
Accepting Credit cards without gateway?



Hello, I've been through this before, but I have a client who is trying to tell me he checked into it and, as long as he doesn't store the information, he should be able to collect credit card information (sent to his email) and delete it within 48 hours. I told him about PCI compliance and he claims he talked to a lawyer about it. I'm sure he's wrong on this, but I wanted to see if anyone was doing that and, if so, is there a module that doesn't use a payment gateway? He said that the gateways charge a fee per transaction and a percentage, and if he runs it in the office he only pays the transaction fee.

Thanks in advance for any help with this issue.


Hi there,

It's a bit tricky and it depends how he implements it.

Doing this is more to protect the bank's back rather than yours, but if you protect theirs, they will protect yours (if you have done everything they have asked).

If there is anywhere on the website someone is able to enter all 16 digits of the PAN code (the long strip), he will have to complete a PCI compliance '4' at the request of his bank, which will involve yearly costs, quarterly security scans as well as tighter security (including potential audits from the bank to show how everything is handled and what measures are in place in case something does go wrong) when dealing with payments.
Every bank requires this and they do heavily subsidise the costs; Barclays' approved PCI handler would charge approx. £200. I think Sagepay's approved PCI handler would charge approx. £100. It's different companies trying to win your business, but they will all meet or exceed the standards the bank wants, and you would also have help. There would be someone to call if there was a problem, as well as that golden cover.
If he were not to do it and something were to go wrong, it's not a simple slap on the wrist; his bank would hold their hands up and he would be 100% liable for anything and everything that can potentially occur.

Payment gateways such as eWay & Sagepay also go through this step, but they do a level 5 which is on par with all the banks, so while there is a "fee" to process, you are 100% protected as everything is handled by their systems. Depending how you interface the system, you can technically avoid having to do a higher compliance, as the card numbers are entered on their encrypted page and not yours. Prestashop would only see that payment has been accepted and nothing more, but you would be allowed to log in and see all the details of what is being processed by the system, which would require a higher level of compliance as it would allow you to do refunds, card checks, amendments and so forth.

If he does not want to complete the higher level compliance (I assume to save money) and stay with the basic one for PDQs, then his short-term options are:

1) Do not take any payment details and call the customer after they have checked out, collect the information and process as he normally would (I would only recommend this one).

2) Use SSL and take part of the PAN number (i.e. the first 12 numbers), issue numbers, expiry dates, name on card (NO security strip), then call for the missing information and process it as he normally would.

All gateways offer different pricing structures and, assuming he uses a PDQ, the transaction fees are negotiable with his bank, as he would hopefully increase sales and warrant a further discount or review. Having said that, all banks are just as different and he may get a better deal elsewhere.

Our main account is with one; the PDQ is with another.

I suppose you could modify the bank transfer or cheque details module to do what you want, and make sure you state what is going to happen and that it is purely done to protect them, the customer (not to cut costs).

I would insist on doing it, mainly because it offers that peace of mind for everyone involved, but he SHOULD talk to his bank and, again assuming he has a PDQ, talk to their PCI handler for proper advice.

I am not a lawyer, I don't work for the bank, any PCI company or payment gateway; I am merely reporting what I have experienced and what I have come to understand from the system.

Hopefully it helps. It was meant to be short, but I guess I'm hoping that it would help more people if I wrote more.

If not, let me know and I will try and clear it up further, and not waffle on so much.

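As an added example (not code from any poster in this thread), here is the kind of check a shop operator could run over the order e-mails or form submissions described above to confirm that no full PAN is being captured: it finds 13-19 digit runs, keeps only those passing the Luhn check (which filters out phone and order numbers), and reports them masked to first six / last four. The sample e-mail text is constructed for the example.

```python
import re

# Digit runs of 13-19 digits, allowing the spaces or dashes people type between card groups.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample; 4111 1111 1111 1111 is a well-known test number, not a real card.
SAMPLE_ORDER_EMAIL = """Order #10234 (constructed sample, not a real customer)
Name on card: J Smith
Card: 4111 1111 1111 1111
Expiry: 12/25
Phone: 0161 496 0000
Order ref: 1234567890123456
Truncated field: 411111 1111 11 (first 12 digits only)
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check: True for a well-formed card number, False for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_full_pans(text: str) -> list[str]:
    """Return masked card numbers found in text (13-19 digits, Luhn-valid)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


if __name__ == "__main__":
    hits = find_full_pans(SAMPLE_ORDER_EMAIL)
    # Any hit means a full PAN reached the mailbox and the form is in scope for the higher compliance level.
    print("Full PANs found:", hits or "none")
```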

Thanks for the in-depth reply! That will really help me. I was trying to tell him this, but I could tell he thought I was "blowing it up". I told him we had other clients that went through this already. Times have changed since he did his site 5 years ago.

Thanks again!


No problem.

I guess sometimes you have to be firm; if you do the hosting for him, design work or both, you have to protect yourself too!
Put a stipulation in for those who want to host web shops with you but don't want to become compliant because of the extra expense. Something to absolve you of any problems due to the recommendations not being followed, much like the bank.
