tussy — 2013-03-13T11:33:33-04:00 — #1
Can Credit Card Numbers Be Electronically Transferred? Well... I know it's possible. Is it legal and acceptable? If so... what security measures are required or recommended? I'm working with an Amish fellow who wants to sell his goods online. However, he does not want orders processed online. He wants the orders to be sent to him through an email-to-fax program. Orders will then be placed manually.
force — 2013-03-13T11:36:21-04:00 — #2
Email and fax are inherently insecure for transmitting credit card numbers.
If you process credit card numbers, you will have to be PCI compliant.
ted_s — 2013-03-13T12:58:39-04:00 — #3
Put simply, it is simply insane to store cards locally unless the business has significant volume and a very special need.
Even forgetting PCI, merchant providers still require an internet order be run as such... no thumbing it into a POS system.
tussy — 2013-03-13T13:03:31-04:00 — #4
That's pretty much what I expected. Improper PCI-DSS could result in fines as well as a loss of merchant account. The fellow seems pretty determined to manage his sales this way. While I can advise against it, if it comes to losing the account, will I personally be penalized for setting him up?
felgall — 2013-03-13T14:26:09-04:00 — #5
If he takes you to court to try to recover some of the huge amount it eventually costs him, then even though you will probably win, you will still end up having to pay quite a bit in legal fees. Best not to help someone do something illegal like that in the first place.
tussy — 2013-03-13T15:20:12-04:00 — #6
Ah... so is it illegal? If it's bad practice, that's one thing... if it's illegal, that's another.
Perhaps the most ethical and mutually beneficial solution may be... to work out an arrangement where I manage the e-commerce aspect of his business... I could set up and use my own merchant account to help facilitate and fulfill online orders.
felgall — 2013-03-13T17:23:45-04:00 — #7
Setting up a fully compliant merchant facility is expensive - that's why most sites actually make use of a third party merchant facility. Apart from not having to spend huge amounts of money on setting up a PCI compliant system, you also avoid all the risk of being fined if someone finds a hole in your security and manages to obtain any of the credit card numbers, as the third party provider you use would be the one taking that risk.
Many banks and a number of other large financial companies offer access to use their payment processor for the processing of online credit card orders. It would just be a matter of finding one that doesn't charge an excessive fee.
Perhaps the easiest way to explain the problem to your client is to explain that one of the conditions for processing credit card orders is that the numbers are not allowed to be stored on a computer that is connected to the internet. As emails are stored on computers attached to the internet, they must never contain credit card numbers. If someone were to send their credit card number by email and it was then used by someone else to make purchases, then the only person that the card owner would have any chance at all of getting compensated for the loss from would be the person who convinced them to send their email address by email in the first place. The card issuer accepts no responsibility and prohibits such use of credit cards that they issue.