homepage Welcome to WebmasterWorld Guest from 54.205.205.47
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Pubcon Website
Home / Forums Index / WebmasterWorld / Ecommerce
Forum Library, Charter, Moderators: buckworks

Ecommerce Forum

    
See credit card number on back end?
Globalstores




msg:4575401
 5:52 am on May 19, 2013 (gmt 0)

I've been using yahoo merchant solutions to host my ecommerce stores and Paypal website payments Pro as my credit card processor for years. Yahoo shows me the customer's credit card number, exp date and AVS on each order in the administration back end orders page

I wanted to switch to a different hosting company to avoid Yahoo's transaction fees. I tried Bigcommerce and really liked the layout and options so I moved all my products over and changed the Nameservers. In about an hour my website was no longer on Yahoo and was now active on Bigcommerce. A few minutes later my first order came in.

The problem is, Bigcommerce admin control panel for customer orders doesn't show any credit card info. This is unacceptable because I need the card number so I can call the issuing bank when an address doesn't match AVS or if the customer wants to ship to a different address. In these cases I call the issuing bank and attempt to verify that the address matches what the customer entered. It's my only way of preventing thieves from having an expensive product shipped to themselves. Or have charge backs. I've caught literally hundreds of fraud attempts over the past nine years and have never been scammed by one. Matching credit card numbers to addresses on file with the bank is the reason why.

Does anyone know of another good ecommerce hosting company that can integrate with PayPal payments pro and that also shows the credit card information to the merchant like Yahoo does?

Thanks for any advice,
David

 

RhinoFish




msg:4575505
 6:48 pm on May 19, 2013 (gmt 0)

Can't you have the card company look it up by transaction number (holding the card number itself is a PCI DSS nightmare)?

Globalstores




msg:4575532
 9:52 pm on May 19, 2013 (gmt 0)

You need the credit card number when you call Visa or MC to get the issuing bank's phone number, and I really doubt the bank rep would look up a transaction number to get to a customer's credit card info.

We've used this method of fraud protection successfully for many years and bank reps are always happy to provide address verification and always ask "what's the card number?"

There is no PCI issue when the credit card information is stored by the hosting company (like Yahoo). Of course Yahoo is Level 1 PCI compliant and protects that information. I don't have to be PCI compliant because i don't store or transmit any credit card info, but I DO get to see it in the Yahoo Merchant Store order manager.

Is Yahoo really the only host or ecommerce solution that provides merchants with full credit card information on transactions?

If I were selling socks or scarfs perhaps I wouldn't care so much about losing a couple dollars to someone using a stolen credit card, but I sell expensive electronics and verifying the address entered by the customer is the only way to protect my company from thieves. Of course if the AVS on the Billing address comes back as a match, then we immediately ship the product.

Regards
David.

votrechien




msg:4575588
 1:24 am on May 20, 2013 (gmt 0)

In my experience it's very uncommon to have access to all of the CC info.

Can't you simply call your merchant provider and have them verify the info?

I'm sure there's a way to accomplish what you're trying to do which is probably safer than having access to an entire customer's CC info.

Globalstores




msg:4575612
 4:03 am on May 20, 2013 (gmt 0)

I am only getting responses from merchants who apparently don't have access to credit card info. I would only like to hear from merchants who DO have access to the full credit card info on your host's administration orders page (where you either click "Capture" "Refund" or "Cancel".

I cannot begin to imagine how any business could operate without seeing the credit card information entered by their customers. Unless, that is, they only accept PayPal Express as the method of payment and only ship to an exact AVS match. Sometimes honest people accidentally enter incorrect information and it needs to be verified.

It is absurd to think that it is not safe for a merchant to have access to CC info. You hand your CC to the waiter at dinner, who walks away with it, you give your CC info to the business you called on the phone to fix your plumbing, you give your CC to the cashier at Wal-Mart, and you probably give your CC to just about any business who sells a product. Of course, as I said previously, I don't store any CC info on my own computers or network, but I DO have access to the CC info via my Yahoo Merchant Store's orders page using a double password and SSL encryption. As a safety measure, Yahoo deletes the CC info 30 days after the transaction, which gives me plenty of time to call the issuing bank and verify addresses.

If you don't have access to the CC info, how can you avoid chargebacks from unauthorized sales (stolen credit cards)? Case in point, if I was a thief and went to your website to fraudulently purchase a new $600 stereo system and gave you a stolen credit card number and the real Billing address, but wanted it shipped to my home, how would you handle that? Just ship it to me? I would imagine you would be spending a lot of time dealing with chargebacks using that strategy.

Two of my Yahoo Merchant stores, that have been online since 2004, regularly have customers who want to ship an expensive product to their business address, a friend or a relative. Am I just supposed to ship and hope? Or do you think it might be better to call the isssuing bank of the credit card to see if the customer has added an "alternate shipping address" to their account? That's what we do and we have never had a fraudulent charge go through in nine years. Our gross sales are just over $700,000 / year.

