
Accepting credit cards online

  • 09-07-2001 4:58pm
    #1
    Registered Users Posts: 1,842 ✭✭✭


    What's the best way to do that cheaply?

    (Visa have said that you're not allowed to just write in the details onto the little slips that you give the bank, so I can't just organise secure transfer of the details to the company and let them do it.)

    I have looked into paypal.com, but it appears they only accept credit cards within the US - for international cards, you have to go through all the fuss of registering a paypal account, verifying the card and all that, which would confuse your average online shopper, be a pain in the you know what, and people would just give up and go away, and we don't want that happening...



Comments

  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Don't have time to go into detail now, but have a look at WorldPay and payandshop.com for the moment. WorldPay is quite good, but limited. I don't know anything about payandshop.com, but I've heard good reports about them. If you have money to spend and are expecting some *serious* revenues from web sales, the best system I've come across thus far is Piercom. It *really* rocks - I wrote a PHP interface for it in about a half hour and no-one would ever be able to tell they were going through a third party.

    adam


  • Closed Accounts Posts: 65 ✭✭wintermute


    I was involved in several projects like this before but more from a security point of view than a development one, but, as far as I know it works like this...

    Firstly, you will need to apply for permission to handle credit cards. I think that your Bank will do this for you. Now that you're allowed to accept payment by credit card you'll have all the necessary forms etc. to do it over the telephone. I know of two roads that you can go down from here if you want to accept credit cards on-line.

    1. DIY

    Build your website and hook it into a database backend. Either develop it yourself or buy some commercial e-merchant solution. You will then have to process the CC information manually by extracting the information from the database and filling out the necessary forms (which the bank provided you with) then lodging them in your merchant account (which the bank set up for you). You may also have to register as a "data collector" or whatever they call it to comply with the Data Protection Act since you're storing personal information in a database, but I'm really not sure.

    2. Bank provided solution

    Bank of Ireland provide a solution whereby you let them do all the CC handling. It basically involves them (the Bank) handling all the CC information and not you. This is done via some discrete SSL link to their end when it comes time to pay. The linked page on their (the Bank) side can be customised to fit in with your company's identity manual so don't worry about it having BoI stamped all over it!

    It's called "click-pay" and here's the homepage

    http://www.boi.ie/clickpay

    This is the only client bank solution that I have played with - I am sure that the other high street banks have similar solutions.

    Before you even dream of trading on-line - with either option, employ a professional security consultant / consultancy firm to thoroughly test the system for any potential security problems. I really can not stress this enough - employ a professional - just because you have an SSL enabled webserver does not mean you're secure. I have been involved in cleaning up after CC systems were blown - as well as a PR nightmare you can also face legal action.

    Once again: No matter what you do, please get a professional to lock the system down!

    Hope this helps but don't consider this "expert" advice.


  • Registered Users Posts: 1,842 ✭✭✭phaxx


    WorldPay seems to be the cheapest option, clickpay want £600 annually, whereas worldpay are only asking £150.

    Any suggestions regarding the professional security people? Sounds rather expensive. :)

    What kind of things were wrong with the systems you've been involved with?


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Slightly more time on me hands now. Wintermute, I'm going to use your post for reference, and I'm going to take a couple of digs at it - I hope you don't mind, I'm just pointing out a couple of problems. No offense meant.
    > Firstly, you will need to apply for permission to handle credit cards. I think that your Bank will do this for you. Now that you're allowed to accept payment by credit card you'll have all the necessary forms etc. to do it over the telephone.

    Ok first of all, what Wintermute is talking about here is a merchant account. Getting a merchant account in Ireland for a small business in Ireland used to be *really* hard, but the process is much better in Ireland these days, now it's just hard. In the old days - last year that is - you had to have an account with your bank for 1-3 years, you couldn't get it from BOI without taking the Clikpay service, and you had to have stacks of documentation to get it. (All they were really short was a urine sample.) These days it's a little bit easier, but you still have to put a fair bit of research into it. It also isn't mandatory for you to get an Irish merchant account, but I'll come back to that in a minute.
    > Build your website and hook it into a database backend. Either develop it yourself or buy some commercial e-merchant solution. You will then have to process the CC information manually by extracting the information from the database and filling out the necessary forms (which the bank provided you with) then lodging them in your merchant account (which the bank set up for you).

