Forum Moderators: buckworks
I discussed their requirements very briefly over the phone prior to making the appointment to scope the project out properly.
When I asked about payment methods, merchant account with the bank etc, this prospective customer was adamant that they did not want to use any online payment system but wanted the credit card details emailed to them from the checkout.
I pointed out that this really wasn't a secure method and that they would be liable for loss of any credit card data - but that didn't bother them and they were happy to take the risk as all their pc's etc are password protected.
I supply the hosting with all of the sites I build, and this covers email etc.
What I'm worried about is - am I liable in any way? I'm a reseller for hosting, I have no idea who may and who may not be able to access their email accounts etc.
Professionally speaking - I don't think they should accept people's data in this way. I certainly wouldn't want my credit card data sitting in logs on mailservers, people's pc's etc.
But, is it up to me to tell them what to do? Obviously I'd like to take the work but....
Anyone been in a similar situation? If so, what did you do? Am I better off leaving alone or should I just shut up and do the job?
Having credit card info scattered all over your emails is not a secure way of handling it. When the records go to the thousands, it won't be easy either to handle and provide a smooth service.
I think you should warn them as much as you can, leaving behind written documents and something which can prove that you are not liable for all the mess that they might potentially face.
For the rest, if it is a good deal, go for it.
Habtom
I think I'll just put a clause in the proposal stating that my recommendation is not to use email, and any decision to use email for transmission of credit card data is completely the decision of and responsibility of the client and that I can in no way be held responsible if any future problems or liabilities occur from that choice. Hopefully that will cover all the bases.
Also if something happens - no matter what you let them sign - they will blame you nevertheless for not having properly informed them about the risks. I have had the experience that people who refuse to accept good advice usually are the first ones to play the blame game when something goes wrong.
Marshall
I pointed out that this really wasn't a secure method and that they would be liable for loss of any credit card data - but that didn't bother them and they were happy to take the risk as all their pc's etc are password protected.
Jenkers, the point you need to get across is that it's not their computers that are the issue. Email is not secure. The problem is that the data can be intercepted in transit.
Secondly you need to express that whoever their credit card processor is, if they find out that data is being transferred insecurely over an email connection, they will pull their account in a heartbeat. The argument is, well how will they ever find out? It doesn't take much investigating, or one chargeback or complaint from a customer, to get an investigator snooping.
There is one last ditch effort - you can get someone to set up gpg or pgp encryption in their website and email client. Encrypted data is sent from the web site to the email client and can only be decrypted by a private key stored on the recipient's end. This, at least, is secure, but it's still unacceptable by merchant account providers. The problem with this is that they will have to learn how to use the private keys and retrieve the data, which is no better than existing secure methods and contrary to the need for simplicity.
Generally anyone willing to do this is also not willing to pay much, so if they insist, I'd let it be someone else's problem.
The card companies are getting a lot more active in ensuring that merchants look after card details in the UK recently. I suspect if you do implement this system for them as specced, either you or they are going to have to flat out lie to their merchant services provider.
You might be held liable if the customers know you were aware of the client's misguided venture.
-Corey
Just remind them of the potential fees that can be imposed by the card associations for insecure data.
Yup
You might be held liable if the customers know you were aware of the client's misguided venture.
... and yup. Lawyers like to call this gross negligence [dictionary.reference.com].
To tell the truth I've been more than a little irked from a moral standpoint, i.e. if someone doesn't say 'no' then people will continue to do things like this.
I guess I'll go to the meeting and just say that I can't implement a site without a secure payment option, if they do decide to go ahead and use another developer who will implement such a system then I'll make a note to definitely not shop there.
You are not allowed to email or fax credit card numbers......
If you break this term and a credit card number is stolen or intercepted by someone... then the credit card company will hold them liable for any and all damages. This is a fact.
Fraud charges cost the CC companies a lot of money every year and they will do anything to pass that cost off to someone who is making it easy to steal numbers.
I have had it out with a couple of clients over this issue.... The one who would not listen to me had to take his business elsewhere as I told him that I refused to host a site that was emailing credit card numbers.
If you are planning on hosting this for them then put your foot down as you may also be deemed liable.
As a personal policy I refuse to even store credit card numbers in a database. If they want a good reason ask them if they heard about Target in the news lately.
The only reason to do this is their own convenience and that isn't a good enough reason.