You can't "simply call your merchant provider and have them verify the info" when you need to verify a Shipping address that is different from the Billing address. You have to call the issuing bank. And, you can't call the issuing bank unless you have the CC number and Exp Date.

I've used multiple Merchant Processors in the past so I'm quite familiar with their procedures. Nevertheless, I prefer using PayPal Website Payments Pro because I get a flat 2.2% rate for ALL credit cards, whether they're rewards cards or business cards. I also get a refund of the transaction fee if I cancel or refund the transaction. Most regular Merchant Processors charge you the discount points and don't refund them even if you refund the customer.

Anyway, I still would like to hear from any other merchant out there who DOES have access to the CC info via their ecommerce host's back end (like Yahoo Merchant does).

Thank you,
David

votrechien




msg:4575843
 6:14 pm on May 20, 2013 (gmt 0)

You've explicitly stated you don't want my advice or likely most other people on this board's advice because we don't give access to full CC info. But I'll ignore that just for a moment.

I cannot begin to imagine how any business could operate without seeing the credit card information entered by their customers. Unless, that is, they only accept PayPal Express as the method of payment and only ship to an exact AVS match. Sometimes honest people accidentally enter incorrect information and it needs to be verified.


We do it and I know numerous other merchants who do it as well (and it's not a volume issue- most of us have sales greater than what you've mentioned).

It is absurd to think that it is not safe for a merchant to have access to CC info. You hand your CC to the waiter at dinner, who walks away with it, you give your CC info to the business you called on the phone to fix your plumbing, you give your CC to the cashier at Wal-Mart, and you probably give your CC to just about any business who sells a product. Of course, as I said previously, I don't store any CC info on my own computers or network, but I DO have access to the CC info via my Yahoo Merchant Store's orders page using a double password and SSL encryption. As a safety measure, Yahoo deletes the CC info 30 days after the transaction, which gives me plenty of time to call the issuing bank and verify addresses.


You're argument is that because other companies have unsafe methods therefore you should have unsafe methods. But that aside, in a lot of these cases there is a significant difference. If a customer calls in an order and you write it down on a piece of paper and forget to shred it that night and someone breaks in and steals it, you're going to be liable for that single credit card. If you store a month's worth of CC info and someone hacks in and steals it you could be liable for potential thousands of credit card transactions.

f you don't have access to the CC info, how can you avoid chargebacks from unauthorized sales (stolen credit cards)? Case in point, if I was a thief and went to your website to fraudulently purchase a new $600 stereo system and gave you a stolen credit card number and the real Billing address, but wanted it shipped to my home, how would you handle that? Just ship it to me? I would imagine you would be spending a lot of time dealing with chargebacks using that strategy.


First, it's an issue we all struggle with (with that being said, we've had one fraudulent transaction in 10 years).

1) You're assuming the delivery address isn't the same as the billing address. However, as you've mentioned, you're also assuming the delivery address is a verified address on file. Most merchant providers have AVS services to verify just that (see our merchant provider here: [moneris.com...]

That aside, as you know as a vigilant merchant, sometimes you have to apply human subjectivity. For example, a customer has purchased from you numerous times and he calls and asks if you can ship to his hotel in another state. You probably ship it. And sometimes an order just gives you the willies so you apply as much scrutiny as possible to it.

Long story short, I know you're trying to find a merchant provider that provides access to full CC info and the best of luck trying. I'm trying to give you a low down of the pros and cons of it. Millions of merchants with volumes less than you and far greater than you prefer not to have access to this info, so at the very least, why they prefer this is a point worth considering. Nevertheless, I'll leave the conversation now to allow you to get the opinion of merchants who only have access to full CC info.

LifeinAsia




msg:4575861
 7:18 pm on May 20, 2013 (gmt 0)

It is absurd to think that it is not safe for a merchant to have access to CC info.

I disagree- I think it absurd to think it IS safe for a merchant to view the entire CC number, especially if it is a small businesses. While I may trust the business owner, I don't necessarily trust his soon to be disgruntled ex-employee who knows that the boss's password is "Password1" on all his online accounts. Nor do I trust that a small business owner has the resources to guarantee that his computer (as well as his entire office LAN, which includes the minimum wage data entry clerk who just has to download all the coolest new programs) is 100% free of viruses, key loggers, or other spyware that can grab his password and provide it to any number of hackers worldwide.

Globalstores




msg:4575873
 8:09 pm on May 20, 2013 (gmt 0)

Obviously I'm not making myself clear....

To Votrehien: "You're argument is that because other companies have unsafe methods therefore you should have unsafe methods." Where the heck did I say that? I use a VERY safe method of fraud control by using Yahoo Merchant Stores where THE CREDIT CARD INFORMATION IS STORED AND ENCRYPTED ON THEIR SYSTEM - NOT MINE. Yahoo requires a login to the merchant control pages, and clicking on the "Orders" tab requires a SECOND SECURITY KEY to gain access to the orders page. An SSL encrypted page displays the order information, including the CC card number. YAHOO WILL ONLY GIVE ONE REGISTERED MERCHANT ACCOUNT HOLDER ACCESS TO THE ENCRYPTED ORDER PAGE.

