16 replies to this topic

[MonkMan]

I know we've talked about this before, but this one is a bit different and interesting.

I have a client who wants to save the clients credit card number for offline processing (i know i know, we've heard this before), but this business is legit and want to do everything right.  the reason for offline processing is, they are using Quickbooks (Canadian version) and have no way of updating online inventory.  They currently have 4000+ items and it is almost impossible to manually update the inventory.  

Here is the Dilemma:

If they do not do inventory tracking and customer adds item to cart, processing company processes the order they will have to do a refund for out of stock items.
When processing company processes the charges, they charge 3% right away and will not refund the 3% when they do a refund.


So...they were thinking, maybe just save the credit card  number, download the orders and then charge for whatever in stock.  Any ideas?

[DunWeb]

There is no PCI DSS compliant way of processing the credit card information collected from an online source for manual application ESPECIALLY if the client is in Ontario.



Chris

[cannuck1964]

Quote

There is no PCI DSS compliant way of processing the credit card information collected from an online source for manual application ESPECIALLY if the client is in Ontario.

Not true.

The PCI standards only increase when you save credit card data.  What can not be saved (and may create issues is the CVV code).

To save the CC number, card holder name etc can be done in a safe manor, but this means a higher standard for the web site to adhere to, for example, the CC info must be encrypted, can not use a shared server, must limit who has access to the data etc.

The compliance survey will give better indication on what the standards needed are.

When saved, you would generally send an authorize request to the CC processor, and then at a later date capture the payment (maybe having to make total adjustments ).

cheers

Edited by cannuck1964, 30 September 2011 - 04:57 PM.

[DunWeb]

cannuck1964, on 30 September 2011 - 04:56 PM, said:

Not true.

The PCI standards only increase when you save credit card data.  What can not be saved (and may create issues is the CVV code).

To save the CC number, card holder name etc can be done in a safe manor, but this means a higher standard for the web site to adhere to, for example, the CC info must be encrypted, can not use a shared server, must limit who has access to the data etc.

The compliance survey will give better indication on what the standards needed are.

When saved, you would generally send an authorize request to the CC processor, and then at a later date capture the payment (maybe having to make total adjustments ).

cheers

ok,  let me rephrase my statement.

There is NO ECONOMICAL way to accept credit card information electronically for manual processing use.  Contact your merchant service provider and they will tell you what you really need to know.  I have spent hours and hours and hours working with a PCI DSS compliance firm in Ontario and in the end, the client decided not to pursue the matter because of the extreme costs involved.  (estimated 7500 -10000 dollars)




Chris

Edited by DunWeb, 30 September 2011 - 08:14 PM.

[MonkMan]

cannuck1964, on 30 September 2011 - 04:56 PM, said:

Not true.

The PCI standards only increase when you save credit card data.  What can not be saved (and may create issues is the CVV code).

To save the CC number, card holder name etc can be done in a safe manor, but this means a higher standard for the web site to adhere to, for example, the CC info must be encrypted, can not use a shared server, must limit who has access to the data etc.

The compliance survey will give better indication on what the standards needed are.

When saved, you would generally send an authorize request to the CC processor, and then at a later date capture the payment (maybe having to make total adjustments ).

cheers

I'm not sure if the thread is going off topic, but what are you suggesting?  I realized the PCI standards, so if i get a private hosting, i can save the data?

[DunWeb]

If you knowingly set up a credit card processing system for your client without PCI DSS compliance, YOU can be criminally charge and held liable for any damages your client and/ or their customers incur



Chris.

[toyicebear]

A private hosting/dedicated server is not enough in itself, there are a lot of other additional security hops to jump through. There are no short-cuts or "cheap" ways....it will cost a bundle.

If you are "hellbent" on saving the data for manual processing, then you can use a company like E-Path. www.e-path.com.au

[MrPhil]

Let's back up a bit and try to solve the client's original problem. We agree that they would be stupid to even try to save credit card info for later charging, after they've verified inventory. Besides, how many customers are going to happy about their taking credit card numbers but not immediately confirming the purchase?

So the base problem is that while they want to sell online, they don't want to maintain inventory online? Are they also selling at a bricks-and-mortar store, and feel they can't coordinate the inventory changes? If a customer puts the last widget into their physical shopping cart, the store can't afford to accidentally sell that item online? OK, how about marking the online inventory as actual inventory minus some fixed offset, to allow the in-store stock to be drawn down without risk of going below 0? If you have N widgets in inventory, and M are on display for customers, the online store says there are N-M in inventory. Ergo, no risk of overselling. When taking inventory out of the stock room to put on the shelves, mark down the online inventory before bringing it out. Another way of dealing with this would be to not accept orders online, but only use it as a catalog, and take orders via phone. Or, customers can request a product using a cart, but payment is made over the phone and the transaction completed when inventory is confirmed, and reserved for this customer.

