
osCommerce

The e-commerce.

I want credit card info sent to my email


jsmith2

Read This .. before deciding to collect cc info online with the purpose of doing manual processing after.
Link to comment

You're in violation of your POS agreement with the card companies. For online transactions you must have an Internet Merchant ID or a bank account with someone like HSBC or Barclays and use their online payment system.

 

If the card companies find out what you are doing then you'll get a visit from a man in a grey suit who will walk away with your POS terminal - and you won't get it back!

 

Vger

Link to comment

I own my POS terminal, lock, stock and barrel. Didn't even buy it from the card processor. No man in a gray suit is going to come and see me. I think that's carrying the scare factor too far.

Link to comment

  • 3 weeks later...
I own my POS terminal, lock, stock and barrel. Didn't even buy it from the card processor. No man in a gray suit is going to come and see me. I think that's carrying the scare factor too far.

 

You are putting your customers at risk and your merchant account will be suspended if they find out how you are getting cc numbers. Do you really want to do that? The POS is incidental....it's the merchant account you need to fear losing.

 

I'd just go through PayPal or Google if you need them to email you their cc numbers.

Link to comment

Joe you are missing the point about the credit card numbers.

 

IT IS AGAINST THE LAW TO HAVE YOUR CUSTOMERS' CREDIT CARD NUMBERS IN SEQUENCE ON YOUR WEBSITE IN ADMIN OR IN AN EMAIL.

It does not matter if you own your terminal, you will not only lose it but all the money you have and will have now and in the future.

Link to comment

Joe you are missing the point about the credit card numbers.

 

IT IS AGAINST THE LAW TO HAVE YOUR CUSTOMERS' CREDIT CARD NUMBERS IN SEQUENCE ON YOUR WEBSITE IN ADMIN OR IN AN EMAIL.

It does not matter if you own your terminal, you will not only lose it but all the money you have and will have now and in the future.

 

Tell me the statute in state or federal law that makes that "AGAINST THE LAW". Please cite the law, state or federal, that states: "you will not only lose it but all the money you have and will have now and in the future".

I am afraid you are overreacting to something that you are not well versed in.

Link to comment

Sending CC info by email is not PCI compliant, and here is some info on what might happen if you do so...

 

 

What Happens If My Business Does Not Become PCI Compliant?

 

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.

 

* Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.

* You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.

* If you do not notify the companies of probable or actual violations or thefts of our customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.

* Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.

Link to comment

Exactly! Far from being against the law, it is only contrary to your agreement with your card processor: "PCI Compliance is a requirement of your contract". They can charge you whatever your contract calls for, but the real intention is to take your merchant account away from you and that is what they will settle for. Besides, they would never prevail in collecting damages in a court of law. I have been PCI compliant for many years. There is an ongoing and continual review of practices and testing of systems by the security company. If a problem is found they have always been very easy to correct.

I can't find a case where a company was fined by their processor and they actually paid the fine. If anyone can document a case like that I would sure like to hear about it and see the literature.

 

Sending CC info by email is not PCI compliant, and here is some info on what might happen if you do so...

 

What Happens If My Business Does Not Become PCI Compliant?

 

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.

 

* Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.

* You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.

* If you do not notify the companies of probable or actual violations or thefts of our customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.

* Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.

Link to comment

Exactly! Far from being against the law, it is only contrary to your agreement with your card processor: "PCI Compliance is a requirement of your contract". They can charge you whatever your contract calls for, but the real intention is to take your merchant account away from you and that is what they will settle for. Besides, they would never prevail in collecting damages in a court of law. I have been PCI compliant for many years. There is an ongoing and continual review of practices and testing of systems by the security company. If a problem is found they have always been very easy to correct.

I can't find a case where a company was fined by their processor and they actually paid the fine. If anyone can document a case like that I would sure like to hear about it and see the literature.

 

Use Google and you will find several documented cases.

Link to comment

Use Google and you will find several documented cases.

I did and I couldn't. I have tried many search terms and combinations of words but I never could come up with anything concrete and relevant. Lots of threats but never a documented case.

Link to comment

Hi Joseph,

 

When I started into the idea of having an online store (to supplement the business I already had) I was in the same position as you - thought I would gather the CC#s somehow via the website (server, e-mail, whatever worked) and submit them through the IVR (telephone) account we already had for credit cards.

 

NOT! I learned better very quickly, with the help of some of the people who have been posting to your question.

 

Laws and possible scare tactics aside, you have a duty of care to your customers not to risk the security of their personal information, including cc#s. They trust you when they give it to you.

 

You are breaching that trust if you let the information reside on an unsecured web server, even for an instant. You are breaching that trust if you transmit it by e-mail (no present e-mail "encryption" is secure enough). I had the clever idea of having 8 digits land on my server, and 8 digits come in my email, but learned that that was no solution either - because if a hacker invaded my site, he or she could also hijack my email - and thus have both pieces.

 

One web designer posted that he had designed an osCommerce site for a customer who wanted this very arrangement - and then she experienced a week when no orders came. She thought there was something wrong with her site, but no - it had been invaded, and all her customers' data from that week stolen.

