Shared Checkout System

Is this ok to do?

jonpoh

7:15 pm on Apr 25, 2011 (gmt 0)

10+ Year Member



I am working on a product & checkout system that will let many sellers list items for sale. They will each be able to log in and retrieve their orders (and card info) to process with their own individual merchant account system.

The card info will be stored on the server (PCI compliant and SSL) until they get the order, at that point they delete the card number and exp date.

My service will consist of letting the sellers use my cart system. But I do not process any cards or take any payment from the buying customers. I will take a fee from each of the sellers based on the number of transactions.

Do any of you know of any reason that this is not allowed by the credit card companies? What should I be looking out for to keep this free of problems?

jwolthuis

2:49 am on Apr 26, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The merchant account provider may have an issue with mixed carts from different merchants. In other words, I buy a Widget from Merchant A and a Gadget from Merchant B, then proceed to checkout. How would refunds work? What about chargeback requests for merchandise not as described?

If mixed checkouts aren't permitted by your cart, then I'm missing the point of what you're trying to do, and why a merchant would opt for this arrangement.

jonpoh

10:27 am on Apr 26, 2011 (gmt 0)

10+ Year Member



Mixed checkouts would not be permitted. This would be for gift cards only, for restaurants and services that do not have e-commerce websites. It's a niche market. But I already have a few clients who need something like this.

They don't want to spend the money on SSL and PCI compliance and cart setup just to sell a few gift cards, but if they can do it for free and pay a fee per card sold they would jump at it. Each store would have its own subdomain.

I don't think there is a problem with it; I just want to be sure that I'm not missing something before I roll it out and get 20 or 30 users.

jwolthuis

3:59 pm on Apr 26, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"But I do not process any cards or take any payment from the buying customers."

"They don't want to spend the money on SSL and PCI compliance and cart set up..."

I'm not sure how you'd fare in a PCI Audit. On one hand, you're paying for an audit, and must document how credit card data is gathered, transmitted, encrypted, and stashed in a browser session. The fact that you're not storing it in a database is only a small part of the entire picture.

On the other hand, you "don't process cards", and aren't privy to that card data. (If you *are* privy to the card data, you *do* process card data, even if it's just for debug purposes).

How do you satisfy the requirements of an audit, when you need to prove the data is firewalled between merchants, and also between a merchant and yourself (since you specifically do not process card data)?

Doesn't the holder of a merchant account (rather than yourself) need to have the audit conducted?

Hoople

11:32 pm on Apr 26, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



+1 to jwolthuis's comment. One data slip-up and the lawyers would feed on you like a school of piranhas!

Personally I wouldn't consider this at all - feels too much like sharing a toothbrush!