Got Your Number! Taking credit card payments online - your options, security issues and regulations

Post on 01-Nov-2014


5 minute microslot talk for Oxford Geek Night 8 on the 27th August 2008.


Got Your Number! Taking credit card payments online - your options, security issues and regulations

27 August 2008

Payment Options

Providers such as PayPal, Google Checkout

A merchant account and Payment Gateway

PayPal etc. Pros

Quick and easy to implement

Donʼt require a merchant account with a bank

It may be that customers are happier giving their details to these companies than to you

PayPal etc. Cons

Canʼt brand the payment screens

Might be a confusing process

Makes you look like a small company

Lack of trust in PayPal etc.

What do you need?

- merchant account with a bank

- a method of processing the payment into that merchant account (payment gateway service)

- decide which method you want to use to take payments

Payment Gateways

You do not usually need to use the payment gateway owned by the bank you have your merchant account with. Shop around: providers are not all equal in ease of integration, features or costs.

Payment Options

“Pay Page” - card details are entered on the gatewayʼs server

API Integrations - card details are entered on your server

Pay Page

Card details are taken on the payment gateway server

- you have no responsibility for card data

- user goes to third party site

- some gateways allow templates to be uploaded to brand payment page

API Integrations

With an API integration you can keep the user on your server all the time and transmit the card data securely to the payment gateway.

Security of the card data is your responsibility during collection and transmission.

Keeping data secure

Use SSL - install a certificate on your server

- provides encryption for the data transfer

- provides reassurance for the user that you are who you say you are

3-D Secure

You will usually need to implement 3-D Secure (Verified by Visa/MasterCard SecureCode) as part of the API integration.

If using “Pay Page” this will be done for you.

Storing card data

You should not store the card data in your database. Send it to the gateway and let them look after it.

If you really need to...

Storing card data means that you or your client need to take responsibility for the security of that data.
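The API-integration and storage points above come down to one rule: the full card number and the security code travel to the gateway once, over a verified TLS connection, and only a gateway reference plus a masked number is ever written to your own database. The following is an added illustration of that split, not code from the talk; the gateway protocol, the `send` callable, the `tok_...` token format and the sample card are constructed for the example, and a real gateway's API will differ.

```python
import http.client
import json
import re
import ssl
from dataclasses import dataclass
from typing import Any, Callable, Dict

# Constructed for this example: card details as they arrive from a checkout
# form hosted on your own server (the "API integration" model).
@dataclass(frozen=True)
class CardInput:
    pan: str            # primary account number, as typed by the customer
    expiry_month: int
    expiry_year: int
    cvv: str            # card security code: sent to the gateway, never stored

# Field names that must never reach the database or the logs.
FORBIDDEN_KEYS = {"pan", "card_number", "cvv", "cvc", "security_code"}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, e.g. '************1111'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        raise ValueError("PAN too short to be a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def gateway_tls_context() -> ssl.SSLContext:
    """TLS context for the outbound call: verifies the gateway's certificate
    against the system trust store and checks the hostname, so card data is
    not handed to an impostor endpoint."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_over_tls(host: str, path: str) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Build a real transport that POSTs JSON to a (hypothetical) gateway over
    verified TLS. Not exercised in the offline demo below."""
    def send(request: Dict[str, Any]) -> Dict[str, Any]:
        conn = http.client.HTTPSConnection(host, context=gateway_tls_context())
        conn.request("POST", path, body=json.dumps(request),
                     headers={"Content-Type": "application/json"})
        return json.loads(conn.getresponse().read())
    return send


def assert_no_sensitive_data(record: Dict[str, Any]) -> None:
    """Guard for anything about to be stored or logged: no forbidden field
    names, and no value that looks like a full card number."""
    for key, value in record.items():
        if key.lower() in FORBIDDEN_KEYS:
            raise ValueError(f"refusing to persist field {key!r}")
        if isinstance(value, str) and re.search(r"\d{12,}", value):
            raise ValueError(f"field {key!r} looks like a full card number")


def storable_record(card: CardInput, response: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce the gateway's answer to what is safe to keep locally: the gateway's
    own reference, a masked PAN for customer display, and the expiry date."""
    record = {
        "gateway_token": response["token"],
        "status": response["status"],
        "masked_pan": mask_pan(card.pan),
        "expiry_month": card.expiry_month,
        "expiry_year": card.expiry_year,
    }
    assert_no_sensitive_data(record)
    return record


def charge(card: CardInput, amount_pence: int,
           send: Callable[[Dict[str, Any]], Dict[str, Any]]) -> Dict[str, Any]:
    """Send the full details to the gateway exactly once; return only the
    storable record. The CardInput object should be dropped after this call."""
    request = {
        "pan": card.pan.replace(" ", ""),
        "expiry": f"{card.expiry_month:02d}/{card.expiry_year % 100:02d}",
        "cvv": card.cvv,
        "amount": amount_pence,
    }
    return storable_record(card, send(request))


def fake_gateway(request: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the gateway so the example runs offline."""
    return {"token": "tok_constructed_0001", "status": "authorised"}


if __name__ == "__main__":
    # Constructed test card number, not a real account.
    card = CardInput("4111 1111 1111 1111", 12, 2010, "123")
    print(charge(card, 1999, fake_gateway))
```

In production the `send` argument would be the transport from `send_over_tls`, and the checkout handler would call `charge` and then discard the `CardInput` object without logging it; the `assert_no_sensitive_data` guard is there so that a later change to what gets persisted fails loudly instead of quietly widening your PCI DSS scope.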

PCI DSS

http://pcisecuritystandards.org

The Payment Card Industry Data Security Standard (PCI DSS) applies to anyone collecting and storing credit card data.

That means you.

What do I need to do?

The standards cover everything from data stored online to that stored in your office

(or on hard disks that get sold on eBay...)

Core principles

1. Build and maintain a secure network

2. Protect cardholder data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy

Thank you!

Rachel Andrew

http://www.edgeofmyseat.com

http://www.rachelandrew.co.uk