  1. #1

    Can Credit Card Numbers Be Electronically Transferred?

    Can Credit Card Numbers Be Electronically Transferred? Well... I know it's possible. Is it legal and acceptable? If so... what security measures are required or recommended? I'm working with an Amish fellow who wants to sell his goods online. However, he does not want orders processed online. He wants the orders to be sent to him through an Email to Fax program. Orders will then be placed manually.

    Any advice?

  2. #2
    Force Flow
    Originally Posted by Tussy:
    > However, he does not want orders processed online. He wants the orders to be sent to him through an Email to Fax program. Orders will then be placed manually.
    >
    > Any advice?

    Email and fax are inherently insecure for transmitting credit card numbers.

    If you process credit card numbers, you will have to be PCI compliant.

    http://en.wikipedia.org/wiki/Payment...urity_Standard

  3. #3
    Originally Posted by Force Flow:
    > Email and fax are inherently insecure for transmitting credit card numbers.
    >
    > If you process credit card numbers, you will have to be PCI compliant.
    >
    > http://en.wikipedia.org/wiki/Payment...urity_Standard

    Put simply, it is simply insane to store cards locally unless the business has significant volume and a very special need.

    Even forgetting PCI, merchant providers still require an internet order be run as such... no thumbing it in to a POS system.
    - Ted S

  4. #4
    That's pretty much what I expected. Improper PCI-DSS could result in fines as well as a loss of merchant account. The fellow seems pretty determined to manage his sales this way. While I can advise against it, if it comes to losing the account, will I personally be penalized for setting him up?

  5. #5
    felgall
    Originally Posted by Tussy:
    > Will I personally be penalized for setting him up?

    If he takes you to court to try to recover some of the huge amount it eventually costs him, then even though you will probably win, you will still end up having to pay quite a bit in legal fees. Best not to help someone do something illegal like that in the first place.
    Stephen J Chapman


  6. #6
    Ah... so is it illegal? If it's bad practice that's one thing... if it's illegal that's another.

    Perhaps the most ethical and mutually beneficial solution may be... to work out an arrangement where I manage the e-commerce aspect of his business... I could set up and use my own merchant account to help facilitate and fulfill online orders.

  7. #7
    felgall
    Originally Posted by Tussy:
    > I could set up and use my own merchant account to help facilitate and fulfill online orders.

    Setting up a fully compliant merchant facility is expensive - that's why most sites actually make use of a third party merchant facility. Apart from not having to spend huge amounts of money on setting up a PCI compliant system you also avoid all the risk of being fined if someone finds a hole in your security and manages to obtain any of the credit card numbers as the third party provider you use would be the one taking that risk.

    Many banks and a number of other large financial companies offer access to use their payment processor for the processing of online credit card orders. It would just be a matter of finding one that doesn't charge an excessive fee.

    Perhaps the easiest way to explain the problem to your client is to explain that one of the conditions for processing credit card orders is that the numbers are not allowed to be stored on a computer that is connected to the internet. As emails are stored on computers attached to the internet they must never contain credit card numbers. If someone were to send their credit card number by email and it was then used by someone else to make purchases then the only person that the card owner would have any chance at all of getting compensated for the loss from would be the person who convinced them to send their email address by email in the first place. The card issuer accepts no responsibility and prohibits such use of credit cards that they issue.
    Stephen J Chapman


