Credit Card Processing

I agree with the last post, whatever it may say.

As for the discussion, US or UK or AU… it doesn’t matter. Storing unencrypted CC details is a no-no. Even storing them encrypted opens you up to potential issues.

This is one of those cases where an SSL certificate simply isn’t any measure of shopping safety, because people like the OP want to go around storing your CC details in clear text on a relatively open DB.

For crying out loud, life isn’t just about YOUR money. People looking to sell online *need* to do it properly.

But .. I did find this:
https://www.instinct.co.nz/e-commerce/

It uses payment gateways other than PayPal..

Right now, the WP-ecommerce plugin (in link quoted above) seems to be the best game in town. It has some nice features, but it’s also a bit cludgy. They have support forums on their site, but it often seems that most questions go unanswered.

They sell commercial versions of the plugin (~$15, with some extra features) and offer (rather expensive) paid support.

It is set up to use PayPal as a gateway, which is really just fine for most small business purposes, because a customer does not need to be a PayPal member to purchase through the gateway — PayPal will accept payments through all of the major credit cards.

The great advantage is that you don’t have to have the huge responsibility and security headache of storing anyone’s financial data in your own database. (Regardless of the legality of doing that — as discussed above — it would be a very stupid thing to do unless you truly knew what you were doing.)

The paid version of WP-ecommerce also has an API thingy for some direct credit card gateways.

This is a pretty complex plugin — more of a mini-application — and the development of the plugin has seemed somewhat unfocused IMO — because, I suspect, they are trying to make this into a viable commercial enterprise and having difficulty allocating their efforts to both the free version and the paid version. That’s just my opinion, however.

Personally, I hope they keep they developing it because it works (mostly) well, and is very promising on the whole. Plus there’s not much competition at this point, so…

Anyway, I think this is what you are looking for.

EDIT: Ah, damn, all that typing and you clearly state that you don’t want a solution that uses PayPal or authorize.net. All right, well, maybe my blather above will be useful to someone looking for similar info, so I’ll just let it stand.

What’s wrong with PayPal? As long as your customer gets his money, what’s the difference? PayPal makes sense because it is trusted and very popular (at least here in the U.S.).

There’s a lot of collective knowledge here in this forum; people would do well to listen to it once in awhile, even if it’s not what they want to hear.

paypal has an air of unprofessionalism about it. It’s strong association with ebay makes it seem like the choice of back-yard flea market hockers everywhere.

… and it is.

it also dilutes your brand and does nothing to mask the fact that you’re offloading your payment processing to a 3rd party. This isn’t trivial to people who are less familiar with what paypal does. All of a sudden they find themselves on another website at the absolute worst moment — when it’s time to hand over their money.

Up to that point they’ve made the decision to trust YOU, now they have to make the decision to trust paypal, and with ebay scams getting so much bad press, only the savvy can be trusted to differentiate.

Beyond that, using paypal absolutely screams “I don’t make enough sales to warrant a better payment gateway” — Is that the message you want to be sending?

It’s not paypal’s fault (except for the huge per-transaction fees)… it’s just a symptom of being the people’s choice at the grass-roots level. Sometimes a little exclusivity and obscurity is a good thing.

You callin me a backyard flea market ho? ??

I never thought of it that way, but for some folks it is a decent solution. And that includes me. But that might be because I’m here in the land of the crass capitalist piggy. And yes, I’ve heard the horror stories of having a bank account linked to PayPal only to find all your money gone and your account frozen because PayPal thought you were somehow playing fast and loose. Maybe I’ve just been fortunate all these years.

But don’t sheeple tend to distrust obscure things?

There’s a great whitepaper here that discusses (from the view of a non profit with a limited budget and an obvious goal of fundraising) various online payment options. Worth a read if you truly want to break away from PayPal. The site requires registration, but other than that, the PDF file (which contains some good although slightly dated info) is free to download.
https://www.idealware.org/donations/

LOL, I would never say such a thing… except while naked.

I love the term sheeple, and I think that sheeple trust men in white coats mostly because they don’t have their own white coat. If they did, they might see through the prestiege and even let a certain amount of familiarity=contempt creep into the equation.

Paypal is so familiar and so reachable to pretty much everyone, that when it comes to running a professonal site, the impression is that if I can sell using paypal on ebay, you using paypal on your website means you’re not much better at this stuff than I am.

It might be subtle psychology and not hugely relevant to the actual transaction, but subtle psychology makes sales — and repeat sales.

Anyway, it has little to do with the bad press for me, and more to do with the branding. I don’t want my customers to “leave” my site to have their payment processed. If paypal ever offer the ability to upload a css file I think it will shift my opinion.

…at that point, even if it has a big honking paypal logo on it, you look more like a paypal partner, than some schmuck selling $3 taiwanese ipod covers.

I’ve rambled on again without really addressing the question… but yeah, I actually do feel like sheeple trust obscure things more than they do familiar ones, precisely because they know their own knowledge/skill level is hugely lacking.

If they know about it, it must be crap, because there’s so much they don’t know.

sorry for bringing up this month old post but you mentioned:

It’s not paypal’s fault (except for the huge per-transaction fees)… it’s just a symptom of being the people’s choice at the grass-roots level.

