Some Hazards of Accepting CC Info On One's Own Secure Server
by
Mari Bontrager

Permission is granted to reprint this article in its entirety, provided no reprints are sent in conjunction with unsolicited bulk email, provided no fee or other value is exchanged, provided no changes are made to the article, and provided the author's name, signature lines, and copyright line are printed with the article; except you may change the article's title.

This article was inspired by an email from a subscriber addressing some of the hazards of using one's own secure server to accept credit card payment information. The article referred to in the email is "Accepting Credit Cards with Your Own Secure Server," linked from http://willmaster.com/possibilities/archives/

The email has a lot of information that prudent webmasters will want to consider before making the final decision on how to collect credit card information for sales. There is very little I could add.

"Mal's e-commerce site," mentioned in the email is at http://www.mals-e.com/index.htm

Related articles by Tom Mahoney, the subscriber who sent the email, are at:

http://www.merchant911.org/OWL1.html
http://www.merchant911.org/OWL2.html
http://www.merchant911.org/articles.html

Here is the email:


Good day Will, and a very Happy New Year to you and Mari!

I've been following your newsletter and your site for a year and have gotten invaluable information, some already in use, some filed for the future.

I have no particular issues with your article on accepting credit cards, but I thought I might mention a few things that came to mind as I read it. My perspective is that of founder of Merchant 911 - a merchant advocacy group dedicated to helping e-commerce merchants prevent credit card fraud. I also co-own, with my wife, three on-line businesses which also have a brick and mortar presence in Eastern Pennsylvania.

I cringe whenever I think about all the security issues involved with running an e-commerce site, and the thought of a small merchant accepting cards on their own site sends shudders down my aging back! I think you covered some of these issues quite well, but their importance cannot be overstated.

Quite frankly, I can't imagine what any small merchant would gain by using their own server, no matter how secure, to handle credit card transactions. There is little doubt in my mind that one hacker could wipe out a business with the budget impact, bad publicity, and lawsuits that could result. And of course, there's the fact that the credit card companies would drop - and blacklist - the merchant in a heartbeat. There are more than a few things to consider and it would cost a fortune to bring a site into compliance - most small businesses simply can't afford it! The new security regulations are extremely demanding.

In articles that I have written for Computerworld, SearchHound, and some others, I strongly suggest against 'self managed' credit card transactions. Let someone else deal with the headaches. They are in a much better position to manage the complex programming and legal issues involved. Remember that anyone in the business of handling these transactions must be prepared to deal with the issuers, the acquirers, any third party processors, and the credit card companies themselves.

When budgetary issues are involved, and they usually are, there are free and/or inexpensive services available. Mal's e-commerce site comes to mind because I use them, but I'm sure there are others. Buyers enter their card information and it is stored on the service's machines until the merchant logs in via SSL to pull the credit card data down to their local machine. Since the local machine isn't acting as a server, it is not as likely to be hacked, although I still recommend deleting the data as soon as the transaction is complete.

Related to this, I recommend that low volume merchants don't even go through gateways. Some gateways give them little control over whether or not to accept the order. As you had better be aware, the on-line merchant is ALWAYS held responsible for bad transactions, even though it's the job of the processors to verify the validity of the sale. With the credit card processors and banks netting over $550 Million in chargeback fees in 2000 because they did a poor job of verifying transactions, I'm not about to allow them to make those decisions. I recommend to our members that THEY do the security of their own transactions - running traceroutes, cross referencing addresses and/or phone numbers, and whatever else they feel the need to do to feel confident that the customer is REALLY the card holder of the number presented.

With credit card number generators, stolen card number trading lists, dumpster divers, skimmers, hackers, and all the other ways there are for the fraudsters to get card numbers, I take control of my own fate - I'm not about to leave it in anyone else's hands! I may take a few losses, but at least I feel in control.

Just my thoughts.

Thank you for all the wonderful services that you provide for us webmasters. Keep it coming!

Again, best wishes for a happy and prosperous New Year!

Tom Mahoney
http://www.merchant911.org
Merchants uniting to protect themselves.


Thank you, Tom!

Tom Mahoney's http://www.merchant911.org is a free site. If you accept credit cards at your site, whether on your own secure server or through a gateway, membership there may give you exactly the information you need during a merchant credit card crisis.

Yes, membership is free, too.

By: Will Bontrager

Copyright 2002 Bontrager Connection, LLC
http://willmaster.com/possibilities/
subscribe-possibilities@willmaster.com