e-Commerce Talk Forums Australia

wow first in this forum. nice.

i have a merchant account and want to activate my zen carts inbuilt credit card module for offline processing of credit cards. i am a bit hesitant because of the new pci rules. has anyone got the drum on this? is it allowed?

Thanks

It is my understanding that the only offline credit card processing systems available right now which are authorised by the new PCI-DSS legislations are http://e-path.com.au

(BTW: other than being a very satisfied customer of E-Path I am not at all financially entwined with either of these businesses)

thanks for the tip bio-dex. my bank has said no to this sort of way before but i will try again with that epath.

simon

I am glad that I could be of some meagre assistance. If you need any further help please feel free to give me a call

Just read this thread. Very interesting. Thanks for the heads up Biodex, sounds promising.

Thanks again

Nigel

My pleasure mate.

As always, if you have any further questions I would be most happy to chat with you about them.

sime26 wrote:i have a merchant account and want to activate my zen carts inbuilt credit card module for offline processing of credit cards. i am a bit hesitant because of the new pci rules. has anyone got the drum on this? is it allowed?

mate, don't even think about this without your site being PCI compliant. You CAN NOT store credit card details without your site being PCI compliant. Its so illegal its not funny and you will get hammered if you get caught.

way to go.

i checked with my bank and everyone is right about the rules. i am not allowed to do this without using a proper pci approved way.

they gave e-Path mob the thumbs up - the only manual way they approve.

thanks bio

Our pleasure

Let us know how you get on with E-Path.

hey Bio-Dex. What is your deal with advertising epath and payecom in every second posting of yours???

Do you have shares in them or something?

The thread of this conversation is about E-Path Micky, therefore it is ON TOPIC to be discussing it. And as he has said that he is going to be going and talking to them, I am interested to see how his experiences goes and what impact it has on his online business.

Just curious, at the end of the day how do you process the credit card payments? Do you get the card details from the offline gateway and punch them through the EFTPOS device?

Generally that is the plan yes.

I thought banks don't like this. I knew one bank asking all their merchants who are processing card-not-present transactions only through the EFTPOS, to apply for real-time gateway, because, even if the card details are stored in a PCI Compliant gateway, they are exposed to the merchant and their employees.

Also, in merchant's point of view, why process the transaction manually, when there is an option of automating it.

If you want to vet the orders and check them (if the stock is available or the order is genuine) before processing then there is point in storing the card details and storing them manually. Even for this you can use some technique called triggered payment.

duk wrote:I thought banks don't like this. I knew one bank asking all their merchants who are processing card-not-present transactions only through the EFTPOS, to apply for real-time gateway, because, even if the card details are stored in a PCI Compliant gateway, they are exposed to the merchant and their employees.

The vast majority of credit card theft comes from the interent. Hackers are getting good.

But when stuff is not stored online then its got to be safer, like when you hand your card to the restarant owner. Not much of a risk when its with the shop or restaurant owner, but a huge risk if your credit card details are permanently stored online.

I thnk people prefer to put their credit card details with the merchant account owner instead of it being permanently stored online in some online payment gateway's systems even when it is PCI compliant. PCI compliance is no guarantee of protection. The largest breach in e-commerce history where tens of milions of credit cards were stolen was from a PCI compliant real time payment gateway processor:

Check out: Heartland data breach proves PCI compliance is not enough

duk wrote:Also, in merchant's point of view, why process the transaction manually, when there is an option of automating it.

To easily identify when a fake transaction is attempted then to delete it so it doesn't get passed first base. So to answer your question, its all about preventing fraud and saving yourself from what could be huge cost.

There'as also a lot of people out there that don't want orders and credit cards charged online right away without them knowing about it. Some business owners like to have control. I do.

But I agree with you for businesses doing hgh transaction numbers a day. The real time system's automation is the only way to go.

duk wrote:If you want to vet the orders and check them (if the stock is available or the order is genuine) before processing then there is point in storing the card details and storing them manually. Even for this you can use some technique called triggered payment.

So the triggered payment technique sounds like its doing little more than emulating the manual payment gateway anyway, except that a manual payment gateway is a fair bit cheaper and you are not letting your customers credit card and identity details be permanently stored online in some online payment gateway's storage device. I know you will disagreee but stopping sensitive credit card and identity data from being stored online and removing it away from all the hackers and cyber-crooks I believe is a massive security advantage.

Over these last two weeks I've looked into things heaps, mainly because of what I've been reading about the new PCI DSS. And from where I stand if you are serious about protecting yourself and your cardholders then the manual payment gateways are the only way to go.

mAx

Have to agree with Max210 on this one.

Doing things manually gives a huge advantage in stopping credit card fraud which can save the average business a mint. But I can see how some banks may not be happy about their merchants not becoming victims of fraud because they won't be able to charge them charge back fees.

Things look like to be changing now. The average business is fed up with money being taken out of their account because the automatic online charge done the week before through their real time gateway now suddenly turns out was a fraudulent one. I think doing things manually has some real advantages.

To suggest banks are deliberately trying to continue earning charge back fees is about the most stupidest thing I have heard.

I happen to know a little about this and I can tell you you are WRONG. Some banks are still coming to grips with these new manual payment gateways. There is nothing sinister about it. They are new so what do you expect.

A bank has a vested interest in lowering its exposure to risk when supplying merchant account services and it so happens the manual gateway method is starting to be recognised as a viable solution in helping to lower risk FRACTIONALLY - It is NOT a "fantastic magic bullet" solution to ending fraud as some of you think. You are still dealing with card not present transaction risks, nothing changes that.

But to say banks are deliberately trying to protect charge back revenue is one of the most intellectually inept comments I have heard in a long time.

Thank you

Hey Bio Dex - since you are such an active participant here and you provided contact details just had a look at your website. How come so many of your pages including contact page don't work or don't have any info on them. Looks rather shonky ! Perhaps you should spend less time on this forum and more time on the "mission critical" tasks your site referred to.

The reason for that is the site to which you were pointed is actively under reconstruction right now. As in while we speak.

But thankyou for pointing out that we had forgotten to reset the "site offline due to maintenance" setting.

Mal wrote:To suggest banks are deliberately trying to continue earning charge back fees is about the most stupidest thing I have heard.

I happen to know a little about this and I can tell you you are WRONG. Some banks are still coming to grips with these new manual payment gateways. There is nothing sinister about it. They are new so what do you expect.

A bank has a vested interest in lowering its exposure to risk when supplying merchant account services and it so happens the manual gateway method is starting to be recognised as a viable solution in helping to lower risk FRACTIONALLY - It is NOT a "fantastic magic bullet" solution to ending fraud as some of you think. You are still dealing with card not present transaction risks, nothing changes that.

But to say banks are deliberately trying to protect charge back revenue is one of the most intellectually inept comments I have heard in a long time.

Thank you

Nice explanation but for me if something comes along and the result is you can completely eliminate fraud - and stop yourself from ever experience financial loss because of fraud, then if that's not a magic bullet I'd like to know what is???

Max210