Liabilities in handling credit card purchases through web site

[WebEngineer]

I am developing a web site for a company that will sell items through the site. They will provide the bank account and credit card handler account (terminology?) to which the site will link for processing payments. We will not store purchaser's account info in our databases - just name, address, etc.

The client is worried about someone being able to drain funds from his bank account through the web site and wants me to be bonded for this reason. How real is the concern? Could someone gain access to his account in this manner? If so, how can I protect against it? I have had someone try to post a fraudulent purchase against my PayPal account (those were all resolved in my favor) but that account is set up to make payments from, whereas the account in the current case could be set up to not allow payments to be drawn.

Any related advice would be greatly appreciated!

[stymiee]

They will provide the bank account and credit card handler account (terminology?) to which the site will link for processing payments.

The account that allows you accept credit card payments is called a "merchant account".

The client is worried about someone being able to drain funds from his bank account through the web site and wants me to be bonded for this reason. How real is the concern? Could someone gain access to his account in this manner? If so, how can I protect against it? I have had someone try to post a fraudulent purchase against my PayPal account (those were all resolved in my favor) but that account is set up to make payments from, whereas the account in the current case could be set up to not allow payments to be drawn.

They're being paranoid (which isn't necessarily a bad thing). Unless you specifically configure their website to do refunds through their website, and there is no reason why you should do this, there is no way anyone can issue themselves a refund. There also is no way for someone to access their bank or merchant account. (If their site gets hacked it may become possible depending on several factors but this is a different issue altogether).

As for dealing with fraud, well, tell them welcome to accepting online payments. Fraud is something every merchant has to deal with and they need to educate themselves on how to prevent it and control it. You can do some programming work to assist them but only if they specifically ask for it (e.g. integrate fraud control tools). You should have no liability if a customer commits fraud.

[jdog]

Hi,

there is actually a chance that your E-Commerce system supports checking out negative amounts and debiting money from your merchant account. This is something you should explicitly check for in the software and the merchant account.

There is a good Google Video about this with a Tech Talk of someone who explains common security issues. According to him, a lot of shops even deliver 4 items, if you check out "-4".

In any case, you should have an indemnity insurance.

HTH, Jochen

[Corey Bryant]

Who is their merchant account processor? You should tell your client to call the merchant account processor to help calm them down. Most of the time, the merchant account processor will be depositing money into their bank account.

It is easier to take money out of a bank account than put money into an account due to the regulations. If your client is worried still, he / she should consider setting up a bank account for this merchant account (I really recommend a separate bank account for PayPal users).

You can also have the client speak with a bank representative on how money is taken out of a bank account. You might even tell your client to consider getting a merchant account from your bank. I don't really recommend this too often (a lot of banks outsource this anyway), but this way, you let the bank deal with this.

The gateways will support the merchant however crediting a consumer (i.e. if the product was returned) so money would then be taken out of the bank account.