    Ok, Wintermute could have meant a couple of things here, but I'm going to assume the worst - unless you're an enterprise-class merchant, and you have your own servers, and they're housed in your own premises, and they're as secure as dammit, and your premises are secure as dammit, you never, ever, under any circumstances, store credit card data in a database on your server. For that matter, unless you can possibly avoid it, you don't store personal data in there either. It's just not worth the risk. Even corporations like Amazon and CDnow have been compromised.

    In this situation, you accept orders only over an SSL connection, you encrypt the data using public/private key encryption, and you send the information to yourself via email. If you want to store the data then locally, you should process the transaction and re-encrypt it before you store it. If you need to generate stats on sales or something, you decrypt it at runtime and re-encrypt it again. In other words, no matter what you do, the data should never be available in cleartext unless you're actively working with it.

    Completely aside from this being the *right* thing to do, it's only a matter of time before it's going to be the *only* thing you can do, since Visa have already introduced guidelines for Internet credit card processing in the US and they're on the way to Europe.
    > You may also have to register as a "data collector" or whatever they call it to comply with the Data Protection Act since you're storing personal information in a database, but I'm really not sure.

    Just to clarify, you don't have to actually register, you just need to comply with the DPA. Possibly if you're enterprise-class you have to, but I'm not sure (also). The DPA is pretty easy to comply with really, all it means is that you have to respect people's data. If someone asks you for information about them stored on your computers, you have to tell them. If they ask you to remove your data, you have to remove it, etc. It's really quite simple, and it's explained in simple terms on the Data Protection Commissioner's website.
    > Bank of Ireland provide a solution whereby you let them do all the CC handling. It basically involves them (the Bank) handling all the CC information and not you. This is done via some discrete SSL link to their end when it comes time to pay. The linked page on their (the Bank) side can be customised to fit in with your company's identity manual so don't worry about it having BoI stamped all over it!

    Ok, some people aren't going to like this, but I'm going to say it anyway - the last time I looked Clikpay was run on NT servers, and I'm sorry, but that's just not good enough for me. Yes, I know, a network or a machine is as secure as you make it, and you can make NT secure, but it's still not enough for me. It'll never be enough for me. So that's got my Clikpay bias out of the way, here's the facts:

    Clikpay is basically a system whereby you install a small piece of BOI-supplied software on your server. When you want to process a transaction, you "talk" to the BOI software, which handles the process from there, verifying card details, processing transactions, etc. As I mentioned in my previous post, Piercom also run a system like this, but it's much more capable. For a start, you can write your own code to interact with the Piercom servers. That means you can output your own messages and responses and *really* control what's going on. In other words, it's not just branded, it's controllable. But it's also *very* expensive.

    The alternative is something like WorldPay, where you set up an account and a merchant account with them (it's much easier these days than ever before). Then all you have to do is send the transaction to the WorldPay server in the correct format using regular HTML forms. Or alternatively, you can simply use their Click and Build system, which will even build a wee webstore for you. It's really pretty good. Manky like, but it does the job. :)
    > Before you even dream of trading on-line - with either option, employ a professional security consultant / consultancy firm to thoroughly test the system for any potential security problems. I really can not stress this enough - employ a professional - just because you have an SSL enabled webserver does not mean you're secure. I have been involved in cleaning up after CC systems were blown - as well as a PR nightmare you can also face legal action. Once again: No matter what you do, please get a professional to lock the system down!

    Ditto, ditto, ditto. I can't stress this any more than Wintermute - remember, it's people's credit cards and personal information you're playing with here, you can't afford to take *any* chances.

    Anyway, that's my lot for now. If you have any more questions, don't be afraid to ask. I won't bite. Well, not hard anyway.

    HTH,
    adam


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    > WorldPay seems to be the cheapest option, clickpay want £600 annually, whereas worldpay are only asking £150.

    I usually try to avoid pushing people down one particular route, but I think WorldPay is the best solution for you. It's relatively cheap and it's relatively easy to set up. I wouldn't discount the payandshop.com one completely though, it's getting very good reviews on the Enterprise Ireland ebusiness_discussion list at the moment. Again though, I don't know anything about it. If you find out, it would be nice if you posted some information here.
    > Any suggestions regarding the professional security people? Sounds rather expensive.

