
nagromme

Original poster
I’m helping a company choose an e-commerce/shopping cart system, and they have an unusual requirement: they do NOT want credit cards processed automatically. They need to simply see the credit card info in human-readable form, for them to process manually. Just like they already handle their telephone orders, in other words. Old-fashioned, I know—but this requirement is set in stone.

Any recommendations on an existing shopping cart platform that can allow this? Ideally, a turnkey host (like Shopify, but they cannot do this). Failing that, then proven software we can install on a web server.

We’d rather use an existing, proven product than re-invent the wheel with some expensive custom back-end.

Thanks for any recommendations!
 
I’m helping a company choose an e-commerce/shopping cart system, and they have an unusual requirement: they do NOT want credit cards processed automatically. They need to simply see the credit card info in human-readable form, for them to process manually. Just like they already handle their telephone orders, in other words. Old-fashioned, I know—but this requirement is set in stone.

Any recommendations on an existing shopping cart platform that can allow this? Ideally, a turnkey host (like Shopify, but they cannot do this). Failing that, then proven software we can install on a web server.

We’d rather use an existing, proven product than re-invent the wheel with some expensive custom back-end.

Thanks for any recommendations!

You really need to make sure that the company understands the following requirements:

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

These lay out a set of requirements that ecommerce retailers must follow. If they get hacked and are found to not be in compliance, then the retailer could be found liable for any losses that may occur.
 
Why don't you make customers fill out forms? i.e.

Type credit card number below:
12345678910

That could help them check?
 
You really need to make sure that the company understands the following requirements:

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

These lay out a set of requirements that ecommerce retailers must follow. If they get hacked and are found to not be in compliance, then the retailer could be found liable for any losses that may occur.

Good link—I’ll pass that along, thanks. (I’m definitely telling them that their lawyer has to judge all the legalities—that’s beyond my area!)

The #s certainly need to be stored encrypted, as well as being purged once the order is filled.


I have no experience using this product, but would this fit the bill for what you're looking for?

http://www.shop-script.com/

Link to manual indicating manual payment support:
http://www.webasyst.net/support/shop/manual.html#Payment-methods

Thanks! Shop-Script does look promising! I’ll dig further, and if it looks like a proven/trusted solution, it may be just what they need.
 
Thanks! Shop-Script does look promising! I’ll dig further, and if it looks like a proven/trusted solution, it may be just what they need.

Cool! Let me know what you decide to go with in the end. I happened to come across a site that used that system a while back.
 
Will do. Also, FWIW, someone mentioned Volusion to me; supposedly they can enable CC# viewing via a support ticket, as a “hidden feature.” I’m looking into it.
 
I’m helping a company choose an e-commerce/shopping cart system, and they have an unusual requirement: they do NOT want credit cards processed automatically. They need to simply see the credit card info in human-readable form, for them to process manually. Just like they already handle their telephone orders, in other words. Old-fashioned, I know—but this requirement is set in stone.

Any recommendations on an existing shopping cart platform that can allow this? Ideally, a turnkey host (like Shopify, but they cannot do this). Failing that, then proven software we can install on a web server.

We’d rather use an existing, proven product than re-invent the wheel with some expensive custom back-end.

Thanks for any recommendations!

Could you tell us the name of the company, so we can avoid using them? And can you tell them that people are asking for the name of the company, so they can avoid using it?
 
If you’re like me, it won’t matter because you’ll never buy online from ANY company unless it’s a major world brand (Amazon, Apple) or at least uses a major brand for the transaction (PayPal). I would never use my credit card with a small business, sad to say, because you never have any idea what their procedures are. If I really need something, they can have a money order.

I’d prefer to avoid swiping my card at local restaurants/stores, actually... but I get hungry!

And luckily the cards themselves have some level of fraud protection. The financial risk if security is flawed is probably greater for the vendor than for one shopper. Be sure to check your statements...
 
It's better to do research for the local brands before swiping cards rather than not swiping cards at all. It may add a new brand name to the list of your trustable brands.
 
It's better to do research for the local brands before swiping cards rather than not swiping cards at all. It may add a new brand name to the list of your trustable brands.

