Web Hosting Talk : Web Hosting Main Forums : Ecommerce Hosting & Discussion : Store Credit Cards?

[johnnyb3]

It's a known fact that storing credit card numbers over the internet isn't a good idea, and your customers are suceptible to having their credit card numbers stolen if your security is weak.

If you do store credit card information on your server, what security precuations do you take? Although I have not yet decided for sure, I think I am going to use a third party merchant like 2checkout.com or paysytems.com in order to handle the billing. I don't like the idea of having so much responsibility with such sensitive information.

Is there a way to have a merchant account, yet not have the credit card # on file? For example on the initial transaction you get a transaction ID or something to reference that client, then when you need to charge them you simply send that ID along with the relevant information.

Just trying to figure out what is best for me to do given my current situation. Any input would be greatly appreciated.

Thanks.

[Corey Bryant]

There are a couple of different solutions. I think that most of the third party solutions though will not allow you to store CC numbers.

You can check out cdgcommerce - I do not recommend them but they are also in this forum. They have one system of storing the CC numbers.

I wished I could recommend another company but it is against the TOS of WHT to do so. If you are processing over $1,000 a month - get your own merchant account. If you are doing recurring billing - most gateways provide this. if they charge extra for this - run & find a gateway that does not charge extra.

[4Hosted]

Hi Johnny,

2Checkout supports recurring billing, which simply means the customers signs up for your service and get billed monthly by 2checkout, the funds are then put into your 2checkout account ready for your wire transfer or however you get your payments to yourself.

Best thing about this type of service is that you have no need to ever see or store the customers credit card details as 2checkout do this for you.

Good luck!

[cdgcommerce]

I would advise against storing credit card numbers on your server - it exposes you unnecessarily to various liabilities and business risks.

As Corey mentioned, there are gateways that provide recurring billing for you at no additional cost so you may want to consider those as an option.

There are many ways to handle recurring billing that do not require the local storage of cards and so I'd suggest pursuing some alternatives to that end.

[Mark_TVI]

I may be wrong here but I think the Credit Card companies have strict guidelines that must be adhered to when storing numbers for recurring billing. I'd be very careful going down that path.

I can recommend cdgcommerce for you to look at, I've been using them for a little while now. They have a few different solutions, one of which will most likely be able to fit your exact needs....

[johnnyb3]

You seemed to miss my point. I don't want to store credit card numbers on my server. My question is if there is any way to have a merchant account and have them store the data on the gateway's server, or something that would allow me to transact without storing their number.

[Corey Bryant]

Yes there are ways to store them on either the gateway or another secure server to be accessed by your application.

[johnnyb3]

Thanks for your responses .

Do you know a gateway that supports this? Right now I have e-onlinedata + authorize but I'm not quite sure they have anything setup like this.

I jsut want to have the merchant account without the liabilty of having to store credit card information.

[cdgcommerce]

There are a number of gateways that support the remote storage of credit card numbers that are CISP-compliant and which also provide recurring billing functionality.

Specifically, Authorize.Net, eProcessingNetwork and Plug-N-Pay are three such options and there are also others as well which other different options with respect to the same.

Any of those options or some of the other ones mentioned in this and other forum threads will allow you to securely process your credit card transactions without any requirement whatsoever to maintain or store credit card data yourself.

[stdunbar]

Quote:

There are a number of gateways that support the remote storage of credit card numbers that are CISP-compliant and which also provide recurring billing functionality.

Where can I learn more about this kind of thing? Merchant Accounts 4 Less doesn't have docs for their API online. I've dug through the API for authorize.net and don't see how to do this. They seem to always want the CC number.

I'd assume that you need to exchange some key with the provider and you give them that instead of the CC.

Do returning customers tend to get upset when they have to reenter the same CC information? I know that part of me likes it when they already know it but the paranoid part of me doesn't.

I had been going down the path of an elaborate encryption system to store CC numbers in my database. I'm beginning to rethink that but haven't come up with an acceptable solution.

Any thoughts or feedback would be most welcome.

[Corey Bryant]

Check out: http://www.linkpoint.com/internet_home/index.html for the documents that you require. LinkPoint will set you up with a test store if need be.

The way that my programmer explained it - you need an account with authorizenet.com to do any type of testing. Fortunately, we knew someone that was willing to give us her user name / passwords to make sure we were connected with them.

The members that we have right now - about 45% store their CC numbers. The others enter them in when they come in. This number is up by about 5& within the last month actually

[brevig]

Quote:

Originally posted by johnnyb3
Thanks for your responses .

Do you know a gateway that supports this? Right now I have e-onlinedata + authorize but I'm not quite sure they have anything setup like this.

I jsut want to have the merchant account without the liabilty of having to store credit card information.

CDGcommerce has CDGvault. It will do *exactly* what you want. You pass the credit card info onto it, and it retains it for you, off your servers. You can reference the card later on their database by using a unique identifier. This way, you have the ability to store cards remotely and still charge them later.

I, for some reason, feel very strongly about this. Our board of directors spent much time in discussion as to how to process credit cards and maintain regulatory compliance (as in, we didn't want to store the credit cards on our servers).

Finding CDGcommerce and CDGvault has been a very happy moment in my life, seriously.

It would not be right, though, if I did not state the following: I believe both corybryant, as well as CDGcommerce, offer similar soluctions to what you need (CDGcommerce being CDGvault). Because of WHT rules, they aren't exactly able to come out and say "Yes! I have what you need!". I would suggest contacting both companies away from the board and they can assist you further. I, personally, have only dealt with CDGcommerce and have enjoyed my experience thus far.

Richard

[brevig]

Quote:

Originally posted by stdunbar
Where can I learn more about this kind of thing?

Contact coreybryant or CDGcommerce off the board.

Quote:

I've dug through the API for authorize.net and don't see how to do this.

To the best of my knowledge, they do not support what you desire.

Quote:

I'd assume that you need to exchange some key with the provider and you give them that instead of the CC.

This is correct.

Quote:

Do returning customers tend to get upset when they have to reenter the same CC information?

I personally find it annoying. Wouldn't you be annoyed if you had to enter your CC info every time you went to order a book from Amazon?

Quote:

I had been going down the path of an elaborate encryption system to store CC numbers in my database. I'm beginning to rethink that but haven't come up with an acceptable solution.

Don't store the info on your server, use a remote system.

ELSE:

I don't believe LinkPoint would adequately do the remote storage as described, and as I would desire myself. The closest I could find was:

"LinkPoint API allows your merchants to create a recurring billing system for memberships, subscriptions and other periodic billing purposes"

Recurring billing and remote CC storage are 100% different. I may have missed something somewhere else on the site, however.

Richard

[johnnyb3]

Just noticed Authorize.net's Automated Recurring Billing feature, which seems to fit my needs pretty well (they store the credit cards and bill the client regularly). I will also look into the other services you mentioned.

Thanks.

[Corey Bryant]

Most gateways support recurring billing - which is different than storing the CCs.
One thing - recurring billing should be free. Do not pay extra for this service.