I don’t see their fees as much different then any other payment processor out there. I use both ECHO and Paypal, ECHO is 2.5%+.$.30 where Paypal is 2.9%+$.30 (both for non swiped, also Paypal doesn’t charge me a $5 monthly fee like ECHO). So that would be a difference of $.40 for a $100 purchase, not much to worry about IMO.

I do not know the laws of individual countries however I doubt there are specific laws dealing with storage of credit card data – laws are written to be much less specific…

That said what most people are more likely referring to is use agreements, just like a EULA. To accept Visa/MasterCard for instance you must accept their merchant agreements which dictate certain security requirements depending on your level of integration. Businesses like PayPal and Protx have a much higher level of security certification to actually store card details…

… On behalf of businesses using them. If you use a shopping cart or follow the APIs to accept card details then process them using PayPal/Protx you cannot store the card details yourself (except excerpts to help returning customers identify one versus another). You don’t need to.

When a transaction reports successful you generally receive a receipt. Store the receipt against the customer’s details. You are often then allowed to pass subsequent transactions back to the gateway (PayPal/Protx) with the original reference to bill that card.

There really is no need to store full card data any more. Last four digits of card number plus expiry month/year are normally sufficient.

Everyone wants to make a buck. Some off the backs of others. That’s free enterprise. People have been sold on the idea of, ” You must have a web Presence”. At any rate, Get a real site. Call Discover, American Express, Visa. If there is money to be made. Do it right. It will take days/weeks to set everything up.
Why would you want to store information? It makes you liable.
Get a ssl, from your host, not some cheezy shared one and do business. Be honest. It will cost.
Get a real website.
I recently downloaded wp shopping cart, and hats off. it works great.
The difference between VPASP or some other site cart on a website and a WordPress blog, well…
I love WordPress. It brings it down to the common man. Kinda like FrontPage. And It creates a market.
Anyway,,,,,,,,,, you decide.
Spend some money and time. (Theirs.)

If you have a proper e-commerce environment (which WP is not, although I guess you could do enough coding to make it like one, but by the time you do all that work oscommerce would be looking better and better), configure it (and the server it’s on) properly, and then use it to pass the CC info DIRECT to your gateway (which your merchant bank set you up with):

a) your security risks are greatly minimized.
b) your store doesn’t need to store the CC info (you’re just responsible for sending it securely back and forth from the customer to the gateway)
c) you can still view your customer’s CC info if need be (to handle a repeat sale over the phone or e-mail if they just say “use the card I used last time”, for example) by logging into your gateway account. No, you won’t have the CVV2, because not even a gateway provider is going to store that (it’s expressly forbidden by the card company’s rules).

Gary

From a consumer pov (since I really haven’t ever setup an e-commerce site) I’m often always glad to read that sites accept Paypal.

Why?

Because there are some shops I will only purchase from once, and I would feel even a slight twinge of concern to know that they had my card details, even though I do trust them enough with my delivery details, who knows really? That’s where Paypal – as the middle-man – comes in, I know that these stores will only receive my payment, and won’t have access to my card details.

It’s relatively easy to semi-integrate e-commercetemplates with WP

Professional e commerce cart, you then have the benefit of front end being WP for search engines and for users.

The cart on its own is functional, and there are endless stores using it – if you’re browsing the web and find a square box in the middle of an index page then that’s ecommerecetemplates, usually going nowhere as there’s not enough content and not enough relationship with the customers

But the combination of WP and ECT is brilliant

Regarding PayPal – I use it to shop online – anywhere and everywhere. I like having guarantees on my purchases, what can I say?

And so many people use Paypal that a merchant would be foolish not to offer it as a payment choice.

Just my $2.00 on the matter! ??

As a credit card processing partner, I can tell you that Visa/MC are requiring PCI compliance and will actually certify that your site meets minimum requirements before issuing a merchant account.

Matt Kettlewell
https://www.kettlewell.net

i rarely say anything, but have to throw my two cents in, since my job requires me to be trained in PCI DSS.

it is funny to hear people making up facts, as well as funny to hear others spout back scanting raves on what the believe to be the law also.

there is no law, as of this writing, that governs the storage of credit card information. the PCI is an independent council of credit card companies. they have guidlines and restrictions. when you sign up to do business with them, you agree to their guidlines and restrictions. but this is not a law. this is a business agreement, between one entity and the PCI. as part of the agreement, you agree to abide by certain guidelines and restrictions, and failing to do so, you agree to accept fines imposed by this independent council. this is not the same as legal fines. they do not have that power or authority. they cannot imprison you or anything. they can make it difficult for you to ever be able to process any form of payment in the future, ever again. but legally, they cannot do anything. you willfully agree to their terms.

if i wanted to store credit card information of people who willfully and knowlinly provided it to me, and never send it for processing, then there is nothing anyone can do, as far as PCI goes. they can’t fine me, they can’t sue me, i’ve never signed an agreement with them. i’m simply storing information that has been willfully and knowingly given to me. there may be other ramifications, but we will ignore that for now. the issue is whether PCI DSS is a law. no it is not a law it is a standard.

in the future, please read all relevant information before blasting someone. or if you don’t fully understand it, just refrain from saying anything. it’s awfully silly to make up lawas that don’t exist.