[edited by: Demaestro at 5:36 pm (utc) on July 16, 2007]
... or just have them log in to the cart to get the CC info. Use the email strictly for notification and order ##.
Lorax has the right idea. Keep it on the server, secure login... https etc.
Then clean out the data and change the path to the page and user names & passwords regularly. It will be far safer than sending it through mail servers.
If more web developers would take just a few hours to read through the wealth of info that VISA [usa.visa.com] and MasterCard [mastercard.com] make available the world would be a much safer place.
It's all there - the answer to this and a thousand other questions.
I've emailed the merchant on the premise of not wanting to waste anyone's time and told them straight up I wouldn't be willing to build/implement an ecommerce store that didn't use a secure method of payment - indicated there would be no extra cost in my services to link the store into paypal, protx etc - and that Google checkout is even offering free transactions for a limited time.
I think I've covered just about everything I can do, I guess if they don't want me to go to the meeting then it's their loss...
In my opinion you have done the right thing.
I hope they will do the right thing and heed your advice.
I always wonder about people who hire someone for their expertise and then don't listen to the advice when it doesn't jibe with what they were thinking. I find that very weird because.......... why hire an expert if you are going to tell him what to do and ignore his advice?
I would be curious what they do tell you and if they come to their senses.
Even storing the CC data online, they need to be PCI compliant. Level One Merchants along with Level One and Two Service Providers can be fined up to $25,000 USD per merchant or service provider. Level Two and Three Merchants can be fined up to $5,000 USD per merchant. This is for United States, but I would guess other countries would be about the same.
Usually getting compliant is paying a third party to do a scan and completing a questionnaire.
-Corey
Again I mention Target... there is no need to store credit cards at all, other than for your own convenience.
Demaestro
Part of the TOC from your merchant account is to keep a copy of the cc number with authorization number for 3 years (or 7)
Just things are to be done in the proper ways.
The fine for non pci compliant is $50,000 in the US
I've also dealt with hundreds of Merchants that have stored credit card details in a database, there are many off the shelf shopping cart systems that will store credit card details in a secure form and include the ability to flush old card data that's no longer needed.
Storing credit card data can be convenient for both you and the client in some circumstances, there are many thousands of companies that do this, in fact many wouldn't be able to function without it (eg your webhost, domain registrar, ISP etc.)
I'd do the job, just make sure that you explain to the client the possible risks and rewards of the various methods of credit card transmission and storage, do this both verbally and in written form.
Make sure you read the VISA and Mastercard docos. though, some good commonsense security precautions and procedures in there that a webdeveloper should be across.
Part of the TOC from your merchant account is to keep a copy of the cc number with authorization number for 3 years (or 7)
Which merchant account is that? Why would they recommend that?
To me that seems overkill and I have never needed someone's entire card number. I don't like that advice.
Any problems that have arisen a simple call to the credit card company.... with the customer name... the transaction date... transaction amount.... and the last 4 digits of the card are all I have ever needed to access the transaction to either refund it or reference it for some other reason.
The card companies have all that data and they can be liable for storing it..... I won't ever recommend storing them... especially on a production server's database that is hosting the site itself.
All it takes is one pissed off employee with a password and all your security goes **poof**..... again see Target
That is just me though.
The fine for non pci compliant is $50,000 in the US
But, when is the deadline for compliance? I see a number of sites reporting June 30, 2007 as the deadline. Another claimed September 2007.
Another claims merchants processing over 6 million credit card transactions per year must be compliant by September 30, 2007 and merchants processing 1-6 million cc transactions must be compliant by December 31, 2007. Haven't found anything for merchants with under 1 million transactions.
The most official site I found on PCI DSS compliance didn't list the deadlines anywhere.
I will point out though they will have to be misleading the credit card processor they are gonna use as I know what they are trying to avoid is the cost of online processing. If they get caught they will lose their merchant account.
I personally would avoid a site that I knew used an email to send my information but most of the time we don't know so there really shouldn't be an issue here as long as the emails are kept in the secure part of the server.
I wouldn't fight them here and set it up as secure as possible.
To tell the truth I've been more than a little irked from a moral standpoint, i.e. if someone doesn't say 'no' then people will continue to do things like this.
And you are correct, someone pointed me to a site just the other day that said "we are on a secure server for your safety" but the form action pointed to a NON-secure shared version of formmail.pl! What comes around goes around, eventually these companies will feel the bite one way or another.