There must be some way to get around whatever problem the customer thinks they have.

[magdalena]

We have the same problem. Here is some input to your questions.

So the base problem is that while they want to sell online, they don't want to maintain inventory online?

Yes.  Not a precise inventory.

Are they also selling at a bricks-and-mortar store, and feel they can't coordinate the inventory changes?

Yes.  The have a huge warehouse full of parts, carcasses and skins that make up a unit when refurbished.  They don't keep strict track of that inventory.

If a customer puts the last widget into their physical shopping cart, the store can't afford to accidentally sell that item online?

Yes

OK, how about marking the online inventory as actual inventory minus some fixed offset, to allow the in-store stock to be drawn down without risk of going below 0? If you have N widgets in inventory, and M are on display for customers, the online store says there are N-M in inventory. Ergo, no risk of overselling.

That's fine unless you have one which can happen pretty frequently.  It's a specialty business with hard to find items.  It may be a 1200.00 item that doesn't get sold because of this issue.

When taking inventory out of the stock room to put on the shelves, mark down the online inventory before bringing it out.

They will never do this.  There is no stock room as you are picturing it.

Another way of dealing with this would be to not accept orders online, but only use it as a catalog, and take orders via phone. Or, customers can request a product using a cart, but payment is made over the phone and the transaction completed when inventory is confirmed, and reserved for this customer.

Besides, how many customers are going to happy about their taking credit card numbers but not immediately confirming the purchase?

Nobody/customer ever complained or questioned it.  The business was previously on MIVA (Hostway) and the functionality is there.


They need to check what parts are available.  If they sell a printer they may have the guts, but only a grey skin (as opposed to beige one), so the customer needs to be contacted.  That is just one example.  Also, the DIMS are different depending on how they pack it, which carrier, and where it is going.

They set up to do catalog/phone orders and their sales dropped and the other customers complained.

They want to have access to the number.

If I am hijacking the thread, I apologize and will stay out of it.

I just saying.....[img]http://forums.oscommerce.com//public/style_emoticons/default/ph34r.png[/img]

[DunWeb]

Lillian,

Laws have changed.  PCI DSS compliance is quickly become REQUIRED as part of opening a business account with your bank or merchant processor.  With tougher fines and strict scrutiny by government agencies it would be fairly easy to foresee EVERY business that touches a credit card will require PCI DSS compliance.  So, either store owners use a qualified online payment processor  OR they pay to become PCI DSS compliance.

I have helped two clients become complaint over the past 1.5 years and it is very expensive and time consuming.  So, unless the business in question can justify the costs and yearly audits then that business should use an online processor and figure out another way to track inventory.

*** Hiring a full time inventory clerk is cheaper than becoming PCI DSS Compliant. ........lol

Chris

[MrPhil]

magdalena, on 05 October 2011 - 11:29 PM, said:

That's fine unless you have one which can happen pretty frequently.  It's a specialty business with hard to find items.  It may be a 1200.00 item that doesn't get sold because of this issue.

OK, I have an idea of what you/your client's situation is. Although that talk about having "parts, carcasses and skins" kind of threw me for a moment (I was eating dinner).

So this place is run on the junkyard model, and there's no inventory tracking, and sometimes there's quantity 1 of some product, that could be sold either online or in person. It sounds to me like you cannot sell online in such a business setup. As I said before,

Quote

Another way of dealing with this would be to not accept orders online, but only use it as a catalog, and take orders via phone. Or, customers can request a product using a cart, but payment is made over the phone and the transaction completed when inventory is confirmed, and reserved for this customer.

If there's no inventory system, I take it that product listings are for the most part just general categories, rather than specific products? Only high-ticket or high-volume items would get an actual "this is what you get" listing? Since you can't actually consummate the sale online, all in one session (unless you can grab the inventory while the customer waits), I think the best you can do is have an online customer select item(s) in their cart and ask for confirmation. You gather the inventory, put their name on it, and then try to consummate the sale within an agreed-upon time period (or the stuff goes back out in the warehouse). You confirm the product is available and reserved for them, and perhaps bill online. The idea is that "online" is just used as an order-gathering system, and inventory confirmation and payment is handled separately.

[multimixer]

MrPhil, on 04 October 2011 - 02:17 AM, said:

Let's back up a bit and try to solve the client's original problem. We agree that they would be stupid to even try to save credit card info for later charging, after they've verified inventory. Besides, how many customers are going to happy about their taking credit card numbers but not immediately confirming the purchase?

