Sage Pay are anticipating minimal disruption (calculated in minutes) while the ip address changes take place – but we have been here before with Sage Pay system upgrades and their track record is not great.

As Internet Service Providers lock onto the ip addresses which name servers use and not the actual names they use we hope that Sage Pay will put in place forwarding from the old ip addresses to the new. If they fail to do this, or fail to do it correctly, or their systems get overloaded with the redirects then you should expect disruption for much longer than a few minutes.

Our advice – if you have alternative payment modules installed but not currently in use, such as Pay Pal, then you should activate them ready for the 17th of April, thus guaranteeing that your customers are able to make payments to you.

Hopefully you won’t need this – but it’s just as well to be prepared!

Link to the Sage Pay email below:
Original Sage Pay Email

SagePay is used by many shops I’ve built and they provide a reliable service with realistic fees. They’re usually top of my list when customers ask for a recommendation. An additional benefit is that they’re developer-friendly (good integration guides and test environment).

www.sagepay.co.uk - the new home for ProtX

Form or Direct?

Sage Pay offers 2 main services: Sage Pay Form where customers go offsite to Sage Pay to pay the invoice & are then returned back to your shop; and Sage Pay Direct where customers stay on your website and only the payment details are sent to Sage Pay.

Both options required the business to have its own internet merchant account. Sage Pay provides a list of compatible banks here: http://www.sagepay.com/developers/industry_knowledge/merchant_acquirers.asp.

The form integration is very simple. The website doesn’t even need an SSL certificate (although we do recommend this for all e-commerce websites). Customers go to the Sage Pay site to pay and are then redirected back to the website. Sage Pay Form comes with the added benefit of PayPal integration.

With Sage Pay Direct, customers stay on the website and only their card details are passed over to Sage Pay. Website will therefore need an SSL certificate and be PCI DSS compliant. Customers enter their card details on checkout_confirmation. If 3D Secure is required, the bank’s 3D Secure page appears. On successful autorisation, customers go the checkout_success page. Voids/Refunds can be processed from within the admin area.

Taking payments

Multi Currency: Sage Pay is in principle multi currency compatible, however accepting multiple currencies must be agreed with the merchant account provider (usually your bank) and can be expensive. If you need to take multiple currencies, check the fees carefully in advance. For smaller shops, PayPal may be a cheaper method to handle several currencies.

MoTo: Sage Pay can provide a virtual terminal for accepting payments in writing and over the phone. Very useful and doesn’t cost anything extra.

Cashflow: Sage Pay transfers the authorised payments into your bank account at the end of each working day cycle. This makes it great for cash flow, especially when compared to PayPal where transfers can take over a week to reach you.

Sage Pay Integration with osCommerce

The form integration is available as standard with all osCommerce shops. It can be found & activated under “Modules -> Payment”.

For the direct integration, we recommend http://forums.oscommerceproject.org/index.php?autocom=downloads&showfile=20 . The module is actively maintained and very reliable.

A paid installation service is also available from TerraNetwork.

In this series, we want to focus on which payment processor to choose. The review is from a UK perspective and offline methods (bank transfer, cheque) are not covered, although for some sites they can be useful (B2B customers often prefer offline payment).

What’s a payment processor and why do I need one?

A payment processor takes care of the card processing. If you’ve got a shop with a terminal for putting through cards, then you may wonder whether you need one. And yes, you do! Don’t ever be tempted to store card details yourself and put them through manually.

Card processors can roughly be divided into the ones where you also need an internet merchant account (IMA) from a bank (e.g. ProtX) and those where you only need an account with payment processor (e.g. PayPal). We’ll be talking more about IMAs in later posts.

Why storing card details
& manual processing is bad for your health

Unless you have a blatant disregard for all things legal, here’s a few pointers of how to handle online payments:

• Never store card details unencrypted in your database. In fact, unless you really have to, never store them fullstop. Shift the risk to your payment processor wherever possible.
• Never use a standard merchant account for internet payments. It’s against bank and card issuer rules you know. see business link for more info
• Never store CV2 numbers as it’s in direct breach of PCI compliancy rules. You are only allowed to use CV2 for immediate authorisation.
• Never compromise security to save a bit of money in processing fees. The fines your bank can charge if you are found to breach rules can be substantial.
• Do use CV2 and AVS (address) checks. AVS will only work within the UK (for UK shops) but both are valuable tools to assess fraud risks.
• Do use a payment processor where you can see the IP address of your customer and check if it matches the country specified in the order.
• Do keep up-to-date with latest rules e.g. via your banks newsletter. Never assume that what you did last year is still okay today.

If you don’t want sleepless nights, sign up with a payment gateway provider. They’ll handle the card details for you, so you don’t store any sensitive data. You’ll still need to keep your shop secure, but the risk is lower.

Recent Card Rule Changes

Our bank sends a friendly newsletter round every few months (usually peppered with bold font, “thou must” and a warning about fines in excess of £10k for non-compliancy). Recent highlights are:

• Compulsory SecureCode (3D Secure) for Maestro cards by end of Feb 09. If you cannot provide this, you must stop accepting Maestro cards online.
• Compulsory CV2 for all phone orders and all non-3D Secure internet transactions
• No continuous use authority payments with Maestro cards (e.g. subscription payments)

Many banks are also now rolling out compulsory PCI compliancy tests for all merchants who take payments online. Banks who we know require PCI compliancy include Barclays and HSBC.

PCI compliancy – the facts

The cardwatch.org site provides this summary:

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory security standard developed by both Visa and MasterCard for the protection and securing of card payment data. Merchants that capture or store card payment information are responsible for the protection and storage of this information. … For merchants who choose not to comply there could be severe financial and reputational consequences.

PCI is becoming more important as banks are trying to combat online fraud. For most shop owners this means quarterly scans by PCI compliancy checkers such as SecurityMetrics. They will scan your server and site for any potential loopholes, plus ask you questions about your in-house procedures.

Is it really that bad?

Yes and No. With fraud continuing to rise, online traders do need to be much more aware of bank / card issuer rules and fraud prevention than ever before. But knowing what to do is half the battle won. If you’re aware of the rules, have a reliable payment processor and treat your customer data in a secure manner, then you shouldn’t be put off accepting payments online.

Resources:

CardWatch
Fraud – The Facts 2009 (PDF)
Business Link: Accepting online payments
Business link: eCommmerce