Collect Credit Cards for Offline Processing (Australia)


bowie78


Hi,

I am very sorry if this is the wrong section but I need urgent help please.

We need to get rid of accepting credit cards through eway - costing me way too much and have lost out with a couple of transactions that turned out to be fraud. Now the bank says I need to be PCI compliant because our two oscommerce carts are accepting the credit card details and automatically transmitting them to eway for processing.

We want to start accepting credit cards so we can charge them through our merchant account virtual terminal (Commonwealth Bank Evolve Single) but the way to do this in oscommerce is "Not for production use" which I can now understand why (I have read up on PCI heaps).

Can someone please tell me how can we do this? Is there any mod or system that collects credit card details legally under PCI so we can then charge them offline?

Thank you to anyone who can help.


If your site processes or stores CC info you MUST be PCI Compliant ( <= it's a link, click it to read more).

No way around that.

And if you read your merchant account agreement closely you'll most likely find that harvesting CC info online for later manual processing is probably against the terms of the agreement.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


And if you read your merchant account agreement closely you'll most likely find that harvesting CC info online for later manual processing is probably against the terms of the agreement.

But contacting your merchant provider and having the proper amendments to your agreement is the way to proceed.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


Thanks germ,

Yeh, but it goes further, even if our carts automatically transmit credit card details to our gateway we MUST be PCI compliant.

Our merchant account virtual terminal is specially approved to allow me to charge card not present payments made to us so we are good to go but we need some legal way to accept the credit cards details online first that is PCI compliant. It doesn't look good.


The PCI requirement still remains if CC info is entered on the site.


Hello bowie78,

Yes you can do this. :D

Take a look at e-Path (http://e-path.com.au)

I use e-Path and I'm accepting credit cards online in compliance to PCI. BUT you will need to make sure you handle credit card details according to the PCI security rules of your merchant account provider - because they are the ones providing you the card not present processing system. For me this means destroying the credit card details once I have charged them which is the PCI required way when all card not present payments are received - by phone, fax and e-Path. Pretty cheap and easy really and the system works superb for me.

Hope this is a help to you.

Cheers

HP


 

That one looks excellent, thanks HP.

I have a couple of questions for you HP if that is OK. How do you get the credit card details to enter into your merchant account? And is there anything special I need to do to get my carts to work with e-Path (a module maybe?)

Thanks HP for any further info you can give me.


I have a couple of questions for you HP if that is OK. How do you get the credit card details to enter into your merchant account?

I print it out directly from my e-Path admin. Then it is the same as when I receive a faxed order with credit card details or if I jotted down the credit card details when receiving phone orders/payments - officially called "card-not-present" by my bank. When I close the admin all the credit card details are deleted from e-Path. You just need to make sure you shred or rip up the credit card details after you have charged them which I think is now a standard requirement when handling any type of card not present credit card payments. I filled out a PCI Self Assessment Questionnaire and lodged it with my bank. I think everyone handling credit cards in a "card not present" situation has to do this now, it's a PCI thing.

and is there anything special I need to do to get my carts to work with e-Path (a module maybe?)

Yes there is. e-Path created my payment modules for my oscommerce carts for me to install but they also offered me free pro integration which is what I got so this was done for me, nice B)

I hate the high cost of real time credit card payment processors and I have no control over what payments are processed, all this was unacceptable to me. The manual system where I can charge offline works really well for me 'cause it's super cheap, a lot more secure and I'm totally PCI compliant. Pretty cool :D

BUT - I would seriously warn you against handling credit card details manually without filling out a PCI Self Assessment Questionnaire and lodging it with your merchant account provider. It's great having e-Path do things online in compliance to PCI and it's great accepting credit cards over the phone and by fax but unless you handle things securely in compliance to PCI when you get the credit card details then you are taking way too much of a risk.

Hope this helps you.

HP


Thanks HP,

We have already done a SAQ because we receive a lot of credit card payments over the phone and some orders get faxed to us too. Our routine is to do just like you do, we rip up the credit card details after charging the card. This is how our bank wants us to do it to be PCI compliant. No big deal, easy to rip it up in a million pieces.

I will get e-Path now, cancel eway, cancel my internet merchant account and just charge credit cards manually into my other Evolve merchant account. This is going to save me huge money and I get to be PCI compliant online as well as in my office. This is awesome.

Hey, how valuable are these forums for ya, I was nearly not going to bother asking the question. Thanx again heaps HP.


Archived

This topic is now archived and is closed to further replies.