DunWeb, on 05 October 2011 - 11:38 PM, said:

*** Hiring a full time inventory clerk is cheaper than becoming PCI DSS Compliant. ........lol

I can only agree with both

What I would do is following

- Separate a physical store and a physical warehouse
- Count the inventory of the warehouse once (that's a good idea anyway) and add all quantities to the online store
- Register the physical store as a customer of the online store
- Each time somebody moves something from the warehouse to the physical store there must be an "order" at the online store

[magdalena]

DunWeb, on 05 October 2011 - 11:38 PM, said:

Lillian,

*** Hiring a full time inventory clerk is cheaper than becoming PCI DSS Compliant. ........lol

Chris

Sorry for the late responses, been consumed with school.

I hear you about compliance.

You're right about the clerk!  Unfortunately, that would be me!  [img]http://forums.oscommerce.com//public/style_emoticons/default/sick.gif[/img] Thanks.  [img]http://forums.oscommerce.com//public/style_emoticons/default/devil.gif[/img]

[magdalena]

Phil and George,
These are good ideas and I will pass them along.

Right now the site is still set to "phone orders" if you will.

Thanks!  [img]http://forums.oscommerce.com//public/style_emoticons/default/ph34r.png[/img]

[cannuck1964]

Quote

ok, let me rephrase my statement.

There is NO ECONOMICAL way to accept credit card information electronically for manual processing use. Contact your merchant service provider and they will tell you what you really need to know. I have spent hours and hours and hours working with a PCI DSS compliance firm in Ontario and in the end, the client decided not to pursue the matter because of the extreme costs involved. (estimated 7500 -10000 dollars)

Depends on what you consider economical, will there be costs, of course there are.  Try and set up a business without costs.
I too have spent hundreds of hours bringing clients into PCI conformity, there are many different aspects to it and each has it's own requirements.  The PCI survey will generally tell you what you need to do.

Quote

*** Hiring a full time inventory clerk is cheaper than becoming PCI DSS Compliant. ........lol

Well lets see, clerk at min wage of say $10/hr x 40 hrs = $400 x 52 = 20, 800

PCI all costs incurred say $10 K.

Quote

A private hosting/dedicated server is not enough in itself, there are a lot of other additional security hops to jump through. There are no short-cuts or "cheap" ways....it will cost a bundle.

True, but then there should not be for firms wanting to store this information.  If they can not afford to do so, then they should look at alternatives.

I am pretty sure there are methods to extract and use quickbooks as the inventory management (export / import features).  In terms of the online sales having issues with the inventory, generally inventory and sales can be tracked and averaged.

So that if on average the in store sells X items per day, and inventory takes X days to replenish, then you know how many you can safely sell on line.  So when inventory drops to a specific level, then it is either taken off of on line sales, or is listed with a disclaimer of late shipping.

In 99% of the transactions this will work just fine, and if you have a margin of error built in, then you will not have any major issues.

A CRON running daily (or more often) would ensure that inventory levels are always in sync.

cheers

[p2409]

I think your client has hit the wall.. I'd advise them the gig's up unless they either 1) invest the money in PCI, 2) build the inventory interface to quickbooks, or c) accept the 3% charge when there's no stock. Either way, there's a significant investment. But if they're providing a good service, and are trusted by customers it will be worth it (except for the bit where they tell the customer they'll have to refund the cash because there's no stock: seems pretty crappy).

I think they need to understand the 3% charge is their problem, not the customers and look at it as a cost of doing business their way ie.  don't know inventory status, yet willing to take money at sale time.

Edited by p2409, 13 October 2011 - 01:56 PM.

[porpoise1954]

MrPhil, on 04 October 2011 - 02:17 AM, said:

Let's back up a bit and try to solve the client's original problem. We agree that they would be stupid to even try to save credit card info for later charging, after they've verified inventory. Besides, how many customers are going to happy about their taking credit card numbers but not immediately confirming the purchase?

So the base problem is that while they want to sell online, they don't want to maintain inventory online? Are they also selling at a bricks-and-mortar store, and feel they can't coordinate the inventory changes? If a customer puts the last widget into their physical shopping cart, the store can't afford to accidentally sell that item online? OK, how about marking the online inventory as actual inventory minus some fixed offset, to allow the in-store stock to be drawn down without risk of going below 0? If you have N widgets in inventory, and M are on display for customers, the online store says there are N-M in inventory. Ergo, no risk of overselling. When taking inventory out of the stock room to put on the shelves, mark down the online inventory before bringing it out. Another way of dealing with this would be to not accept orders online, but only use it as a catalog, and take orders via phone. Or, customers can request a product using a cart, but payment is made over the phone and the transaction completed when inventory is confirmed, and reserved for this customer.

There must be some way to get around whatever problem the customer thinks they have.

There is. We use the shopping cart for in-store sales too, which then automatically updates the online stock inventory. If the OP (OP's client) is using an ePOS system, there should be a way of integrating it into the osC system.