In this series, we want to focus on which payment processor to choose. The review is from a UK perspective and offline methods (bank transfer, cheque) are not covered, although for some sites they can be useful (B2B customers often prefer offline payment).

What’s a payment processor and why do I need one?

A payment processor takes care of the card processing. If you’ve got a shop with a terminal for putting through cards, then you may wonder whether you need one. And yes, you do! Don’t ever be tempted to store card details yourself and put them through manually.

Card processors can roughly be divided into the ones where you also need an internet merchant account (IMA) from a bank (e.g. ProtX) and those where you only need an account with payment processor (e.g. PayPal). We’ll be talking more about IMAs in later posts.

Why storing card details
& manual processing is bad for your health

Unless you have a blatant disregard for all things legal, here’s a few pointers of how to handle online payments:

• Never store card details unencrypted in your database. In fact, unless you really have to, never store them fullstop. Shift the risk to your payment processor wherever possible.
• Never use a standard merchant account for internet payments. It’s against bank and card issuer rules you know. see business link for more info
• Never store CV2 numbers as it’s in direct breach of PCI compliancy rules. You are only allowed to use CV2 for immediate authorisation.
• Never compromise security to save a bit of money in processing fees. The fines your bank can charge if you are found to breach rules can be substantial.
• Do use CV2 and AVS (address) checks. AVS will only work within the UK (for UK shops) but both are valuable tools to assess fraud risks.
• Do use a payment processor where you can see the IP address of your customer and check if it matches the country specified in the order.
• Do keep up-to-date with latest rules e.g. via your banks newsletter. Never assume that what you did last year is still okay today.

If you don’t want sleepless nights, sign up with a payment gateway provider. They’ll handle the card details for you, so you don’t store any sensitive data. You’ll still need to keep your shop secure, but the risk is lower.

Recent Card Rule Changes

Our bank sends a friendly newsletter round every few months (usually peppered with bold font, “thou must” and a warning about fines in excess of £10k for non-compliancy). Recent highlights are:

• Compulsory SecureCode (3D Secure) for Maestro cards by end of Feb 09. If you cannot provide this, you must stop accepting Maestro cards online.
• Compulsory CV2 for all phone orders and all non-3D Secure internet transactions
• No continuous use authority payments with Maestro cards (e.g. subscription payments)

Many banks are also now rolling out compulsory PCI compliancy tests for all merchants who take payments online. Banks who we know require PCI compliancy include Barclays and HSBC.

PCI compliancy – the facts

The cardwatch.org site provides this summary:

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory security standard developed by both Visa and MasterCard for the protection and securing of card payment data. Merchants that capture or store card payment information are responsible for the protection and storage of this information. … For merchants who choose not to comply there could be severe financial and reputational consequences.

PCI is becoming more important as banks are trying to combat online fraud. For most shop owners this means quarterly scans by PCI compliancy checkers such as SecurityMetrics. They will scan your server and site for any potential loopholes, plus ask you questions about your in-house procedures.

Is it really that bad?

Yes and No. With fraud continuing to rise, online traders do need to be much more aware of bank / card issuer rules and fraud prevention than ever before. But knowing what to do is half the battle won. If you’re aware of the rules, have a reliable payment processor and treat your customer data in a secure manner, then you shouldn’t be put off accepting payments online.

Resources:

CardWatch
Fraud – The Facts 2009 (PDF)
Business Link: Accepting online payments
Business link: eCommmerce