OT: Virtual terminals

On 27/03/2011 21:47, Justin C wrote: ...

It probably helped that I was changing banks at the time it was set up and HSBC, which has been my personal bank ever since it took over Midland, had been on at me to take my business there for years. However, as you say, 2% is a relatively high rate for card handling through a Merchant account, but it is a lot cheaper than PayPal and it allows me to take telephone orders from new customers who want the goods tomorrow. Of course, if people pay by VISA Debit, Maestro or a couple of other cards, I do much better, as they simply have a fee of 25p per transaction.

...

I had to do it for an online retail business that I sold when I decided almost to retire - the business I have kept on only takes up a few hours a week. It is the reason my web site does not take payments online.

Colin Bignell

Reply to
Nightjar

You might also find that the Ts&Cs forbid you from using such a terminal in a Cardholder Present scenario. In which case you're likely to carry all liability for fraud.

I suppose you could do some silliness like going into the next room and phoning up the customer, but the bank probably wouldn't like that.

Theo

PS. Nothing wrong with a good old VT100 ;-)

Reply to
Theo Markettos

So it bloody well should. Why should the club or its administrators be able to shirk their responsibilities just because someone paid by credit card?

What about all the people who didn't pay by CC? How does your club handle the "major aggravation" in their case?

MBQ

Reply to
Man at B&Q

The cash customers pay /after/ the event (on the day). It is the advance payments that are made by credit card over the telephone that *could* be a liability - not that we intend to fold but....
Reply to
Geo

(so, take with a pinch of salt): Peter Thiel, the founder of PayPal, has stated that PayPal is not a bank because it does not engage in fractional-reserve banking.

They may have a license in Luxembourg, but I doubt going to the UK banking ombudsman with a PayPal complaint will get you any further than an invitation to leave.

This is the problem, it likes people to think it's a bank, and is building its reputation as a financial institution, but it has none of the safeguards and the users of its service are not protected by any of the regulation that protects us when we use a real bank.

I'm not knocking PP, I use it, it's great for ebay transactions, and small online purchases. I just worry that people think it *is* a bank and are not aware that they aren't protected like they are with a real bank.

Justin.

Reply to
Justin C

Nightjar wrote:
> Another poster mentioned the costs of enhanced security, and security

We don't take online payments either, and we've been careful to scrub our database of customer card details. We used to record them so that (at our customer's request) we could just charge orders and send them. Now we have to phone/email on every order (we deal with the same people week in, week out) and take card details each time. It bugs the hell out of our customers, and is a real PITA. However, fines for non-PCI DSS compliance, in the event of your data being compromised, start at 20,000 and claims for losses are unlimited.

I don't see us storing the details of +/-500 being less secure than 52 x transmission of 500 card detail per year by telephone, cell-phone, fax or email.

The hoops to jump through for compliance - users having to authenticate and be logged when they access details of *each* card. Secure databases, attack-tested firewalls, Fort Knox style security. And even if you get compliance certification you have to do it all again next year, and they'll move the goalposts so you have to cough up again. And if you get hacked? Well, it's still your fault. Ho ho effing ho. No, I'm not happy. Sorry to burden you with this, sometimes it helps to get it off your chest.

Justin.

Reply to
Justin C

Unless they have changed the rules again since I sold the e-commerce business, there is nothing to keep you from storing the card number, expiry date and customer name in non-electronic form, such as a card index, which is kept secure. That would only need the customer to provide the verification code each time.

My e-commerce business had a software firewall on the ISP's dedicated server, a hardware firewall at the telephone entry point, another software firewall on our own server and the auditors still managed to find a 'potential insecurity' in the system. It took months to track it down to a little-used sub-routine for remotely updating the hardware firewall.

Colin Bignell

Reply to
Nightjar

I may have been zealous in implementation, but if I got it wrong, well, bang goes my cash flow.

And if we've to call them anyway...

[snip]

It's not just the firewall though, it's the local encryption to stop your staff stealing and selling on the card details[1], password access, and access logging. You either spend a fortune on a customer 'certified' solution, or roll your own and then you still can't get certified as they can't prove what you have is secure enough without spending weeks or months hacking at it at your expense.

I tell you what, you paint that fence, and I'll give you a dozen eggs a week for the next six weeks... plus three chickens if you supply the paint.

Justin.

  1. Because, of course, none of our staff are trustworthy.
Reply to
Justin C

Was there a minimum monthly card turnover limit? And what sort of percentage did they want?

Reply to
John Rumm

We have used google checkout in the past for taking the occasional card payment - however they have got quite expensive now for low volume users.

Reply to
John Rumm

...

There is no minimum. I gave them a forecast of my expected annual card use (£8,000 - most of my customers are on account) and a £200 average transaction value, using a history of accepting cards through another Merchant account. They charge me 2% on credit cards and on Visa Electron, or 25p on other debit cards. Based upon that, I got a 24 month contract, at the end of which the terms will be reviewed, primarily, I am assured, to ensure that I am meeting my forecasts.

The other Merchant account I used charged a minimum of £20 per month, with charges of 1.8% and 25p. However, that was before I split my business and sold off the online retail part, which obviously handled a lot more card transactions.

The bit I have kept is meeting my annual forecast, but it is rather seasonal and it is quite possible to go an entire month without a single card transaction, so a monthly minimum would be inconvenient.

As I mentioned elsewhere, I was changing banks at the time and HSBC had been after me to move my business account to them for years.

Colin Bignell

Reply to
Nightjar

> goes my cash flow.

I found that customers often liked the fact that we didn't hold any of their card details.

If you put any details through a computer then it does get messy. I used to take all online payments through Sage Pay. Even that needs care as only one of the three options they offer was deemed not to involve sensitive data passing through our computers or the ISP's server. Of course, it was the one system that Magento did not support when we started looking at using it and I had to buy a module from someone in Venezuela.

For telephone orders the details were written down before being entered as CNP transactions through a dial up card machine. As soon as the transaction had gone through, the written details were dropped into a cross-cut shredder. That meant that no critical details (or, indeed any card details beyond the type and last four digits of the card number) ever went into our computers, so we did not have to meet any of the encryption, access or logging requirements.

:-)

Colin Bignell

Reply to
Nightjar

That's significantly better than what they said last time I asked them (although that was a few years back). IIRC it was about £50/month for a PDQ machine alone.

Yup, similar case here - may go months without wanting to do a card transaction. (Still, there may be an element of if it were available then it might get used more.)

I wonder if the terms are as good for existing customers?

Reply to
John Rumm

Only had one bounced cheque in 5 years, so not too bad.

Reply to
The Medway Handyman

It's a virtual terminal - it doesn't exist.

The idea is it's all remote, cardholder not present.

I log into my virtual terminal, phone the customer, enter their details into the box on screen & bingo, job done.

Reply to
The Medway Handyman

Do read the caveat from Justin C about the security requirements of the Payment Card Industry Data Security Standard. What you suggest requires sensitive customer data to pass through your computer and that needs very expensive security.

Colin Bignell

Reply to
Nightjar

I am not so sure that it actually does.

When I read up the stuff it was all about 'steps being taken to ensure', 'beyond reasonable' etc etc.

Nowhere did it say that e.g. a computer offline in a locked room, with a pretty unique password, wasn't enough..

Reply to
The Natural Philosopher

Fail.

If your machine has unencrypted/unmasked card numbers on it, you've already breached the PCI DSS standard.

Reply to
Huge
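An added example, not code from anyone in this thread: the two practical pieces behind the last few posts. Nightjar's approach of letting nothing beyond card type and last four digits into the computers is the masking function below, and Huge's point about unmasked numbers already being a breach is the scan function, which finds PAN-shaped digit runs in text and keeps only those that pass the Luhn check, so order numbers and timestamps are not flagged. The order-log lines are constructed for the example; the regex, the 13-19 digit range and the "last four only" mask are my assumptions, not anything the posters specified.

```python
import re

# Constructed sample: the sort of order log a small retailer might keep.
# Line 1: Visa test PAN with spaces.  Line 2: Mastercard test PAN, no spaces.
# Line 3: a 16-digit reference that is NOT a card number (fails Luhn).
SAMPLE_ORDER_LOG = """\
2011-03-27 21:47 order 10432 cust=J.Smith card=4111 1111 1111 1111 exp=09/13 amt=200.00
2011-03-28 09:12 order 10433 cust=A.Jones card=5555555555554444 exp=01/14 amt=48.50
2011-03-28 09:30 order 10434 cust=B.Brown ref=4111111111111112 amt=12.00
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run (assumed PAN shape; adjust for your data).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str):
    """Return the digit-only PANs found in text, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if _is_pan(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is what the poster retained."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if _is_pan(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    hits = find_pans(SAMPLE_ORDER_LOG)
    print(f"{len(hits)} unmasked PAN(s) found")
    print(redact(SAMPLE_ORDER_LOG))
```

Run it against exported databases, spreadsheets, mailbox files and logs before an assessor does; any hit means that file is in scope. The Luhn filter removes most false positives but not all (some reference numbers happen to pass), so treat hits as candidates to check, and remember that the scan only covers plain text, not encrypted or compressed containers.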

AIUI the card numbers are never stored on your PC - only PayPal's.

Reply to
The Medway Handyman

They could however be read by a keylogger (software or hardware) on your PC, which I hope would be a major security consideration. I don't know if such has been found in the wild yet, but a keylogger dongle with embedded wireless/mobile connectivity is technically easy to make. On the back of a PC nobody might notice it for ages.

Nick

Reply to
Nick Leverton
