A bit of an odd question related to liability and PCI-DSS
Started by Fallout2man, Nov 07 2008, 19:33
3 replies to this topic
#1
Posted 07 November 2008, 19:33
I've been in a debate with someone in the past over this, and I really need a conclusive answer (with references) to make a point to someone.
Let's say I run an e-commerce business; we're on a fully PCI-DSS compliant server and only advertise and endorse secure transactions. Now let's say a customer sends me his or her credit card information unencrypted, in plain text, via an email to this server, and while we don't endorse that, we still charge the card anyway, manually over something like the Authorize.net virtual terminal.
Does this violate the PCI-DSS? More importantly, in matters of legal liability, has the business opened itself up to more? Specifically, to what extent and what kinds?
Any responses are appreciated, thanks a ton.
#2
Posted 07 November 2008, 20:52
I think that it would depend upon the exact wording of your Merchant Agreement. No one is likely to care what you endorse or solicit if you get into trouble. If the wording of the Agreement is vague, then assume the worst and do not accept a transaction that comes over a forbidden channel. Request that the customer transact via the online system, and delete the email immediately.
A secondary thought is that a customer who does not transact via the customary channels (in your case, the online store) is immediately suspect.
~Wendy
Edited by WoodsWalker, 07 November 2008, 20:54.
#3
Posted 07 November 2008, 21:07
Well, I wouldn't know the wording unfortunately, but supposedly I was told there was a loophole where if we deleted the email, pretended it never happened, and then asked for the customer's credit card over the phone, we'd be cleared of liability. Supposedly this person was talking to some representative of some card company, but I was never given specifics.
I personally believe the practice is extremely dangerous, but I need to have indisputable facts to win the argument. Otherwise I'll lose out to the argument of "every potential sale we lose is bad no matter what" coupled with "small businesses can't afford to be discriminating like big businesses can."
Edited by Fallout2man, 07 November 2008, 21:13.
#4
Posted 07 November 2008, 23:21
I'm with you! The "loophole" you mentioned, deleting the email and taking the card# over the phone, occurred to me, too, but I dismissed it.
No business, big or small, can afford the risk of having their banking services cancelled, or of increasing the odds of fraudulent transactions.
~Wendy