E-commerce/online store product that lets vendor see full credit card #?

Discussion in 'Web Design and Development' started by nagromme, Apr 5, 2012.

  1. nagromme macrumors G5

    Joined:
    May 2, 2002
    #1
    I’m helping a company choose an e-commerce/shopping cart system, and they have an unusual requirement: they do NOT want credit cards processed automatically. They need to simply see the credit card info in human-readable form, for them to process manually. Just like they already handle their telephone orders, in other words. Old-fashioned, I know—but this requirement is set in stone.

    Any recommendations on an existing shopping cart platform that can allow this? Ideally, a turnkey host (like Shopify, but they cannot do this). Failing that, then proven software we can install on a web server.

    We’d rather use an existing, proven product than re-invent the wheel with some expensive custom back-end.

    Thanks for any recommendations!
     
  2. Cromulent macrumors 603

    Joined:
    Oct 2, 2006
    Location:
    The Land of Hope and Glory
    #2
    You really need to make sure that the company understands the following requirements:

    http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

    These lay out a set of requirements that ecommerce retailers must follow. If they are found to not be in compliance if they get hacked, then the retailer could be found liable for any losses that may occur.
     
  3. Interstella5555 macrumors 603

    Joined:
    Jun 30, 2008
    #3
    That's a really...terrible idea, I definitely wouldn't use a CC on a site like that.
     
  4. x Nadzy x macrumors newbie

    Joined:
    Apr 5, 2012
    #4
    Why don't you make customers fill out forms? i.e.

    Type credit card number below:
    12345678910

    That could help them check?
     
  5. Apple Key macrumors 6502a

    Joined:
    Jan 4, 2012
    #5
  6. nagromme thread starter macrumors G5

    Joined:
    May 2, 2002
    #6
    Good link—I’ll pass that along, thanks. (I’m definitely telling them that their lawyer has to judge all the legalities—that’s beyond my area!)

    The #s certainly need to be stored encrypted, as well as being purged once the order is filled.


    Thanks! Shop-Script does look promising! I’ll dig further, and if it looks like a proven/trusted solution, it may be just what they need.
     
  7. Apple Key macrumors 6502a

    Joined:
    Jan 4, 2012
    #7
    Cool! Let me know what you decide to go with in the end. I happened to come across a site that used that system a while back.
     
  8. nagromme thread starter macrumors G5

    Joined:
    May 2, 2002
    #8
    Will do. Also, FWIW, someone mentioned Volusion to me; supposedly they can enable CC# viewing via a support ticket, as a “hidden feature.” I’m looking into it.
     
  9. gnasher729 macrumors P6

    Joined:
    Nov 25, 2005
    #9
    Could you tell us the name of the company, so we can avoid using them? And can you tell them that people are asking for the name of the company, so they can avoid using it?
     
  10. nagromme thread starter macrumors G5

    Joined:
    May 2, 2002
    #10
    If you’re like me, it won’t matter because you’ll never buy online from ANY company unless it’s a major world brand (Amazon, Apple) or at least uses a major brand for the transaction (PayPal). I would never use my credit card with a small business, sad to say, because you never have any idea what their procedures are. If I really need something, they can have a money order.

    I’d prefer to avoid swiping my card at local restaurants/stores, actually... but I get hungry!

    And luckily the cards themselves have some level of fraud protection. The financial risk if security is flawed is probably greater for the vendor than for one shopper. Be sure to check your statements...
     
  11. aldismiller macrumors newbie

    Joined:
    Jul 24, 2012
    Location:
    Florida
    #11
    It's better to do research for the local brands before swiping cards rather than not swiping a card at all. It may add a new brand name to the list of your trustable brands.
     
  12. nagromme thread starter macrumors G5

    Joined:
    May 2, 2002
    #12
    I like buying local... but research won’t help; paying cash will :) And I don’t like to carry a lot of cash, so I stomach the risk. (Plus credit card companies have gotten fairly good at detecting fraud even before you do. If you use a credit card—not a debit card—you’re not responsible for the fraudulent purchases. At least in the US.)