    It should be. If you're paying less than £100 an hour, you're not getting a very good security consultant. And that's cheap. Sorry, I only know one guy and I'm keeping him for myself. :)

    adam


  • Registered Users Posts: 1,842 ✭✭✭phaxx


    So, you're saying that with clickpay, the server the whole thing is hosted on has to be NT? (or switch to an NT one for the final page)

    If that's the case, clickpay is out.

    The business already has a merchant account, but as I mentioned earlier, Visa said nobody is allowed to just write in the data onto the little slips that the company would give the bank.

    So with a worldpay account, what I'd do at the end of the whole thing is present the user with a form asking for all the details, and have it sent to something at worldpay? (I'm assuming the secure connection can be created ok at *this* point (by worldpay's servers) and doesn't have to be in place for the form to be presented to the user)

    What I mean by "sent to something at worldpay", <form action="https://www.worldpay.com/...." ...

    Any recommendations on who to get to poke at my code and make sure it's safe?

    Thanks for the information guys, much appreciated.

    [This message has been edited by phaxx (edited 09-07-2001).]


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    > So, you're saying that with clickpay, the server the whole thing is hosted on has to be NT? (or switch to an NT one for the final page)

    I'm not 100% sure, but the last time I looked Clikpay was only supported on NT.
    > The business already has a merchant account, but as I mentioned earlier, Visa said nobody is allowed to just write in the data onto the little slips that the company would give the bank.

    Who did you talk to in Visa? I have a merchant account (three in fact, but that's another story!) and my bank had me sign an addendum to my contract that allows me to: a) accept "cardholder not present" transactions (i.e. mail and phone order); and b) accept online orders. I don't know what the situation is with you, but I'm taking the bank's word for it anyway. :)
    > So with a worldpay account, what I'd do at the end of the whole thing is present the user with a form asking for all the details, and have it sent to something at worldpay? (I'm assuming the secure connection can be created ok at *this* point (by worldpay's servers) and doesn't have to be in place for the form to be presented to the user) What I mean by "sent to something at worldpay", <form action="https://www.worldpay.com/...." ...

    Yip. You take the order details, and when it comes to the credit card transaction you add it all up and put the data in a particular format in your form (currency, amount, description, etc.) That form points to WorldPay, and when the user completes their transaction on WorldPay, you have several ways of coming back to your own site. Take a look at http://www.annecollins.com for an example, nothing is logged before the transaction so you can go right through to the WorldPay page.
    > Any recommendations on who to get to poke at my code and make sure it's safe?

    Honestly, no. I'd say a post in the security forum wouldn't go astray though.
    > Thanks for the information guys, much appreciated.

    No problem.

    adam


  • Closed Accounts Posts: 589 ✭✭✭Magwitch


    WinterMute is spot on. Clikpay from Bank of Ireland is free for the first full year. It is also an accountable bank around every street corner in Ireland.


  • Closed Accounts Posts: 65 ✭✭wintermute


    > Originally posted by phaxx:
    > What kind of things were wrong with the systems you've been involved with?

    They hadn't secured them properly and/or had very bad operational procedures in effect. Projects like this require *proper* planning, not a quick meeting in the boardroom!
    > Originally posted by phaxx:
    > So, you're saying that with clickpay, the server the whole thing is hosted on has to be NT? (or switch to an NT one for the final page)

    I don't think that's 100% true, BoI "recommend" NT but from the documentation they provided me with over a year ago, the bit that goes on your host will work on a UNIX platform.

    But the only way to find out is to ring them up and ask for some promotional junk.
    > Originally posted by phaxx:
    > Any recommendations on who to get to poke at my code and make sure it's safe?

    I am not in the business of using a public BBS to solicit new clients but my profession is IT security. If you want to, post your email address and we can correspond privately on the matter further. And, I'm not particularly looking to take a new client on board either, but I feel a public forum isn't the appropriate place to discuss the pros and cons of different security measures you may have in effect on your systems or which security consultancy firm is best.

    Hope this helps.



    [This message has been edited by wintermute (edited 10-07-2001).]


  • Registered Users Posts: 555 ✭✭✭-Toppy-


    I have used a combination of Worldpay (2 sites) Realex (Pay and Shop) 3 sites (1 perl, 2 php) and attempted to do a clikpay setup.
    But to be honest I still see no attraction with clikpay, bar the fact of the problem of getting SSL installed (or even the cost of a cert) the fact that you have to mind lots of data carefully.

