osCommerce

Posted

Hi,

I am building an OSC site for someone who is insisting he doesn't want a payment gateway. He doesn't want to pay any charges and says his other online shop (I don't know who built this for him) doesn't use one and he has no charges to pay on that one - he says CC numbers are emailed to him via secure email and he processes them offline, by hand in his office.

I had a look at the other site and it uses something called safe2pay.net.

Is there anything that I can use for OS Commerce that will allow him to process Credit Card numbers offline and won't charge him a fee?

I can see that OSC stores the credit card numbers in the Orders section of admin, but he will need CVV nos too, so I realise you can't store those on a server.

Does anyone have any suggestions please?

Thanks

Allison

Posted

Your friend is probably going to be in BIG, BIG trouble with his bank when they discover what he's doing. Most merchant accounts issued for brick-and-mortar stores are not supposed to be used for eCommerce (much higher fraud rate is reflected in higher charges). I don't understand his assertion that he pays no fees to process credit cards -- if he has some sort of merchant account, he must be paying fees for it somewhere! Maybe the fees are buried in other charges, or lack of interest on the balance, or are a flat fee for a low-volume operation, but they're in there somewhere.

osC comes with a generic credit card module, but the common advice is not to use it -- its security is very poor, and the site will fail any PCI audit. If you want to use a payment gateway and merchant account, you should use a proper one associated with a specific vendor, and follow all the rules. Or, he can use a third-party payment system such as PayPal to handle credit cards, without all the PCI and security hassle.

You are putting yourself at financial risk if you implement an insecure payment system for your friend. Defrauded customers, his bank, or he himself could come after you with a lawsuit (that you failed to inform him of the risk, yadda, yadda, yadda). My suggestion would be to steer clear of any such shortcuts. I've never heard of a legitimate outfit that processes credit card transactions for free!

Posted

Thanks for your advice MrPhil.

I have had a bad feeling about this all along, but I just wanted to make absolutely sure.

I am seeing him tomorrow and he is expecting the site to go live soon but now I have a bit of ammunition so I can tell him his site NEEDS a payment gateway.

I had this argument several times with him but he's not listening. SO frustrating as I need to get the site finished so he can pay me for it!!

Thanks again,

Allison

Posted

I guess you're between the proverbial rock and hard place. Can you get him to at least sign a legal contract that he holds you harmless if his customers or bank come after him for damages due to insecure or fraudulent credit card handling? You warn him in writing that you understand that what he's doing is improper and he takes all responsibility for it. Before springing that on him, express your concern and get him to tell you exactly what he's doing to handle credit cards now. Maybe you misunderstood him? Maybe he doesn't realize he's violating his merchant account agreement? You've got something on him if he refuses to sign, or holds back payment -- you can go to his bank and rat on him. That's the Nuclear Option, but it's possible. I am not a lawyer, so I can't advise you on any specific steps. Just make sure you have some leverage so you can get paid for what work you've done, but don't get yourself in trouble for failing to uphold your end of the contract (refuse to finish the job). Your personal safety has to be considered, too. I suppose you could just keep quiet, do the work he asks for (and get paid), wash your hands of this client, cross your fingers and hope that nothing bad happens to you, and feign ignorance if his bank comes after you. Like I said, you're in an unenviable position. At least with another client, you'll have some knowledge about problem areas.

I tried going to the safe2pay.net site, and can't get in to see what it's about. That doesn't give me the warm fuzzies. There are a number of sites which claim to use "Safe2Pay", but they don't say if it's .net or something else.
