Taking payments online is the heart of each eCommerce site. If your customers can’t pay you, then your shop loses its purpose.
In this series, we want to focus on which payment processor to choose. The review is from a UK perspective and offline methods (bank transfer, cheque) are not covered, although for some sites they can be useful (B2B customers often prefer offline payment).
What’s a payment processor and why do I need one?
A payment processor takes care of the card processing. If you’ve got a shop with a terminal for putting through cards, then you may wonder whether you need one. And yes, you do! Don’t ever be tempted to store card details yourself and put them through manually.
Card processors can roughly be divided into the ones where you also need an internet merchant account (IMA) from a bank (e.g. ProtX) and those where you only need an account with payment processor (e.g. PayPal). We’ll be talking more about IMAs in later posts.
Why storing card details & manual processing is bad for your health
Unless you have a blatant disregard for all things legal, here are a few pointers on how to handle online payments:
- Never store card details unencrypted in your database. In fact, unless you really have to, never store them, full stop. Shift the risk to your payment processor wherever possible.
- Never use a standard merchant account for internet payments. It’s against bank and card issuer rules, you know. See Business Link for more info.
- Never store CV2 numbers as it’s in direct breach of PCI compliancy rules. You are only allowed to use CV2 for immediate authorisation.
- Never compromise security to save a bit of money in processing fees. The fines your bank can charge if you are found to breach rules can be substantial.
- Do use CV2 and AVS (address) checks. AVS will only work within the UK (for UK shops) but both are valuable tools to assess fraud risks.
- Do use a payment processor where you can see the IP address of your customer and check if it matches the country specified in the order.
- Do keep up-to-date with latest rules e.g. via your banks newsletter. Never assume that what you did last year is still okay today.
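As an added example (not code from the original post), here is how a shop’s checkout code can follow the checklist above: keep only the processor’s token and the last four digits, refuse to persist CV2 under any field name, apply the AVS check only where the page says it works (UK cards at UK shops), and combine the CV2, AVS and IP-country results into an accept / review / reject decision. The gateway response fields and the IP-to-country table are constructed stand-ins for illustration, not any real processor’s or GeoIP vendor’s format.

```python
"""Card-data handling along the lines of the checklist above.

Added example, not the original post's code. The gateway response shape
(AuthResult) and the IP-to-country table are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed IP -> country table standing in for a real GeoIP lookup.
# Both ranges are RFC 5737 documentation networks, labelled here arbitrarily.
CONSTRUCTED_IP_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


def ip_country(ip: str) -> Optional[str]:
    """Return the country code for an IP, or None if the lookup has no answer."""
    addr = ipaddress.ip_address(ip)
    for net, country in CONSTRUCTED_IP_COUNTRY.items():
        if addr in net:
            return country
    return None


@dataclass(frozen=True)
class StoredCard:
    """All the shop keeps: the processor's token and a masked number. No PAN, no CV2."""
    token: str
    last4: str
    expiry: str  # MM/YY


def store_card(processor_token: str, pan: str, expiry: str, **extra) -> StoredCard:
    """Build the record we persist. CV2 may only be used for immediate authorisation,
    so any attempt to pass it through for storage is rejected outright."""
    for key in extra:
        if re.search(r"cv[v2c]|csc|security", key, re.I):
            raise ValueError(f"refusing to store {key!r}: CV2 is for authorisation only")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("invalid card number")
    return StoredCard(token=processor_token, last4=digits[-4:], expiry=expiry)


@dataclass
class AuthResult:
    """Constructed shape of a gateway authorisation response (assumption)."""
    approved: bool
    cv2_match: bool
    avs_street: bool
    avs_postcode: bool


def fraud_flags(auth: AuthResult, billing_country: str, customer_ip: str) -> List[str]:
    """Collect the fraud indicators the checklist recommends looking at."""
    flags = []
    if not auth.cv2_match:
        flags.append("cv2_mismatch")
    # AVS only works within the UK for UK shops, so only treat a miss as a
    # signal when the billing address is in the UK.
    if billing_country == "GB" and not (auth.avs_street and auth.avs_postcode):
        flags.append("avs_mismatch")
    country = ip_country(customer_ip)
    if country is None:
        flags.append("ip_country_unknown")
    elif country != billing_country:
        flags.append(f"ip_country_{country}_ne_billing_{billing_country}")
    return flags


def decide(auth: AuthResult, billing_country: str, customer_ip: str) -> Tuple[str, List[str]]:
    """Turn the authorisation result plus fraud flags into a fulfilment decision."""
    if not auth.approved:
        return "declined", []
    flags = fraud_flags(auth, billing_country, customer_ip)
    if "cv2_mismatch" in flags:
        return "reject", flags  # authorised but CV2 failed: do not fulfil
    if flags:
        return "review", flags  # hold for a human look before shipping
    return "accept", flags


if __name__ == "__main__":
    card = store_card("tok_constructed_123", "4111 1111 1111 1111", "12/29")
    print(card)  # token and last four only
    print(decide(AuthResult(True, True, True, True), "GB", "198.51.100.7"))
```

The decision logic deliberately treats an IP/billing country mismatch as a reason to review rather than reject, since travellers and corporate proxies produce legitimate mismatches; a CV2 failure on an otherwise approved authorisation is the one case treated as a hard stop.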
If you don’t want sleepless nights, sign up with a payment gateway provider. They’ll handle the card details for you, so you don’t store any sensitive data. You’ll still need to keep your shop secure, but the risk is lower.
Recent Card Rule Changes
Our bank sends a friendly newsletter round every few months (usually peppered with bold font, “thou must” and a warning about fines in excess of £10k for non-compliancy). Recent highlights are:
- Compulsory SecureCode (3D Secure) for Maestro cards by end of Feb 09. If you cannot provide this, you must stop accepting Maestro cards online.
- Compulsory CV2 for all phone orders and all non-3D Secure internet transactions
- No continuous use authority payments with Maestro cards (e.g. subscription payments)
Many banks are also now rolling out compulsory PCI compliancy tests for all merchants who take payments online. Banks who we know require PCI compliancy include Barclays and HSBC.
PCI compliancy – the facts
The cardwatch.org site provides this summary:
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory security standard developed by both Visa and MasterCard for the protection and securing of card payment data. Merchants that capture or store card payment information are responsible for the protection and storage of this information. … For merchants who choose not to comply there could be severe financial and reputational consequences.
PCI is becoming more important as banks are trying to combat online fraud. For most shop owners this means quarterly scans by PCI compliancy checkers such as SecurityMetrics. They will scan your server and site for any potential loopholes, plus ask you questions about your in-house procedures.
Is it really that bad?
Yes and No. With fraud continuing to rise, online traders do need to be much more aware of bank / card issuer rules and fraud prevention than ever before. But knowing what to do is half the battle won. If you’re aware of the rules, have a reliable payment processor and treat your customer data in a secure manner, then you shouldn’t be put off accepting payments online.
Resources:
CardWatch
Fraud – The Facts 2009 (PDF)
Business Link: Accepting online payments
Business Link: eCommerce
Maestro refusing continuous authority payments is causing huge difficulties as our site offers ongoing payments for selling personalised number plates. Unfortunately, it means we’re unable to accept Maestro, and we know we’re losing customers as a result. We know because our customers are telling us!
Yes, it’s a considerable issue for anybody taking subscription payments. With our hosting business we’ve got the same issue with monthly payments. It’s also difficult to explain to customers that some cards are debited automatically, whilst others need manual payment – very confusing for customers and a real hassle leading to frustration and extra cost (support time).
To use PayPal Pro, PCI compliance seems to be a requirement. Are there any other processing solutions available that allow for the collection of CC data on-site and don’t require PCI compliance? If not, is it possible to become PCI compliant on TerraNetwork’s shared servers? Regards, Steven.
Hi Steven – for support and site-specific queries, please open a support ticket: https://support.terranetwork.net/web/submitticket.php?step=2&deptid=3.
Yes, our shared servers do pass PCI compliancy tests. PCI compliancy also encompasses your site though, so in addition to server settings (which we’d handle), you may also need to update your site to pass. Once you run the PCI compliancy test, the error messages will tell you which areas need looking at.
PCI compliancy is increasingly being required by many banks, so there’s little value in moving to a different system just to avoid it. E.g. most banks who issue merchant accounts require PCI compliancy, so even if you e.g. have an offsite payment system such as ProtX Form, you’d still need to pass the test if your bank requires it. Passing is normally not complicated and we’d be here via support ticket to help with any server-specific requirements.
I would like to know the difference between a 3D Secure and a non-3D account, and the pros and cons of the system. Thanks a lot! Regards, Allan.
A Bank is either part of the 3D Secure scheme or not. You do not have any choice about it. If a Bank is part of the 3D Secure scheme and the cards they issue (Visa, Mastercard etc. branded by the Bank) are part of the 3D Secure scheme then customers who use those cards in an online environment will be asked to validate their payment using their 3D Secure password.
Card owners who have not yet signed up to get a 3D Secure password will (mostly) be allowed to make up to 3 online purchases bypassing 3D Secure, but all further payments will have to be validated with a 3D Secure password or they will fail.
The exception is Maestro cards, which must be 3D validated when used online.
If you, as a site owner, use a payment module which does not ask for 3D Secure validation for Maestro cards then you can be in breach of your Bank/Card Company agreement.
Rhea (Vger)
So what are the pros and cons of 3D Secure and non-3D Secure? I would like to know more about the good and the bad. Will 3D Secure make the transaction faster? Or is non-3D more efficient to use for online transactions?
Hi. I would like to know what’s the difference between 2CheckOut and PayPal. Please advise, as I need a competent provider. I would like to know what is good and bad regarding these 2 providers. Thanks. Your information is very helpful to me.
Hi, we have never used 2CheckOut, so I’m afraid we cannot help you with any question regarding their services. PayPal is a third party payment provider which allows people to pay you in many currencies in use across the world without, in most cases, you having to get an Internet Merchant ID from your Bank.
You can set up a Pay Pal account for free and there are no monthly charges for using the account and no Internet Merchant ID required – unless you use the Pay Pal Pro service. The downside is that their “per-transaction” fees (in percentage terms) are quite high.
Pay Pal is a good option for start-up businesses which have a low sales turnover and low transaction value. If your sales turnover is high or your individual sales have a high value then you should look at other alternatives. What those alternatives are depend upon where in the world your website operates from.
Vger
Using 3D Secure is not a choice in many cases. All UK Maestro Card online transactions MUST use 3D Secure, and in due time that will also apply to all Visa and MasterCard online payments (though not yet a requirement for those 2 card types). It won’t speed up the process, as it adds another layer to the payment process.
What it will do, provided that a payment has been fully authenticated using 3D Secure, is to pass the responsibility for a chargeback on that payment to the Bank and not yourself. The Bank will still ask you to accept the chargeback, but it will be up to you to accept it or not. For instance, if you shipped goods abroad with a high value, which you have no chance of recovering, then you can just tell the Bank that you don’t accept the chargeback.
The upside is that you don’t lose any money on that transaction, whilst the downside is that the Bank will probably put you into a “High Risk” category and impose further security restrictions upon you.
Vger
I use PayPal on my website; it seems people trust it as they know they aren’t sharing their card details with you etc. They also have a recurring payment option, so if you were wanting to bill someone monthly, you could do. Works fine for me.