    Whereas with payandshop or realex all the processing is done off site no ssl needed away ya go. All you need really is a Merchant account. I would definitely recommend realex, no problems ever with their stuff. I will have to look at Piercom at some stage though, always good to have alternatives

    HTH
    Toppy


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Why is an ancient post being dragged up??
    There were a number of discussions on this subject recently which incorporated the latest news etc.


  • Closed Accounts Posts: 135 ✭✭dynamic.ie


    Here's 2 posts I posted a week or so ago, that explains a lot. Hope it helps:
    To accept payments online you need 3 things:

    - website capable of accepting orders
    - payment service provider (psp) for processing payments
    - merchant account for remitting funds to

    Euroconex provide merchant accounts and are a psp as well. They do this on behalf of Bank of Ireland so if you go for a merchant account with BOI, they will pass you to euroconex. Their psp is called clikpay. You can open up a merchant account with them and get a psp elsewhere. For a new account with euroconex with transaction levels of less than EUR 2 million per month, you're looking at about 3.5% charge on the value you put through them. It takes about 10-14 days to get a live account with euroconex which is quite good.

    Worldpay also provide this merchant account / psp service but their rates are 3.95%, as far as I remember, and they hold your money for 4 weeks before remitting it to your bank account.

    You could try Ulster Bank. You can negotiate with them cause they are 3rd in the market and want new customers. You can get around 2 or 2.5% for a new account. Word of warning... they use the Royal Bank of Scotland for their merchant accounts so all processing of new accounts and risk check must go to the UK and back to you and back to the UK and back, etc. Any of my customers that have gone this route have complained about the length of time it takes to get the account with Ulster Bank (around 4-8 weeks) but they are happy with the rates once they get it.

    Don't know much about AIB's but I think they are similar to BOI.

    Choose your merchant account based on service and the best rate. After that choose who you want as a PSP. Don't use euroconex's ClikPay, it's crap compared to the alternative. The best around in Ireland is RealexPayments (payandshop). The service is great and the lads over there are really helpful... they'll appreciate your business and make you feel like a valued customer, unlike some bigger companies, who seem not to give a s*** if you do business with them or not.

    In short here are your options:

    1. euroconex and realex
    2. euroconex and clikpay
    3. aib and realex
    4. ulster bank and realex
    5. worldpay
    6. paypal

    There are probably more in the Irish market but these are the main ones off the top of my head. You need a US or UK bank account to remit funds to if you use paypal. They don't remit to any Irish bank accounts yet... they say because of security when I was talking to them.

    There is more info on our company website about this: http://www.dynamic.ie/ecommerce

    Here are some links for you to check out:

    http://www.realex.ie
    http://www.euroconex.com
    http://www.worldpay.com
    http://www.paypal.com

    Hope that doesn't confuse you but gives you a good bit of info. My suggestion is to use realex and euroconex. Once you have the euroconex account, you don't have to deal with them that much at all. You deal with realex for the payment processing and they have some great systems in place such as fraud scoring, online terminal, etc.
    I know it can get a bit confusing sometimes, especially starting out. I'll try and explain some of it for you.

    Euroconex (Clickpay is a service euroconex provide) offer an online merchant account so that you can accept payments via the web. When payments are received through this account, they are put into your bank account whether it's BOI, AIB, Ulster Bank, etc.

    In addition to the online merchant account, you need to have a Payment Service Provider (PSP) to do the payment processing for you. Now, Euroconex can provide you with their in house system to do this called Clikpay or you can use someone else, e.g. Realex.

    In terms of why use clikpay and don't bother with realex.... it's all about quality and service. You get a much higher level of service from Realex and the lads over there are great at helping you get set up. Their online control panel for viewing and processing payments is 10 times better than clikpay. I have worked with both systems and find that Realex is much better... all round!

    Someone correct me if I am wrong but is the price better with Realex. If you use Realex, minimum charge is EUR 49 per month but I think if you use Clikpay it's a minimum of EUR 127 (I'm not sure about the Clikpay charge, I can't remember). Really, costs wise, it's not that much to use Realex. EUR 49 per month gets you 50 transactions processed.

    Hope they help!!!

    I think there should be a sticky with this type of info put in it for future questions on the same topic.

    Cheeurs,

    Dave

