn't have the right fuel tank fire protection. Quote all the rules from a different and dangerous system you want. This electric car doesn't have a fuel tank - e-Path doesn't process or transact credit cards on the net and nor do fax machines. It is a very simple fact.

If I was in your position and the new manual super-gateways hit town I too would not exactly be jumping for joy. I mean people's merchant accounts are not needed to be left permanently open on the net for anyone to enter anything they like and credit card data is not permanently stored. I mean these two areas straight off the bat that together account for the bulk of the online fraud today, yet e-Path doesn't do either. No wonder you are so beside yourself.

You will have to at some point accept the fact that things change and in this particular case I do believe they are certainly changing for the better. There is about four hundred million dollars worth of proof every year why the world desperately needed to find an effective alternative to the real time payment gateway system. I concede that manual payment gateways may not be the perfect answer, but for banks, online merchants and ordinary credit card holders they are a quantum leap in the right direction.

geezzzz

Jumbuck
03-01-2007, 12:19 PM
If you want to quote stuff why not these.....

"[e-Path] An ingenuous lateral approach easing the pressure on the credit industry as they continue the struggle to close security vulnerabilities with card based live transactions over the internet."
David Taylor - Commerce Tomorrow (Monthly Publication)

"Watch e-Path. The disturbing question is why has it taken so long for a model like this to appear?"
William J Newbury - Financial Reviews, Epay World

"One of the first new "manual super-gateways" bred to P.C.I. Consortium standards ... sacrifices the convenience of instant cc internet transaction processing for the sake of improved security. Granted, they [e-Path] do this well but I for one will not be going to a manual system."
Claire McKinley - Enterprise Commercial Quarterly

"We all know high strength 2,048 bit asymmetric cryptography is unbreakable. What is unique is how they [e-Path] have designed their relatively simple non-live online gateway service around it. Clever, but their 'uniqueness' won't last five minutes."
"Professor Byte" - Willmington e-Commerce Advisory Committee

"These new manual super gateways give banks prime leverage to target their merchant banking services to the lucrative entry level virtual business market with new reduced risk."
S. Johnston Jnr - Smith, Johnston and Boverich. Strategic Financials.

"You simply can not get a better way to protect credit card information on the internet than for it not to exist on the internet. E-Path delivers what is shaping up to be an almost annoyingly commonsensical solution to the problem of internet based credit card data security."
Damien Croft - CEO, ComCron

"The challenge with encryption is that older payment systems were not built to support the scrambling technology ... Encryption is the ultimate measure of security.."
Qualys CEO Philippe Courtot, from:
http://news.zdnet.com/2100-1009_22-6072594.html

knelson
03-01-2007, 12:23 PM
Hi Knelson,

What are the correct procedures for processing manually? I have a brick and mortar merchant account, but would like to process manually online with a compliant secure card capture. What do you use? I understand E-path has this certain type of gateway, but are there any other options? There's not much information about processing manually. But most importantly, processing manually without breaking any compliancy rules.

As I said previously, I don't discuss my personal solution to this. It's not that I have anything to hide, it's just plain common sense. I will say that I utilize a secure form processing script (yes Jumbuck... with all the encryption bells and whistles you tout) and submit the information through my MO/TO merchant account. My merchant account provider is well aware of my operations, and has no issue with the way I do business.

From what I see and what's been said, E-path is truly not a gateway, as it's normally defined here. They are a secure form processor that stores payment information for later retrieval by the merchant via the net. If they are following all the requirements for "storing" the information, that is a viable way of doing things.

To process manually, from my understanding and others I've consulted with, you only need a secure means of transmitting (not storing) credit card data that is consistent with the requirements set forth by VISA/MC/etc. It is then up to you to manually submit the information for processing through your existing merchant account. Obviously, wherever the credit card information goes for short-term and long-term storage will still have to comply with all the applicable regulations.

Truly manual systems only make financial sense for very very very low volumes. If and when I eventually get a higher level of sales, I will have to switch to a more automated gateway type system to deal with the volume. There is a high level of overhead on the merchant's end with manual systems compared to an automated gateway, which is why you probably don't see more about it - the market is just not there for anyone to really get excited about building a product around it.

cdgcommerce
03-01-2007, 12:37 PM
I seriously think you're on tilt, Jumbuck. Take a breather, friend. You are making absolutely no sense here and still not addressing one of (the many) core weaknesses of e-Path.

You wrote:
"No, e-Path does not do internet based transactions." and
"e-Path doesn't process or transact credit cards on the net and nor do fax machines. It is a very simple fact."

LOL. So what do you call it when you have a self-described "Internet payment gateway" system (as described on the e-Path Web site!) that puts up a SSL order page ON THE INTERNET, asks a customer for their credit card payment details ON THE INTERNET, gives them a receipt/confirmation ON THE INTERNET and then stores the transaction for later retrieval VIA THE INTERNET.

Hmm... yes. I think that quite clearly qualifies as an INTERNET transaction. It is done on the Internet, it is a transaction. Data flows over the Internet to make it happen.

Can you SERIOUSLY be arguing such an obvious point as this? (Here's a hint: people are not going to take other points of your debate very seriously if you try to make such an outlandish claim as "e-Path does not do Internet transactions")

Besides - the semantics don't even really matter. You call it anything you care to call it. The bigger point IS that Visa and MasterCard require a full on-site PCI audit and certification for ANY 3rd party service system that TOUCHES cardholder data.

e-Path touches cardholder data. Data is received into the e-Path system and servers. As a result, for it to be compliant with PCI - it MUST go through an independent audit process and it should thus be listed on the PCI site or have a certification letter (if it's pending listing).

So enough of the rhetoric on fax machines and automobile manufacturers. I would ask you again for a YES/NO answer on whether e-Path has completed an independent PCI audit but at this point I think the answer is clear.

At least if e-Path were PCI certified you'd have some ground to stand on here but as it stands now, the fact that it is NOT puts merchants at risk UNTIL such a time that it successfully completes a full PCI audit.

Whether or not anyone is in the "pro-manual" or "pro-realtime" camp, the bottom line is that PCI compliance and a successful independent PCI audit for inclusion on the PCI provider directory is a bare minimum requirement for ANY system a merchant contemplates using.

Jumbuck
03-01-2007, 01:09 PM
Cdgcommerce, you still don't seem to understand the difference between performing credit card transactions on the actual internet and performing transactions into a manual merchant account. The two are completely different. I'm really sorry but that's just the way it is mate.

The internet is the electronic communication medium used by the manual system, it is NOT where credit card transactions are performed with the manual system.

I'm at a loss to explain it any further, I've used fax machines, electric cars etc, to make it as easy as possible for you to follow but my feeling is if you acknowledge it it would lead you to conclude your arguments simply are not applicable.

Sorry. There is nothing more I can say. My e-Path account I have does not transact credit cards on the internet for me, I transact the cards myself into my merchant account at my bank and to be frank with you there is nothing you can say that changes this. Only I have access into my merchant account - another big advantage the manual system has over the highly vulnerable real time payment gateway system.

cdgcommerce
03-01-2007, 01:39 PM
Jumbuck, you don't seem to grasp the concept that a transaction that is initiated over the Internet IS indeed an Internet transaction. Where it is later authorized on the bankcard side is quite irrelevant. What path the data travels is the relevant question here and the only one that matters.

There are several indisputable facts here:

1. e-Path is an Internet payment gateway. The company states this on their Web site. Even in your own words, it is a "manual gateway."

2. e-Path touches cardholder data. I don't care if you want to debate semantics and say it is not a transaction, you can't ignore the fact that cardholder data is transmitted into the e-Path system over the Internet. The data goes into e-Path, the data is stored in e-Path, the data comes out from e-Path.

3. Since e-Path is a 3rd party gateway that touches cardholder data, it is required to be PCI compliant and PCI certified by an independent auditor per Visa & MasterCard.

4. E-path is not compliant because it has failed to take these basic steps.

Therefore, merchants who use it subject themselves to potential liabilities with their merchant processors especially if there is ever a compromise. Without having an independent audit done by a qualified auditor, there is no way to verify that everything has been properly addressed.

Don't you think that any merchant who is concerned about security would want to see that such a BASIC step has been taken to ensure the security of the system?

You talk constantly about security, security, security and yet the system that you are touting here hasn't gone through the one REQUIRED step that payment gateways must take PER Visa and MasterCard!

keokie
03-01-2007, 03:31 PM
As I said previously, I don't discuss my personal solution to this. It's not that I have anything to hide, it's just plain common sense. I will say that I utilize a secure form processing script (yes Jumbuck... with all the encryption bells and whistles you tout) and submit the information through my MO/TO merchant account. My merchant account provider is well aware of my operations, and has no issue with the way I do business.

From what I see and what's been said, E-path is truly not a gateway, as it's normally defined here. They are a secure form processor that stores payment information for later retrieval by the merchant via the net. If they are following all the requirements for "storing" the information, that is a viable way of doing things.

To process manually, from my understanding and others I've consulted with, you only need a secure means of transmitting (not storing) credit card data that is consistent with the requirements set forth by VISA/MC/etc. It is then up to you to manually submit the information for processing through your existing merchant account. Obviously, wherever the credit card information goes for short-term and long-term storage will still have to comply with all the applicable regulations.

Truly manual systems only make financial sense for very very very low volumes. If and when I eventually get a higher level of sales, I will have to switch to a more automated gateway type system to deal with the volume. There is a high level of overhead on the merchant's end with manual systems compared to an automated gateway, which is why you probably don't see more about it - the market is just not there for anyone to really get excited about building a product around it.

Thanks for your reply knelson, that's exactly what I was looking for. My volumes are super low but my tickets are on the high end. I do software and my clients requested a different method of paying rather than sending in a check/wiring money/cash/faxing order. They asked if they could just pay online. And since I already have a merchant account, I figured processing manually would be the way to go. But I just wanted to see if other people were actually doing it. The only qualm I have with E-path, is that I'm certain it's secure but IMO, it's not the most "intelligent" application, (i.e., if you enter XYZ4312 with an exp. date as February 1942, E-path still transacts the info. and there's no "filter" type system that at least tells the customer to enter in at least the right number of digits with an exp. date that hasn't already expired.) I know it doesn't process in real time and you can just laugh at the info when you receive it, but those features should be at least implemented into the application so customers don't laugh when they accidentally enter faulty information and have it accepted on my site. So, I'm on my way to building a compliant, "smarter," secure, info. transacting gateway for my manual processing.

cdgcommerce
03-01-2007, 03:38 PM
Best of luck with your development process on that, Keokie. It sounds like you have a good idea of what you want the end result to be and by developing it yourself you can customize every aspect of it.

On the security side - you can do a lot of things to really lock down the security to help with PCI compliance. Beyond encrypting the data, make sure to segregate your servers to one function each. (i.e. Web or database or firewall but not two or three on the same box).

Make sure to put your database server(s) behind a separate firewall that does not have any customer facing public IP's. Make sure to use encryption for all credit card data and truncate whenever possible. That and make sure you have the latest IDS, virus and o/s/app updates set up on all servers. You will also want to watch out for any programming vulnerabilities like MySQL injection attacks and the like.

And if you do intend to later offer it as a commercial solution - like e-Path - just make sure to build it with all of the PCI guidelines close at hand and then go through the PCI audit process to get it fully certified before releasing it to others.

PCI compliance can be time consuming and expensive but it really is well worth it for any solution.
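
Added example (not part of the original posts, and not e-Path's or any poster's code): a server-side check of the kind keokie asks for, which rejects input such as "XYZ4312" with a 02/1942 expiry before the form accepts it, together with the truncation cdgcommerce recommends. The function names, the 13 to 19 digit length range and the choice to keep only the last four digits are assumptions of this example.

```python
import re
from datetime import date
from typing import List, Optional

# Assumption: accept card numbers of 13 to 19 digits.
PAN_RE = re.compile(r"[0-9]{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            # Doubling a digit above 4 gives two digits; add them (same as minus 9).
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_card_input(number: str, exp_month: int, exp_year: int,
                        today: Optional[date] = None) -> List[str]:
    """Return customer-facing problems; an empty list means the input is well-formed.

    The messages never echo the submitted number, so they are safe to render or log.
    """
    today = today or date.today()
    errors = []
    pan = re.sub(r"[ -]", "", number)  # tolerate spaces and dashes typed by the customer
    if not PAN_RE.fullmatch(pan):
        errors.append("Card number must be 13 to 19 digits.")
    elif not luhn_ok(pan):
        errors.append("Card number is mistyped (checksum failed).")
    if not 1 <= exp_month <= 12:
        errors.append("Expiry month must be between 1 and 12.")
    elif (exp_year, exp_month) < (today.year, today.month):
        # A card remains valid through the last day of its expiry month.
        errors.append("Card has expired.")
    return errors


def truncate_pan(number: str) -> str:
    """Keep only the last four digits for anything stored or displayed.

    Call this only on input that has already passed validate_card_input().
    """
    pan = re.sub(r"[ -]", "", number)
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    today = date(2007, 3, 1)  # constructed "current date" so the run is repeatable
    # Constructed inputs: the widely published Visa test number and keokie's bad entry.
    print(validate_card_input("4111 1111 1111 1111", 12, 2008, today))
    print(validate_card_input("XYZ4312", 2, 1942, today))
    print(truncate_pan("4111 1111 1111 1111"))
```

An empty result only means the entry is well-formed; whether the card is genuine and funded is still decided when the merchant submits it through the merchant account.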

keokie
03-01-2007, 04:01 PM
Best of luck with your development process on that, Keokie. It sounds like you have a good idea of what you want the end result to be and by developing it yourself you can customize every aspect of it.

On the security side - you can do a lot of things to really lock down the security to help with PCI compliance. Beyond encrypting the data, make sure to segregate your servers to one function each. (i.e. Web or database or firewall but not two or three on the same box).

Make sure to put your database server(s) behind a separate firewall that does not have any customer facing public IP's. Make sure to use encryption for all credit card data and truncate whenever possible. That and make sure you have the latest IDS, virus and o/s/app updates set up on all servers. You will also want to watch out for any programming vulnerabilities like MySQL injection attacks and the like.

And if you do intend to later offer it as a commercial solution - like e-Path - just make sure to build it with all of the PCI guidelines close at hand and then go through the PCI audit process to get it fully certified before releasing it to others.

PCI compliance can be time consuming and expensive but it really is well worth it for any solution.


Thanks for the insight/suggestions. Very helpful, indeed! I actually have tons of experience with encryption, server side security and all that fun boring stuff. I do have a great team of engineers/IT staff that will research and do more than needed to fulfill PCI DSS criteria. When I was looking over e-path, I was just thinking to myself "man, I can make it so much better!" As far as a commercial solution, I can't see it taking off since I have competitors like you and paypal in the market. I wouldn't stand a chance. ;)

cdgcommerce
03-01-2007, 04:09 PM
Sure thing, glad the info is helpful.

It sounds to me like you have the right team to get it done as well as a good plan. :)

knelson
03-01-2007, 04:31 PM
...I do software and my clients requested a different method of paying rather than sending in a check/wiring money/cash/faxing order. They asked if they could just pay online. And since I already have a merchant account, I figured processing manually would be the way to go. ...

Not sure how your merchant account is classified right now, but you will need to be categorized to allow the acceptance of "card not present" transactions if you go this way. If you're not set up as MO/TO currently, you'll most likely have to resubmit an application to your merchant account and get a new account. Different risk factors, different rate structure, etc. Be sure to discuss this with your current provider before spending too much time to make sure they're on board with what you're doing.

cloe2002
03-10-2007, 12:30 AM
thank you to everyone again. some wanted to know how things go. well i am very happy with the epath way. i have received six payments so far.
i didn't like the idea of leaving my merchant account on the net for anybody to enter payments into without me knowing. i think that's about as stupid an idea as it gets.
i like being in control of what payments i enter into my merchant account and i REALLY love not having to pay transaction fees. i want to also tell you of any negatives i have found but i have not come into any yet.
thank you to everyone. i think i was very lucky asking for advice in the beginning on this website.

Jumbuck
03-11-2007, 02:03 AM
Hi Cloe,

That's great news. And I'm very happy if I have been of help to you in some way.

Cheers for now

Jumbuck

anon-e-mouse
03-27-2007, 10:25 PM
Is it a coincidence that you and cloe2002 share the same IP?

Jumbuck
03-27-2007, 11:00 PM
I'm not too sure how that could be the case because nobody has access to my computer other than me.

But if you can check IP addresses, cdgcommerce suggested that the poster with an identity of "sssimon" and I are the same person in a previous thread. This has also unnerved me. Can you please check the IP addresses on this one too for me.

Thanks

Jumbuck

cdgcommerce
03-27-2007, 11:52 PM
So - no one has access to your computer except for you but somehow, one of the only other public proponents of e-Path just happens to have been assigned your very same IP?

Interesting...

anon-e-mouse
03-28-2007, 12:41 AM
sssimon is definitely connected to epath.

cdgcommerce
03-28-2007, 12:56 AM
So now Jumbuck - your IP has been the same as the other "proponent" of e-Path and sssimon is connected to it as well.

Maybe it is time you start respecting the forum TOS. I don't think you are fooling anyone on this forum at this point.

anon-e-mouse
03-28-2007, 02:14 AM
Looky here what I found http://www.htmlforums.com/e-commerce/t-accept-credit-cards-on-website-totally-awesome-system-77772.html.

casitecenter
04-02-2007, 11:12 PM
if you are from canada try www.moneris.com that is from TD and royal bank
but be careful of your site security

if you don't have a major company and have a small budget use paypal,
best regards