Of the 3 payment gateways that I have experience of (WorldPay, PayPal and Google Checkout), all have the option to use what's called "Authorize and Capture", which means that you can perform your own verification checks, based on the buyer's data (name, address, telephone number), before accepting the order.
With WorldPay, you have to contact support and ask for this method to be enabled on your account. Google Checkout is auth/capture by default (you can override it on the Settings > Preferences page), and instructions for PayPal are here:
You don't have to use a gateway if you don't feel it's necessary. With an average ticket in that range it's probably safe to assume that you won't have a high volume of orders (?), making it feasible to devote personal attention to each order. Human intervention will always be the best weapon you have against fraud.
You can utilize a table-top terminal, processing software, or even use the virtual terminal portion that most popular gateways offer to manually enter credit card information.
I've had a few clients with tickets in this range and I'd also recommend that you require your customers to sign and return a document that clearly states your sales procedures and expectations. Having a detailed document that clearly defines the procedure and is signed by the customer helps the bank's dispute department immensely.
You can do a pre-auth for the amount. This will guarantee the amount for a certain time (usually 3-4 days). During this time, fax / email them an authorization.
As a consumer, I would expect this. And maybe even consider recording your phone calls. This would help as well.
"Once I've completed the verification, and received authorization for the transaction (via either the terminal or payment gateway) I would delete the CC info from my database."
This is a bad error, as by law you have to keep the card on file for at least 2 years.
Let's say you do all the above and you delete the card info and they do a chargeback: how are you going to find the customer if you don't have the card number to go along with them, or how will you do a refund?
Trying to do online selling and using a terminal won't work either. You either have to swipe the card (cheaper %) or punch in the numbers same as online (more expensive) and same as internet sales.
If you do all the above checking you can use an online processor, as before the card is processed we can check to make sure all is OK. An online charge is not completed until I run the order; that charges the card, and up until then I am just authorized to make the charge.
If there is anything fishy we call the customer and make sure it is OK after we do an address check etc.
I would strongly advise you not to try to do it your way; there is just too much you're not aware of, and it will come back to burn you.
Get a good online processor. I use cardservice, but you choose, or take suggestions.
|Trying to do online selling and using a terminal won't work either. |
A terminal can perform the exact same verification processes as any gateway and doesn't carry the additional per transaction and monthly fees associated with online processing.
I'm an advocate for all types of processing - I think electronic commerce is great, but don't discount an option that may be the most viable simply because it's not the most technologically advanced.
When considering processing options a merchant should always calculate their all-inclusive fee from the various charges they will incur on a monthly basis. This overall amount should be reflected as a percentage of NET profit.
If druidjaidan is going to process two transactions a month there is simply no justification for additional monthly gateway and transaction fees.
|and primary signature required only shipping (also only ship to a billing address |
This can present a few problems.
1 - very often people have an order shipped to their workplace because nobody is at home to sign for their packages
2 - what if their credit card company has a billing address that is a PO Box? How do you plan on shipping large expensive items to a little PO Box via UPS or FedEx?
3 - what if somebody orders your product for a gift and wants it directly shipped to the recipient?
The reason why is that when you begin the sign-up process for a merchant account you are asked whether you will be swiping the cards or typing in the numbers.
Swiping means card in hand
Typing means over the phone or internet, as they are the same.
You have to have one or the other and can't do both on the same terminal.
Now I know on the older terminal versions you can do both type and swipe, but the new ones won't allow this.
|Swiping means card in hand |
Wow, after ten years in the industry I'm glad that someone finally cleared that one up for me ;)
bwnbwn, I think you're missing my point. Allow me to clarify.
Each merchant situation is different. In this particular situation it looks like there's a merchant that will be processing large tickets with low transaction volume. Earlier I said:
|Human-intervention will always be the best weapon you have against fraud |
In keeping with this view-point and the processing profile of this merchant a CNP account loaded into a terminal is clearly a viable and arguably the best option.
There is no need for multiple account types here.
I know of multiple high-profile hosting companies and e-commerce merchants that, for the very reason of combating fraud, manually process transactions either through a virtual or counter-top terminal application.
Soooooo many in MLS these days don't use their head when looking at a merchant's needs. Instead, they want to go with what they're most comfortable with or with what pays best in the short run on commission.
|Also I'd want to do a CVV verification also as I submit the order, depending on which method I used above...would I be able to do that? |
I don't think you're allowed to store the CVV number--it can only be used for real-time CC processing. That's been my understanding anyway.
You are absolutely NOT allowed to store the CVV. The whole security of the CVV system turns on it not being retained anywhere any longer than is needed to pass it up the food chain.
Want the VISA Council to send in the heavies?
|This is a bad error as by Law you have to <snip>. |
I imagine the law is different for each country. WebmasterWorld has a varied audience from all over the world. "I read it in a web forum" isn't a proper legal defense in any jurisdiction.
When it comes to legal advice, ask a lawyer or solicitor.*
*Different countries even have different names for their legal experts. ;)
|You have to have either or and can't do both on the same terminal....Typing means over the phone or internet as they are the same. |
Then explain why our offline terminal, barely two years old, has both a swipe-slot and a keypad, why they charge differently for CP/CNP on that terminal, and why our contract explicitly outlines the number of limbs that will be lopped off if we use the offline terminal to process credit cards captured on the Internet.
Mine as well has a swipe and a keypad.
After the card is inserted I am prompted to enter the last 4 digits of the cc; other than that mine will not allow credit cards to be input by the keypad.
I assume you have taken a cc and input the numbers and exp date in this machine by typing them in and it processed the order?
How else would one do a phone-in order? :-)
I'm sure it's specific to the merchant account, but all the ones we looked into prior to committing to a contract (which is another consideration, how long are you in for once you sign) wanted tons more for an account that also allowed Internet orders. In addition, they wanted to dictate precisely which gateways we could use - except they worded it as "which ones were supported." :-)
In the end, it was just cheaper to keep the in-store account and set up an account with a competitive online merchant account provider for Internet sales.
Just wanted to make sure, so these phone-in orders are coming from people finding your site from the internet?
Well, *some* people call in finding the site from the Internet. "I don't want to put my credit card in the Internet." Our response is that the payment gateway is secure, there's less possibility for error, the entire order is easily documented if they just use the shopping cart, and most importantly it calculates shipping on the fly and we would have to take the info, get the shipping, and return a call to collect the CC info - all of which causes delay and takes US time, so we have to add a surcharge for manual entry. Most of the time, they understand and use the shopping cart. (No flat rate shipping, all shipping is actual + S & H fee.)
If they are persistent, yes, she takes the order via phone by inputting the data into the terminal directly. She doesn't even write it down - she does this during the call back after getting the total shipping. For refunds, same deal - she gets the CC info and inputs it directly with the customer on the phone.
So to answer the question, about 50% of "phone in orders" are from the Internet and are processed manually, and this is very infrequent. Just to clarify, I reviewed her contract re: "must store CC info for two years," and both of our contracts explicitly state we do not store credit card info in any form. I see this statement coming up often here, and seems a little confusing - I am presuming this is for PCI compliant businesses/processors that actually store CC info.
You are performing charges that are supposed to be done on the net or through an internet gateway. Now she may be using a type-in pad that is connected to your gateway account; if that is the case the cc's are being stored there for future reference. If not, you are violating your merchant account and it could come back to burn you.
I am required to keep a copy of the charge in my store front (US), so if there is a chargeback I can pull the copy. If there is a refund I can pull the code from the charge off the ticket and issue the refund through my machine using this signed ticket. If I have a chargeback and I don't have a copy of this ticket I am done and have lost that money.
On the net the cards are stored by your card processor so you can do refunds etc. on orders that have been placed off my website.
We as well do call in orders but only through our internet gateway account.
You are the one that knows your business, but if you don't keep the cc numbers how do you issue a refund for an item that may be defective when the customer gets it and wants their money back, say, a week later?
How do you look up a chargeback that may have taken place 2 months ago and fight the chargeback?
|You are performing charges that are suppose to be done on the net or through a internet gateway. |
Not at all. Internet orders are placed on the Internet. Phone orders are placed in the store. They are two distinct and independent merchant accounts and there is no connection between them. Granted, we could use the processor interface as a terminal but we don't.
|about 50% of "phone in orders" are from the Internet |
In case it's not clear, this means someone came to the web site, got our phone number, and called in. At that point it's not an Internet transaction - no data is entered into our website at all. It's the same as someone walking in the store, with the exception of CNP. In either case, we store nothing. This is how we were instructed to manage transactions.
We've had **one** chargeback in over two years - for a bounced check in the store. But in expectation of the inevitable, our processor has informed us how: we manage it by logging in to the offline account's bank site and manage it from there. We never have to touch the CC info. As for refunds placed on these orders - previously answered.
This is all very compelling, and has prompted me to dust off her contracts. As time allows I will place some calls - but it seems the MAP doesn't seem very knowledgeable either. :-)
Thanks, your answers have me looking at the way we do phone-in orders as well.
CVV is the biggest load of nonsense in the history of fraud prevention.
OK, it might limit the absolutely TINY proportion of credit card fraud that originates from numbers stolen from a database, but as most stolen credit card details are not sourced in this way the CVV is simply traded along with the other card details.
|In either case, we store nothing. |
bwnbwn, a slight update on this after talking it over with my wife. It's actually her business, I am just the web guy but daily seek new information and do all I can to "watch her back."
She does keep the receipts from the in-store terminal transactions. They DO contain the CC number. These are stored off-site (physically, meaning not in the B & M store) and she keeps them largely for tax purposes. So I suppose in respect to "storing information" these are kept and stored, but are the only storage, we do not store this data digitally. In reviewing the PCI compliance outlines in respect to security, we just need to move them from the off-site location to our safe deposit box. <sigh, another task>
|I want to take CC information from customers at the time of order, place the information into a database. Manually call for name/address/phone number verification to their credit card company. |
You should store NO CC information, just to protect your customers, and you absolutely can't store CVV. I only record the sale information and let the payment processor hold the credit card information so I'm never at risk of being breached for CCs and my customers' data is as safe as possible, assuming the payment processor is secure.
Besides, why assume the majority of your transactions are frauds?
Assume most of them are GOOD, go ahead and manually verify and simply VOID/REFUND those that turn out to be bogus. You'll save a ton of time and money not manually processing credit cards as well as making the phone calls, and you'll have none of those credit card #s laying around for the taking.
FWIW, always check the IP address of the person that placed the order with GeoIP because an IP from Nigeria ordering for the Bronx, as an example, probably isn't legit.
[edited by: incrediBILL at 5:32 pm (utc) on Aug. 28, 2007]
|...any merchant with that much validation would be untouchable. |
Wishful thinking. You will pretty much always lose. The key is to make sure the customer is legit before shipping. Even if you ship to the confirmed address with a signature, all the customer has to do is sign a different name than the card has and you lose the chargeback. How do you prevent that?
The system is set up for merchant failure with any chargeback. You need to budget for an acceptable amount of loss.
After that make company policies that will reduce fraud (i.e. no shipping to freight forwarders, no shipping to certain countries, phone call to customer to confirm identity before shipping, etc.) Those will do more for fraud prevention than any credit card terminal.
For large CC orders I would get a faxed copy of someones credit card, drivers license and/or passport. Most customers like to help. Call customers to verify their info on large orders. On shipments of suspicious orders, request a signature upon delivery.
At a 25% profit margin, $1k in fraud is worth $4k in new sales. And CC processing companies couldn't care less about fraud - they are paid regardless. Take it upon yourself to verify orders.
[edited by: iblaine at 6:14 pm (utc) on Aug. 28, 2007]
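The manual screening rules the last few posts describe (incrediBILL's GeoIP check of the order IP against the ship-to country, iblaine's no-freight-forwarder and blocked-country policies, a phone call to the customer on large tickets, and the point that a ship-to address that differs from the billing address is a signal rather than a rejection) as one routine. This is an added example, not code posted by anyone in the thread. The GeoIP table is a constructed dictionary over the RFC 5737 documentation ranges with made-up country labels, and the thresholds, blocked countries and forwarder keywords are hypothetical policy values; a real deployment would back `geoip_country` with a GeoIP database and tune the numbers to its own loss budget.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample GeoIP table (CIDR -> ISO country code). These are the
# RFC 5737 documentation ranges with made-up country labels; a real deployment
# would query a GeoIP database instead of this dict.
SAMPLE_GEOIP = {
    "203.0.113.0/24": "NG",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "GB",
}

# Hypothetical merchant policy values; tune to your own loss budget.
BLOCKED_SHIP_COUNTRIES = {"NG", "GH"}
FREIGHT_FORWARDER_KEYWORDS = ("freight", "forwarding", "reship", "consolidat")
CALL_THRESHOLD = 500.00    # phone the customer above this amount
WIRE_THRESHOLD = 5000.00   # card not accepted above this amount; require a wire


@dataclass
class Order:
    amount: float
    ip: str
    billing_country: str
    shipping_country: str
    shipping_address: str
    name_on_card: str
    shipping_name: str


def geoip_country(ip, table=SAMPLE_GEOIP):
    """Return the country code for ip, or None if no prefix in the table matches."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in table.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def screen_order(order, table=SAMPLE_GEOIP):
    """Apply the manual-review rules and return (decision, flags).

    decision is one of: "ship", "review", "call_customer", "require_wire", "reject".
    """
    flags = []

    ip_cc = geoip_country(order.ip, table)
    if ip_cc is None:
        flags.append("ip_country_unknown")
    elif ip_cc not in (order.billing_country, order.shipping_country):
        flags.append(f"ip_country_mismatch:{ip_cc}")

    if order.shipping_country in BLOCKED_SHIP_COUNTRIES:
        flags.append("blocked_ship_country")

    addr = order.shipping_address.lower()
    if any(k in addr for k in FREIGHT_FORWARDER_KEYWORDS):
        flags.append("freight_forwarder")

    # Ship-to differing from bill-to is a signal, not a rejection: workplaces,
    # PO-box billing addresses and gifts are all legitimate reasons.
    if order.shipping_country != order.billing_country:
        flags.append("ship_to_differs_from_bill_to")
    if order.name_on_card.strip().lower() != order.shipping_name.strip().lower():
        flags.append("recipient_name_differs")

    if order.amount > WIRE_THRESHOLD:
        return "require_wire", flags
    if "blocked_ship_country" in flags or "freight_forwarder" in flags:
        return "reject", flags
    if any(f.startswith("ip_country_mismatch") for f in flags) or order.amount > CALL_THRESHOLD:
        return "call_customer", flags
    if flags:
        return "review", flags
    return "ship", flags


if __name__ == "__main__":
    # Constructed order matching the "IP from Nigeria, shipping to the Bronx" case.
    suspicious = Order(300.00, "203.0.113.5", "US", "US",
                       "123 Grand Concourse, Bronx, NY", "Jane Doe", "Jane Doe")
    print(screen_order(suspicious))
```

The decision ladder is deliberate: the only outright rejections are the policy rules the merchant set in advance (blocked destination, freight forwarder), an over-limit ticket is pushed to a wire rather than refused, and everything else lands in a queue for a human to look at, which is the point the thread keeps returning to.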
|When it comes to legal advice, ask a lawyer or solicitor.* |
*Different countries even have different names for their legal experts. ;)
Is that the same as a barrister?
I'm a spectator to my company's PCI certification [pcisecuritystandards.org] process.
It's pretty hairy. I never knew that there were so many things that you couldn't do. I also had no idea that the Payment Card banks could levy such heavy-duty penalties on people that don't comply.
You may just want to make sure that you're PCI compliant. If you're not, the first screw up will be one heck of an education.
"Good judgment comes from experience. Experience comes from bad judgment."
|For large CC orders I would get a faxed copy of someones credit card, drivers license and/or passport. |
Many people don't have easy access to FAX which is a real problem because making it too difficult to complete the sale can alienate many legit customers and it still doesn't stop a chargeback.
Getting insurance from the shipper is worthless as well because that only insures it during shipping. The minute that package leaves the hands of the delivery person all bets are off.
For really large sales we used to require a wire transfer as you can't do a chargeback on a wire transfer.
My preference is the USPS with "Certified Mail" because they not only get a signature but our local postal employees check your drivers license. Why the USPS? If customers play games with delivery by the USPS you have a new trump card up your sleeve called MAIL FRAUD, which is a felony if I'm not mistaken.
Good, I was worried you were setting yourself up for some problems by not keeping good records.
The receipts should only have the last 4 numbers of the card for security purposes.
Check to make sure, as you are OK on the storage because they can't get the cc numbers from them.
I store them as you do, I think some of the cc rules need to be updated to stay in step with the new terminals.
I wouldn't worry about the storage unless you have the full cc numbers with them.
If you want to be super safe, only ship to the billing address and make sure everything is signature required.
All of our transactions larger than $5000 we require a wire transfer or a certified check unless it is a corporation placing the order.
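The two storage points made earlier in the thread, that the CVV must never be retained after it has been passed to the processor and that a receipt or record should carry only the last four digits of the card, as an added example in code. This is not any poster's code. It assumes a transient `sale` dict of the kind a checkout form or phone-order screen would build to submit the charge, and the well-known `4111 1111 1111 1111` Visa test number is used as constructed input; the Luhn check is only a plausibility filter so that phone numbers and order IDs are not masked by mistake.

```python
import re

# Fields of a sale that are safe to keep after authorization. The PAN, expiry
# and CVV are deliberately absent; only the last four digits survive.
ALLOWED_FIELDS = ("order_id", "amount", "currency", "auth_code",
                  "processor_txn_id", "captured_on")

# Card-number shaped runs of 13-19 digits, optionally separated by spaces or
# hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "cvv 123", "CVC2: 1234" and similar in free text.
CVV_RE = re.compile(r"(?i)(cv[vc]2?\s*[:=]?\s*)\d{3,4}")


def luhn_ok(digits):
    """Luhn checksum; filters out phone numbers and order IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Return the PAN with everything but the last four digits replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text):
    """Mask Luhn-valid card numbers and blank CVVs in a receipt or log line."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    text = PAN_RE.sub(_mask, text)
    return CVV_RE.sub(r"\1***", text)


def record_for_storage(sale):
    """Build the record that may be written to disk once the charge is authorized.

    `sale` is the transient dict used to submit the charge (it contains pan, expiry,
    cvv). The returned dict carries only the allowed fields plus pan_last4, and the
    function refuses to proceed if a full PAN leaked into one of the allowed fields.
    """
    record = {k: sale[k] for k in ALLOWED_FIELDS if k in sale}
    record["pan_last4"] = mask_pan(sale["pan"])[-4:]
    for key, value in record.items():
        if isinstance(value, str) and redact(value) != value:
            raise ValueError(f"card data present in field {key!r}; refusing to store")
    return record


if __name__ == "__main__":
    # Constructed sale using the well-known Visa test number; not a real card.
    sale = {"order_id": "A100", "amount": "1299.00", "currency": "USD",
            "pan": "4111 1111 1111 1111", "expiry": "12/09", "cvv": "123",
            "auth_code": "X7Q2", "processor_txn_id": "tx-001"}
    print(record_for_storage(sale))
    print(redact("auth ok card 4111 1111 1111 1111 cvv 123 amt 1299.00"))
```

`record_for_storage` is built as an allow-list rather than a deny-list on purpose: a new field added to the checkout form later is dropped by default instead of silently persisted, and the final `redact` pass catches a PAN that a clerk typed into a free-text field such as the order reference. A refund or chargeback lookup then runs on `processor_txn_id` and `auth_code`, which is what the processor needs to locate the original authorization, so the full card number never has to be kept for that purpose.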