    Even if the store/brand is very trusted, criminals can sneak gizmos onto the payment terminals, and individual employees can be dishonest. I had my card stolen, and it most likely happened this way:

    1. I paid using my credit card at a trusted restaurant or store: maybe a local business, maybe a chain.

    2. My card was recorded, including the invisible data that’s only present in the magnetic stripe. So either the swipe terminal in the store/restaurant was modified/hacked, or some cashier/waitress carried an extra device to swipe with and store cards. (At restaurants where they take your card away from the table to charge it, there’s a chance for them to do something like that. Plus, they might be using a hacked swiper and not even know it—and you yourself can’t see the swiper so you have no chance to notice if something looks odd. You have to trust the staff to catch on to it, which they often don't.)

    3. I got my card back at the store, none the wiser, but the whole batch of stolen card info (including mine) was sold to the “real” criminal by the cashier/waitress, or collected from the hacked swiper.

    4. The criminal waited 3-6 months, not using the info, so that by the time fraud was committed, the trail would be cold. Maybe a pattern of fraud can be detected, but even if they think they know the store where the numbers were taken, six months later witnesses and evidence are harder to come by.

    5. The criminal manufactured duplicates of the cards (including mine) using fairly cheap equipment that makes fairly convincing fake cards, magnetic data and all.

    6. The criminal took the cards to various other cities (or hired lower-level thieves to do it) and bought easily-sold items like electronics from big chain stores. The frauds are committed hundreds of miles away from where the card was stolen, and of course signatures are seldom checked; if the store wants to see a signed driver’s license, the thief just has to say he must have lost it. My card’s clone was used to buy hundreds of dollars of stuff from Wal-Mart. (That’s where at least a low-level criminal might be caught on camera, but they probably wear a hood or hat, and even if caught it may not trace back to the higher-up criminal. The guy buying the stuff in Wal-Mart probably has no idea who originally stole the card info.)

    7. The criminal(s) then sell the stolen merchandise. Lots of ways to do that without being easily traced. Much smarter than actually getting a merchant account and directly charging the card, which would be caught and stopped at once.

    8. Sooner or later (probably sooner) the activity is likely to get flagged by the credit card company. For instance, those purchases were in a city where I’d never used my card before, and Discover noticed that.

    9. The card company then disables the card (better safe than sorry) and the next time you OR the criminal use it the card is declined. (Hope you brought cash to the next restaurant!) Then you have to call the card company, find out why, and when they ask if those purchases were legitimate, this is the first you’ve heard of it! This is when the crime is finally first detected. Discover sent me a new card and started an investigation that went nowhere.

    10. So the criminal can no longer use that particular card, but they have others. Sometimes even the very first attempted fraud gets declined, but other times they’re able to make a shopping trip or two before they get cut off. Stuff to sell = profit!

    11. Maybe some of the criminals get caught. Maybe not. Rinse and repeat.
     
  13. fig macrumors 6502a

    Joined:
    Jun 13, 2012
    Location:
    Austin, TX
    #13
    You're not responsible for fraudulent purchases with a debit card either, it just gets a hair more complicated to refund.
     
  14. mikelegacy macrumors 65816

    Joined:
    Dec 5, 2010
    Location:
    Pittsburgh, PA
    #14
    If a company openly displays a customer's CC number in a database, and said database gets hacked, that company is responsible for all losses. I would tell this company to eff off and not do this. You are not only doing something that could fall back on them, but also on you. Stop now while you are ahead.
     
  15. CTYankee macrumors 6502

    Joined:
    Jul 18, 2002
    #15
    This puts them entirely in PCI scope. That means they need a secure server, quarterly audits, and a lot of other expensive overhead. As a web developer you need to stand by ethics and standards and see they follow PCI rules or walk away from the project.
     
