Currently I plan to have my store accept credit cards without a gateway; I don’t want to charge their credit cards right away. What I want is for them to fill out the checkout form. Then I will manually enter their information into a Virtual Terminal later.
The main reason for this is that I expect transactions to be low in volume, and there will probably be a need for modifications (price adjustments). I am worried, as from reading the FAQ it seems like going without a gateway is bad.
So is this a good way of doing things? What kind of security will my site need in order to accept and charge credit cards in this manner?
You need a security certificate on the site so that the credit card can be encrypted by the browser and passed through the server in an encrypted format.
The computer that it is eventually saved on must not be readable at all from the internet. Passing the credit card numbers from the web server to the computer where they end up must be a one-way process.
Basically, if you aren’t going to use someone else’s gateway, you’d have to build your own. The only question then is how big your programming team is and how experienced they are at building extremely complex applications where you can’t afford even a slight chance of any security breach. You will probably need several staff whose job is simply to constantly monitor the security of the system.
Probably not unless you are properly set up with your own online transactions systems to handle security and legal liability issues. One of the biggest concerns is legal liability should someone be able to steal credit card and other personal details of customers you have stored in your database.
A simpler option could be to consider integrating something like PayPal’s Website Payments Standard into your store. With PayPal, you can use one of their shopping carts or your own customised cart. When the visitor goes to the checkout, they are sent to PayPal’s website with the contents of their cart, and PayPal handles the online payment either through the visitor’s PayPal account or their credit card. PayPal then credits your account with the payment.
With something like PayPal you don’t need to worry about the security and legal issues associated with storing credit card details.
What you are trying to do is extremely complex and expensive – far more so than just extending your merchant account.
There are a few experts on the forums who can explain in more detail, but in short, when you store a credit card your security compliance [PCI] requirements shoot up, way up, to audit-ready levels. All sites taking credit cards directly need some level of PCI practices to be met, but they are fairly minimal for a small-volume site passing the information off [SSL connection, etc.] and thus very manageable. Stored-card systems are anything but, requiring everything from multiple-level databases [i.e. not web accessible] to encryption of data, etc. There are intermediate options, like handing off a card and being given a charge reference to use later, but that’s not applicable here, as your goal is not future charges.
Furthermore, your merchant program likely requires a different agreement to process “card not present” charges. This is to handle the increased fraud and associated management, and while it’s what you want to avoid, you have very likely contractually agreed to only handle card-present transactions with your terminal.
I realize it can be tempting to say “who cares”, but the violations when you are caught are significant and the risk is high: one stolen card used on your site and it’s obvious it was not present for you to swipe.