To LifeinAsia: I don't write down CC numbers, I don't store any CC info, I have no other employees, especially disgruntled ones, who have access to my passwords and security keys. I don't take phone orders. I don't have to have the "resources to guarantee that" my computer or my LAN is free of viruses or spyware (although I do), because THERE IS NO CC INFO STORED ON MY COMPUTER OR MY LAN. If you hack into my computer you will see photos of my family, but you WON'T SEE ANY CC INFO.

I think you guys need to go to www.merchant911.org and read about fraudulent credit card prevention.

I've got a headache and don't wish to continue this disagreement in business practices. I simply asked if any other merchant out there has found an ecommerce hosting company that provides CC info on the backend, similar to the way Yahoo Merchant Solutions does.

Regards,
David

LifeinAsia




msg:4575891
 9:22 pm on May 20, 2013 (gmt 0)

I don't ...

Great! But to CC businesses, it doesn't matter that you don't. They worry about the thousands of other businesses using the exact same system that you do who might not be as ethical or secure as you.

If you hack into my computer you will see photos of my family, but you WON'T SEE ANY CC INFO.

First, there is no need to shout.

Second, if I hack into your computer and get your password to Yahoo Merchant Solution (or whatever processing system you eventually use that does expose the full CC info), I *CAN* see CC info.

disagreement in business practices

The reason for discussing business practices is to show you exactly why very few (if any) companies offer what you are looking for.

You asked the question:
Does anyone know of...
Apparently, no one knows of a company offering that. Rather than just let the thread go without any responses, people chimed in to provide help and insight as to why there may not be any direct responses to your question. Instead of utter silence, most people would prefer an explanation of why the question wasn't being answered.
Leosghost




msg:4575903
 9:51 pm on May 20, 2013 (gmt 0)

Second, if I hack into your computer and get your password to Yahoo Merchant Solution (or whatever processing system you eventually use that does expose the full CC info), I *CAN* see CC info.

Precisely..because Yahoo's security systems do not restrict the passwords to specific MAC addresses ( which even if they did can be faked ) ..and thus to specific computers..

I know this because I have used their password security system.. recently..

You are no doubt using an OS on your desktop, that many of us would find not much difficulty ( if any ) in accessing..and gaining "silent access and transmission" of your Yahoo password..even were it protected with the "latest and greatest" AV and firewall systems..

Remind us never to shop online at your store..:)..( our credit card data could be easily compromised ) ..but don't post your site ..#13..:) [webmasterworld.com]

Globalstores




msg:4575908
 10:28 pm on May 20, 2013 (gmt 0)

"Second, if I hack into your computer and get your password to Yahoo Merchant Solution (or whatever processing system you eventually use that does expose the full CC info), I *CAN* see CC info. "

No, you can't. First of all, I don't store my Yahoo passwords on my computer and in addition you would need to:

1) Know both my Yahoo Merchant User Name and Password
2) Know my Yahoo Merchant second Security Password
3) Be using my computer that Yahoo recognizes because of the encryption key installed on it. Or you would need to know a third answer to personal questions I seriously doubt you know.

"Apparently, no one knows of a company offering that." Geez, I just posted my inquiry yesterday so I wouldn't rule out that there might be some other merchants who just haven't logged in yet to see my question.

LifeinAsia




msg:4575912
 10:37 pm on May 20, 2013 (gmt 0)

I don't store my Yahoo passwords on my computer...Be using my computer

Any number of hackers could very easily get all your passwords with a key logger program installed on your computer without your knowledge. Similarly, taking over your computer remotely is fairly trivial for a good hacker.

Again, what YOU do is of little interest to companies- it's what all the other small (and large) businesses that may use their services that companies have to protect against.

And if you think that everyone else in the world is just as trustworthy as you, why even bother with credit cards? Ship your products to whoever asks and have them pay you on the honor system. :)

Leosghost




msg:4575917
 10:43 pm on May 20, 2013 (gmt 0)

LIA ..said the first two words that came to my mind.."key logger" ..and there are a myriad other ways..

I do indeed know what I'm taking about ..began with punch cards in the early 70s..before your OS of choice was even invented..

However ..to quote Netmeg..who has also been watching ***** on the internet ( and no doubt elsewhere..as many of us have ) ..:)

"Carry on"..

And again ..Hi to Marrissa..

ssgumby




msg:4575952
 1:49 am on May 21, 2013 (gmt 0)

Spout off all you want, but storing CC info is a PCI nightmare as everyone here states.

I would never, ever want to know the cc info. That puts a large liability on ME.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Ecommerce
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved