Welcome to WebmasterWorld Guest from

Forum Moderators: buckworks


Pre-order issues for a startup non-US ecommerce business (Paypal?)

9:38 am on Jul 19, 2008 (gmt 0)

New User

5+ Year Member

joined:July 7, 2008
posts: 1
votes: 0


I'm looking at the possibility of setting up a process whereby the customer can pre-order items months in advance, and will get charged only when the items are ready to be shipped.

Looks like perhaps only with a payment gateway can this be done. Are there any alternatives to a payment gateway?

Paypal standard will deduct customers' funds upon checkout, so it's not possible to implement the requirement.

What about Paypal Website Payments Pro? Is there a possibility to store customers' orders, including cc details, and manually enter the customers' orders through the ecommerce store admin interface?


3:07 am on July 24, 2008 (gmt 0)

New User

5+ Year Member

joined:July 1, 2008
posts: 29
votes: 0


The card associations are lately making online orders that rely on pre-authorization (pre-auth) much more difficult.

Different card issuers have different periods and it varies from bank to bank, but the number of days the authorization for the amount (as a "shadow transaction") will be held against the customer's card is going down.

For Card Not Present (Mail Order/Telephone Order, Internet) it can be as low as 2-5 days now.

If you can't rely on pre-auth as your timeframe is so long, storing credit card information with your own merchant account requires you to be Payment Card Industry (PCI) Data Security Standard compliant.

You must store the card number encrypted (or hashed) and you can never store the CVV* past authorization of the card.

(The rules are strict that the CVV must not be stored in any database, and also not on any paper form. Yes, that's right. If you write it down and store it past authorization you are in violation.)

This can be a real problem if your credit card acquirer (gateway) insists on CVV to put through a charge as it means you will have to contact the customer again to get the CVV. Many sites ask the customer to "confirm their order" by entering the card number and CVV again.

So, to be able to perform this business model it appears you would have to break the card association rules on storage of cardholder data. This will be expensive if/when your acquirer finds out.

The card associations are tough on Card Not Present (Mail Order/Telephone Order, Internet) merchants, and give them minimal fraud protection, whilst on the other hand adding requirements like this that can really restrict one's business model.

Of course, your mileage may vary.

*VISA refers to the 3-digit code on the back of the card as CVV2, MasterCard calls it CVC2, and American Express calls it CID or 4DBC and it is 4 digits on the front of the AMEX card.