I like buying local... but research won’t help; paying cash will :) And I don’t like to carry a lot of cash, so I stomach the risk. (Plus credit card companies have gotten fairly good at detecting fraud even before you do. If you use a credit card—not a debit card—you’re not responsible for the fraudulent purchases. At least in the US.)

Even if the store/brand is very trusted, criminals can sneak gizmos onto the payment terminals, and individual employees can be dishonest. I had my card stolen, and it most likely happened this way:

1. I paid using my credit card at a trusted restaurant or store: maybe a local business, maybe a chain.

2. My card was recorded, including the invisible data that’s only present in the magnetic stripe. So either the swipe terminal in the store/restaurant was modified/hacked, or some cashier/waitress carried an extra device to swipe with and store cards. (At restaurants where they take your card away from the table to charge it, there’s a chance for them to do something like that. Plus, they might be using a hacked swiper and not even know it—and you yourself can’t see the swiper so you have no chance to notice if something looks odd. You have to trust the staff to catch on to it, which they often don't.)

3. I got my card back at the store, none the wiser, but the whole batch of stolen card info (including mine) was sold to the “real” criminal by the cashier/waitress, or collected from the hacked swiper.

4. The criminal waited 3-6 months, not using the info, so that by the time fraud was committed, the trail would be cold. Maybe a pattern of fraud can be detected, but even if they think they know the store where the numbers were taken, six months later witnesses and evidence are harder to come by.

5. The criminal manufactured duplicates of the cards (including mine) using fairly cheap equipment that makes fairly convincing fake cards, magnetic data and all.

6. The criminal took the cards to various other cities (or hired lower-level thieves to do it) and bought easily-sold items like electronics from big chain stores. The frauds are committed hundreds of miles away from where the card was stolen, and of course signatures are seldom checked; if the store wants to see a signed driver’s license, the thief just has to say he must have lost it. My card’s clone was used to buy hundreds of dollars of stuff from Wal-Mart. (That’s where at least a low-level criminal might be caught on camera, but they probably wear a hood or hat, and even if caught it may not trace back to the higher-up criminal. The guy buying the stuff in Wal-Mart probably has no idea who originally stole the card info.)

7. The criminal(s) then sell the stolen merchandise. Lots of ways to do that without being easily traced. Much smarter than actually getting a merchant account and directly charging the card, which would be caught and stopped at once.

8. Sooner or later (probably sooner) the activity is likely to get flagged by the credit card company. For instance, those purchases were in a city where I’d never used my card before, and Discover noticed that.

9. The card company then disables the card (better safe than sorry) and the next time you OR the criminal use it the card is declined. (Hope you brought cash to the next restaurant!) Then you have to call the card company, find out why, and when they ask if those purchases were legitimate, this is the first you’ve heard of it! This is when the crime is finally first detected. Discover sent me a new card and started an investigation that went nowhere.

10. So the criminal can no longer use that particular card, but they have others. Sometimes even the very first attempted fraud gets declined, but other times they’re able to make a shopping trip or two before they get cut off. Stuff to sell = profit!

11. Maybe some of the criminals get caught. Maybe not. Rinse and repeat.
 
I like buying local... but research won’t help; paying cash will :) And I don’t like to carry a lot of cash, so I stomach the risk. (Plus credit card companies have gotten fairly good at detecting fraud even before you do. If you use a credit card—not a debit card—you’re not responsible for the fraudulent purchases. At least in the US.)

You're not responsible for fraudulent purchases with a debit card either, it just gets a hair more complicated to refund.
 
If a company openly displays a customer's CC number in a database, and said database gets hacked, that company is responsible for all losses. I would tell this company to eff off and not do this. You are not only doing something that could fall back on them, but also on you. Stop now while you are ahead.
 
I’m helping a company choose an e-commerce/shopping cart system, and they have an unusual requirement: they do NOT want credit cards processed automatically. They need to simply see the credit card info in human-readable form, for them to process manually. Just like they already handle their telephone orders, in other words. Old-fashioned, I know—but this requirement is set in stone.

This puts them entirely in PCI scope. That means they need a secure server, quarterly audits, and a lot of other expensive overhead. As a web developer you need to stand by ethics and standards and see they follow PCI rules or walk away from the project.
 