 

In short, as inconvenient as it is, you must make proper arrangements to have a secure site - SSL for certain - an e-commerce account with your financial services provider - and possibly (your service provider will tell you) completing the "long" questionnaire and having a remote system scan for PCI compliance. I've been through it all in the last month and it went smoothly.

 

Good luck to you,

~Wendy

Link to comment

Let me jump in, pleeeese. I want to do the same thing, except I only want to collect names, addresses, all the info except cc info. That is collected in a confirmation I must make to customers anyways because most of my items are too large for UPS and need a freight quote. No module will do what I need. Shipping from 4 locations. How do I set it to collect the info, including a call back number, and then tell them we will call back to provide them with shipping costs and collect the cc info?

The bank, the merchant people, know I collect numbers on the phone and I'm in total compliance. You just never store numbers at all; keep hard copies the time period they allow, I think it's a week. I pay a higher rate, dudes, because I'm a phone - mail order.

So could someone answer the question please: how do you set up to not collect cc info and skip the gateway auth? I too own a terminal and print out invoices with only the last 4 numbers of the cc.

 

 

Thanks in advance Tony

Link to comment

Let me jump in, pleeeese. I want to do the same thing, except I only want to collect names, addresses, all the info except cc info. That is collected in a confirmation I must make to customers anyways because most of my items are too large for UPS and need a freight quote. No module will do what I need. Shipping from 4 locations. How do I set it to collect the info, including a call back number, and then tell them we will call back to provide them with shipping costs and collect the cc info?

The bank, the merchant people, know I collect numbers on the phone and I'm in total compliance. You just never store numbers at all; keep hard copies the time period they allow, I think it's a week. I pay a higher rate, dudes, because I'm a phone - mail order.

So could someone answer the question please: how do you set up to not collect cc info and skip the gateway auth? I too own a terminal and print out invoices with only the last 4 numbers of the cc.

 

 

Thanks in advance Tony

 

 

There are some different modules available in the contributions section including this one...

Link to comment

Hi Joseph,

you have a duty of care to your customers not to risk the security of their personal information, including cc#s. They trust you when they give it to you.

 

You are breaching that trust if you let the information reside on an unsecured web server

~Wendy

 

It's obvious you did not thoroughly read my previous postings. Nevertheless, thank you for what I am sure is your well-intentioned opinion.

Link to comment

I did and I couldn't. I have tried many search terms and combinations of words but I never could come up with anything concrete and relevant. Lots of threats but never a documented case.

 

You can start off by checking out info about TJX and its data breach...

Link to comment

You can start off by checking out info about TJX and its data breach...

 

Yes, I know about that one. No one was indicted for a crime however and TJX wasn't fined anything. They did reach a monetary settlement, approved by the FTC, with the processing banks in which they admitted to no wrongdoing and created a fund to compensate the processors for a negotiated portion of their expenses. (It's interesting to note that TJX wasn't PCI compliant and now they must maintain compliance.)

 

That's far from the unrealistic doomsday predictions we hear from some: "If the card companies find out what you are doing then you'll get a visit from a man in a grey suit who will walk away with your POS terminal - and you won't get it back!" "account will be suspended if they find out how you are getting cc numbers" "It does not matter if you own your terminal, you will not only lose it but all the money you have and will have now and in the future."

 

That's why I have maintained my PCI compliance for many years now and never had a problem. The point of the whole exercise being, if done correctly you don't need a third party processor. Most people pushing that solution are doing so to earn a referral fee which can be in the hundreds of dollars per successful referral. It's just another racket that breeds on "want to be" merchant's fears and ignorance.

Link to comment

That's why I have maintained my PCI compliance for many years now and never had a problem. The point of the whole exercise being, if done correctly you don't need a third party processor. Most people pushing that solution are doing so to earn a referral fee which can be in the hundreds of dollars per successful referral. It's just another racket that breeds on "want to be" merchant's fears and ignorance.

 

If you are PCI compliant, storing cc info is no problem.

 

The problem is that most of the "posters" in this forum who want to store and/or have cc info are not PCI compliant and secondly they are not interested in spending the time and/or the money required to be PCI compliant.

 

Most are on shared hosting accounts which makes it close to impossible to be PCI compliant in regards to storing cc numbers.

 

Also it's worth mentioning that even if someone is PCI compliant they are not allowed to store the CVV/CVV2/3 digit security code.

Link to comment

If you are PCI compliant, storing cc info is no problem.

 

The problem is that most of the "posters" in this forum who want to store and/or have cc info are not PCI compliant and secondly they are not interested in spending the time and/or the money required to be PCI compliant.

 

Most are on shared hosting accounts which makes it close to impossible to be PCI compliant in regards to storing cc numbers.

 

Also it's worth mentioning that even if someone is PCI compliant they are not allowed to store the CVV/CVV2/3 digit security code.

 

Correct! I am in full agreement with your posting.

Link to comment

Archived

This topic is now archived and is closed to further replies.
