Securely Sending Credit Card Information

Hi all, I’m building an online store for my work, we don’t want any payment to be taken online but rather their details to be sent to us and we’ll charge the card on dispatch as many of our products are out of stock or unavailable - we can’t have a stock management system, my boss thinks it’s a waste of time.

So basically just looking for some information on the best and most secure way of handling peoples card details.

Well, rule out email straight away, and storing C/Cards in any form of database will just make you a target for hackers. That is unless you have super resources for an IT dept. Amazon do this but look at the resources they have. Somehow I don’t think your company does or you wouldn’t be here asking us because you’d have an office full of IT comrades to discuss this with.

In short, unless you process the payment in real time there isn’t much you can do. Storing people’s card details is a BAD_IDEA and will simply cause you a legal minefield. You’ll also then need to make sure you comply with various data protection laws etc.

Best and most secure way? Don’t.

I’m not being a smart-ass either, meeting the legal requirements to hold someone’s credit card details is beyond most organisations.

A quick search for PCI DSS should be enough to scare you (and your boss) out of it.

If you must, use a third party to manage the payments for you.

Take a look at SagePay’s Token system, it allows you to store the cardholder’s details securely, then (optionally) process the payment at a later date.

Hey chaps, thanks for your message. I know for sure now that there is no way I’ll have anything to do with credit card storage, it’s just too risky. Anthony, looked at your link, that could well be the direction we decide to head, it makes a lot of sense and would be ideal for what we’re needing it for. Is it hard to implement/connect to?

I’m sure you’ll manage it just fine, it has been around long enough to find help from others. Either way, you know where I am if you need me. :wink:

Sorry to interrupt you guys, but I have a question for Anthony about this “SagePay’s Token System”…

I assume you’ve used that thing before, Anthony? If so, does it make the online payment experience more streamlined? In other words, we all know what it’s like to pay for something online: we add something to our cart and then suddenly get whisked away to some PayPal login or something from Yahoo, Ebay, etc., where the actual payment processing begins…

Does that thing you suggest eliminate this inconvenience and provide for the said mom-and-pop website owner to process everything right there and then on their website?

My understanding of the token system is: you make a payment and the card is processed by the gateway provider. If the payment will be recurring, such as a monthly fee, you can request a token from the gateway provider which will act like a credit card so you can process payments every month using the token.

In these situations we recommend Authorize.net CIM for our customers. This allows you to set up a system where you allow your customers to set up credit card and shipment profiles.

Since Authorize.net takes care of the PCI Compliance aspect, all you need to do is implement their API and you’re good to go.

In general since an example with Amazon was provided above, this would allow you to provide a system similar to how they allow you to store credit cards for future purchases.

Hi dude, thanks for the message, very helpful. Further to this thread, I’ve just discovered that my boss does not want to use a Payment Gateway at all, he is not prepared to pay the fees/percentage. We have a card terminal here and he wants us to manually enter their details to incur no extra costs.

Any ideas what the best way forward for this would be?

Sagepay is very easy to integrate to, I’ve done it a few times too.

coxdabd: I believe your options are

  • Use a payment gateway (£20 / mo)
  • Comply with the PCI DSS requirements yourselves
  • Process the cards yourselves without meeting the PCI requirements and face potential fines of £10k+

Page 17 is where the list of requirements starts.

Hey bud, I’m not keen on the idea at all, we do need to use a Payment Gateway and SagePay seems the best way forward, there is always PayPal but I have never used them before, I think SagePay is slightly more ‘classy’ from what I’ve heard. Just hoping I’ll be able to integrate it ok, can’t be too difficult I guess. Thanks for the reply :slight_smile:

Point him to this thread and then suggest he looks into the legalities?

Wow.

Do your research and put a concise case forward for using a gateway; what your boss is asking you to do is illegal. I would guess that if your boss doesn’t want to pay the rather small (in comparison) charges for the gateway, they will not be willing to invest in the systems required to become PCI compliant.

It’s a tough one, but I’d certainly be wary about your personal liability in this endeavour.

If you’ve already got your own merchant account, then the gateway fees are not a lot, WorldPay (whom I’d pick over SagePay - stream of issues since they started out as Protx years ago) for example is £20 per month for something like 1000 transactions off the top of my head. So that’s 2p per transaction. You can do a pre-auth for the full amount, then just authorise the amount you’ll be charging (once you know what is in stock) and release the rest.

As an aside, not having real-time stock levels or reserved stock for the website is going to create a really bad customer experience. It’s certainly no way to drive repeat custom.
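The token-then-charge-on-dispatch pattern discussed above (tokenise the card at the gateway, pre-authorise the full amount, capture only what is in stock and release the rest), as an added toy model that is not code from the thread or from SagePay, WorldPay or Authorize.net. The `Gateway` class is a hypothetical stand-in for the provider’s vault; the merchant side only ever keeps the opaque token and the last four digits, and the final function is a simple check that no full card number ended up in the merchant’s own records.

```python
import secrets

class Gateway:
    """Hypothetical stand-in for the payment provider's card vault and auth API."""
    def __init__(self):
        self._vault = {}   # token -> full card number, lives only at the provider
        self._holds = {}   # token -> amount reserved by a pre-authorisation

    def tokenize(self, pan):
        """Swap the card number for an opaque token; only the provider keeps the PAN."""
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def preauth(self, token, amount):
        if token not in self._vault:
            raise KeyError("unknown token")
        self._holds[token] = amount

    def capture(self, token, amount):
        """Settle the part that is actually in stock and release the remainder."""
        held = self._holds.pop(token)
        if amount > held:
            raise ValueError("capture exceeds pre-authorised amount")
        return {"captured": amount, "released": held - amount}

class MerchantStore:
    """The shop's side: holds orders, but never the card number itself."""
    def __init__(self, gateway):
        self.gw = gateway
        self.orders = {}

    def place_order(self, order_id, pan, total):
        token = self.gw.tokenize(pan)      # hand the PAN off and do not retain it
        self.gw.preauth(token, total)      # reserve the full basket value
        self.orders[order_id] = {"token": token, "last4": pan[-4:], "total": total}
        return token

    def dispatch(self, order_id, in_stock_amount):
        """Charge only for what is shipped; the rest of the hold is released."""
        order = self.orders[order_id]
        return self.gw.capture(order["token"], in_stock_amount)

def merchant_holds_pan(store, pan):
    """Check that the merchant's persisted order data never contains the card number."""
    return any(pan in str(order) for order in store.orders.values())

if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real card.
    gw, shop = Gateway(), MerchantStore(Gateway())
    shop.place_order("A1", "4111111111111111", 100)
    print(shop.dispatch("A1", 60), merchant_holds_pan(shop, "4111111111111111"))
```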

Thanks,

Could you do me a huge favour and PM me one or two of the sites you’ve integrated it on?

I’d like to see how it fits for myself, because processing payment is a big challenge for me too.

It sounds like your boss needs to be “educated” on why it’s a good idea to have a stock management system and to use a third-party payment system.

Clearly, he doesn’t see this from an IT point of view and you need to convince him of that. Plus, he’s already using a CC for his work… so, he’s already paying the percentage from that provider. I’m sure the online one is slightly more expensive but it’s not to a point he should care. Maybe the charge is from 2% to 3%.

You should ask more clarification questions like

  • Why do you think a management system is not needed? Have you used other ones? What didn’t you like or hate?
  • By using a trusted 3rd party payment system, he’ll have a better chance of getting new customers. Tell him, if your DB is ever hacked then your boss is liable for the damage. It has been done before w/ many major stores. He might be dealing w/ the FBI if it does happen. This will lose the integrity of your online store as well.

I know it’s tough to educate your boss or client but you must do this!!! If everything goes to #$@%, guess who’ll get the blame?

I don’t think it’s illegal. I’ve had many mail payments that have a CC form with a reply address. But, you’re right about the second half… he’s being a cheap @ss.

It is illegal if you’re not PCI compliant. :wink: