HappyPappy

Members
  • Content count

    46
Profile Information

  • Real Name
    Peter

  1. Hi Mr Phil, I am no authority on it, but I have used it for five years now and I've set up many of my own clients with e-Path. I think it is a brilliant system. Anyway, I'll have a stab at answering you. Think of you using a fax machine to receive orders with credit card details on the order form. Same thing with e-Path except e-Path is on the net connected to your oscommerce cart and a fax machine is not PCI compliant but e-Path is. Every gateway merchant gets their own gateway system located on e-Path's PCI compliant server (hence no need for PCI compliance on my website). My customers give a payment authorisation on my gateway page. e-Path don't capture the CVV by default but if your merchant facility provider requires the CVV to be entered and approves a MOTO merchant having the CVV in their possession momentarily so they can enter it when they enter the card details to charge the card, then e-Path will capture the CVV. But you must provide written proof directly from your bank that they have approved this for e-Path to do it. PCI regulations on CVV are very tough, the CVV must not exist in any way after payment authorisation has been processed on a card. You can't store it, keep it, record it or do anything with CVV once the payment authorisation has been completed. But pre authorisation it is OK to store it (but must be very secure of course). All real time online credit card payment processing gateways offering a "pre-authorisation" option will store the CVV until the merchant decides to go ahead with the transaction. PCI allows them to do this because it is before the card is charged. I have a MOTO system (virtual terminal) from my bank that does not require the CVV. Most of my own clients have the same with the exception of two who have MOTO approved EFTPOS terminals and three have the new MOTO approved Smartphone merchant facility app.
If your merchant facility is approved for card-not-present transactions (MOTO) then it will (should) process the charge without needing the CVV. CVV does NOT guarantee anything. If a crim gets a credit card they can simply flip it over and quote the CVV anyway. Useless security measure in my opinion. No. Credit card details are not sent or emailed to me. This would be an insane risk. Once someone has paid I get an email alerting me. I log in to my e-Path admin area and print out the cc details. Their admin area only works with SSL. Try to go to it via http and you get nothing. When I close my admin area all the cc details are erased from the e-Path server. They don't permanently store any of that data. So, I end up with a hard copy of the customers credit card details in exactly the same way as I would if I received a faxed order with cc details, or if I wrote down the cc details from a phone order, received a postal mail order with cc details or if someone handed me their card. When my bank supplied me with my MOTO virtual terminal merchant facility they gave me a booklet on what I had to do to ensure cc details are safe and secure when in my possession in accordance with PCI regulations, which includes shredding them once I have charged the card. It is all about being PCI compliant offline too. Yes, PCI sure does apply both online and offline. You can't escape it but in all honesty it is not hard to be compliant. My e-Path gateway is already compliant (so I don't have any worry there) and I'm doing exactly what my bank has told me to be compliant when receiving MOTO payments. The risk is actually far reduced because I have prevented the credit card details from being anonymously processed online without me knowing. I have removed the credit card details from the internet as well and they don't even exist after I have processed the charge.
Prior to using e-Path I was falling victim to fraud about three to five times per month and I really HATED it that everything was being done on the internet and costing me a fortune. Since switching to e-Path I can see the fraud attempts clearly and I simply delete them. I have been fraud free for five years. I can not tell you how darn good that is. I have had my merchant facility rates reduced twice now. I started on about 2% (I think from memory) but I'm down now to 1.1%. This is because I am NOT exposed to any risks of credit cards being transacted online. I am in control of what I charge and I have not recorded a single fraud on my account for five years. It costs me $275.00 per year for e-Path. But then I can accept any number of credit card payment authorisations free. I can accept 50 in a year or 5,000 in a year and there is no cost to any of them. There are no transaction fees or charges because e-Path is not processing anything. I guess one way to look at it is if you buy a fax machine, there is a cost, but then you can receive any number of orders with credit card payments through your fax machine totally free. You pay for your phone but when someone pays you by credit card over the phone there is no cost to that. You then charge the credit cards in to your merchant facility, either your EFTPOS terminal or virtual terminal which I am paying for anyway. I don't want to sound like I'm promoting them, but the truth is it is a very secure and low cost way to do things as long as you don't mind manually entering cards to charge them. I still do very roughly about 20 to 30 transactions per week, not a lot so it doesn't worry me but I would not recommend e-Path if you are doing big numbers of transactions. It would just be too much. I have found they have a demo oscommerce cart you can have a play with to see how it works: http://thefruitboxshop.com then go to the demo carts page. On the negative side they are very tough on applications.
You have to prove you have a merchant facility approved by the merchant facility provider for MOTO (card not present) transactions and you have to commit to shred all details once you charge the card. I guess this is not too bad considering my bank tells me exactly the same thing. I don't know if this has answered your questions, but that's how it works for me anyway. Cheers
  2. Hi Chris, No, that's not right. One of the advantages of e-Path is your site doesn't need to be PCI DSS compliant because it does not transmit, store or process credit card data. Your site doesn't even touch credit card data. No need for PCI DSS compliance on your website. So that's a hassle you don't have to worry about. But yeh, you will be handling credit card data so you need to handle it in a PCI compliant manner, exactly the same as you do when receiving credit card details from a faxed order with payment, someone quoting you their credit card details over the phone on a phone order or via mail postal order or even if someone was to hand you their credit card in a face to face sale. Thanks
  3. Hi all, For those who are using e-Path (http://e-path.com.au) to accept credit cards online and process offline, there is a new oscommerce payment module available now. The new module includes a currency code parameter (called "cur") which allows you to enter the country code of the currency your merchant facility will be charging credit cards in. It is being distributed free by e-Path so contact them with your gateway ID and they will send it to you. Install is pretty easy. You uninstall the old one through your Admin then upload the two new modules (they overwrite the old ones) then install via Admin. Happy sales everyone.
  4. HappyPappy

    Offline card processing - Encrypted Credit Card with CVV2

    Yes, you can take credit card details and process them offline from your oscommerce shop. Check out e-Path (http://e-path.com.au). They are a global manual gateway. There's a bit of a micro trend going on with a lot of small businesses going offline to process charges mainly because of security, but it's also heaps cheaper. I believe you can only do this when you use a proper PCI compliant manual payment gateway though. Fraud is getting pretty insane now and real time online payment processors will promote all the great security they offer but in truth it is worth zip. If it fails and you fall victim to fraud watch them tell you they ain't going to compensate you and that's it your "bad luck". What rubbish is this. Pay Pal is pretty good cause they have some protection systems that will compensate you, but they are expensive. Getting credit cards off the internet and charging offline I reckon is a good thing. You are in control. You get to decide what gets charged in to your merchant account because it is you who is doing it, not some anonymous scum the other side of the world while you are asleep. The other thing is people are starting to want their credit cards and ID details stopped from being permanently stored online now. Way too many details are being stolen from the internet now and people have a right to say NO. Manually charging offline gets all these credit cards off the internet. But there's good and bad with everything. I've just covered the positives but yeh you can for sure take credit cards online and transact them offline, really neat if you already have a terminal. Good luck
  5. HappyPappy

    Credit Card Payment

    You can't do this anymore without being fully PCI compliant certified. Your cart will need to be on a dedicated server which has its own dedicated hardware firewall if you are wanting to temporarily or permanently store cc data. This is why OSC gives the warning "Not for commercial use" etc on their manual module. There are a host of other requirements such as network security, security policies management etc but I won't get into any of that now. I know it all sounds painfully over the top and pretty ridiculous but I'm only telling you how it is. At the end of the day it's your choice. But all it takes is one card holder questioning things with the appropriate authority and you could be in serious hot water if you are using the manual module and are not fully PCI compliant certified to do so. You really can't mess with cc data any longer. Things have changed and while I personally don't think they have changed for the better the fact is that's the way it is now. If you are a developer who creates an OSC site for your website customer that uses the manual module and you've blatantly ignored the need for PCI compliance certification then in my opinion you deserve to be hit bloody hard. That would be pure negligence on your part. As well as possibly having to face a fine and/or a penalty or having your ability to process Visa and Mastercard transactions withdrawn your own site customer could sue the hell out of you. I'd advise you (and everyone else) to play safe and simply use a proper PCI compliant manual payment gateway. Easy, safe and cheap, you don't have a worry in the world and you can charge cards offline manually like what you are wanting to do. Or use Pay Pal or use a real time payment processing gateway. It is just not worth the risk anymore. That's my 2c worth anyway.
  6. HappyPappy

    Credit Card with CVV2 Version v2.2RC2a

    Absolutely correct Nick. If people have a merchant account they use to charge credit cards received by card not present means, i.e., from a proper PCI compliant manual payment gateway, a fax machine, physical mail order or over the telephone where they charge the card after they have had time to verify things themselves, then they only need to ensure their merchant account is enabled for this. Like I said before, some term this as MOTO (mail order telephone order) enabling your merchant account. Once this is done the merchant account (terminal or online virtual terminal) will not (it's not allowed to) require the CVV to be entered to charge the card, although it may still ask for it for those times as Nick has mentioned above. You will then not have to worry about anything to do with CVV because it is not part of the official scheme when you manually (MOTO) process credit cards. And you will be complying with PCI (assuming your oscommerce site doesn't touch or see the cc data and you destroy the card data once you charge the card of course). Here's to staying safe everyone ... :thumbsup: Cheers
  7. HappyPappy

    Credit Card with CVV2 Version v2.2RC2a

    The official line from PCI is you do not need to do anything to protect the CVV in a temporary or permanent stored situation. In fact, in PCI DSS v 2.0 they mention protection for PIN and CVV as "N/A". And why is this so you may ask ... Because you will NEVER have the CVV or PIN in the first place, therefore, protecting something you don't have in your possession is "N/A". The CVV must NEVER NEVER NEVER be stored either temporarily or permanently, either encrypted or not, either broken up (truncated) or complete. In short, you can NOT capture the CVV in any way, shape or form under any circumstances. Period. People are getting mixed up with the "live" online processing of credit cards i.e., the direct live communication between gateway and the merchant account for processing of credit cards instantly on the internet - this DOES REQUIRE the CVV to be entered. But we are not talking about live online credit card processing. We are talking about capturing credit card details to enable the business owner to then charge the card via another means, perhaps offline or into their existing merchant account facility or into a terminal. It is important to understand the difference in order for you to follow what I am saying here. And there is a HUGE difference, one system transacts live online totally without you knowing, the other you control the charging and it's cheaper. If you have a merchant account that "requires" the CVV to be entered and won't let you charge the card without it, then it is not a merchant account approved to charge card not present credit card payments received. You not only risk the wrath of acting illegally under PCI but if your merchant account provider finds out then I would not like to be you.
Now, if your merchant account is approved to allow you to charge through it credit card payments received by card not present means - some term this as MOTO enabling your merchant account - (mail order telephone order), then it can not possibly require the CVV to be entered. It may still ask for it but leave it blank and it will process the charge without it. But let's say you have a MOTO enabled merchant account or a terminal, one that allows you to charge card not present payments received, and it still requires you to enter in the CVV, it won't let you charge the card without the CVV. Well, dump that merchant account provider because they are about to be taken out of business by the card vendors themselves. Let me explain. For starters that would mean they are forcing you to act illegally under PCI. In other words, they are forcing you to somehow capture the CVV for you to have it in your possession in some way to have it to enter into your merchant account to charge the card. But this is 100% ILLEGAL under PCI - if you do that you are setting yourself up for fines and you could lose your right to process Visa, Master Card and American Express Cards for good. If this is you then I suggest ringing your merchant account provider up and ask them directly .. "How do you suggest I capture and temporarily store the CVV so I will have it to enter into your merchant account facility when I charge the card?" They will not be able to answer that because their advice would have to be for you to act illegally. And if they did this and Visa or any of the other card vendors found out about it, they would be finished, big time. If you are a developer and are setting something up for your client to manually capture the CVV, if and when they get caught they could simply put their hands in the air and say "it's not our fault, our developer did this" so make sure you've got a huge amount of money in the bank to pay the fine!!!
My three osc's do things manually, I like being in total control of what I accept online and I process offline into my MOTO approved terminal. I use a proper manual payment gateway to handle credit cards online. I'm not going to mention them because I don't want to be seen as promoting them as I've mentioned them in almost all of my posts so far (I don't want to get into trouble with moderators). My advice is simple, just make sure you do things the right way and make sure your merchant account provider is also doing things the right way. It's not that hard. Cheers
  8. HappyPappy

    Offline Payments?

    Ok, understand. Here is my reply .... http://forums.oscommerce.com/topic/374988-credit-card-module/page__view__findpost__p__1596452 Cheers
  9. HappyPappy

    CVV?

    Point taken Chris, thank you. Here is my reply ... http://forums.oscommerce.com/topic/374988-credit-card-module/page__view__findpost__p__1596452 Cheers
  10. HappyPappy

    Credit Card Module

    Chris, you may not have the right take on e-Path. e-Path does not process credit card payments. It is not a credit card processor. Think receiving credit card details by fax machine or over the phone. e-Path actually provides the PCI compliant environment to accept cc data online for the business owner to then charge the card details into their merchant account offline - just like they would if receiving data via a fax machine or over the telephone and millions pay by credit card over the phone and to a lesser extent by fax machine every day all over the world. When using e-Path your oscommerce site doesn't touch credit card data therefore there is no PCI compliance to even worry about for your oscommerce site. You still need to handle cc data in accordance with PCI just as you would when receiving cc data over the phone, by fax or via postal mail (physical mail). And companies/persons that handle credit card data (stores, processes or transmits) must comply with PCI. PCI is not different from one country to the next, it is a global uniform standard. For example, PCI DSS (Payment Card Industry Data Security Standard) firmly stipulates the CVV must never be stored in any shape or form under any circumstances - this is a global regulation. Cheers
  11. HappyPappy

    Credit Card Payment

    No Chris, I believe you can be in any country and still use it. I found the following in their "About e-Path" page ... Cheers
  12. HappyPappy

    Offline Payments?

    Hi Chris, The credit card accepting convention is pretty well uniform around the world but different countries may enforce rules differently or view different aspects more seriously than others. If a business accepts a credit card payment over the phone, by fax or by mail order (physical mail) they are most certainly NOT breaking the law. But their merchant account service must be approved for them to accept and charge card not present payments received - I believe this is applicable in any country. Cheers
  13. HappyPappy

    Credit Card Module

    Hi again Chris, no, it's for anyone anywhere. I found the following, quoted from: http://e-path.com.au/about_e-path.html .... Cheers
  14. HappyPappy

    CVV?

    No, anybody can use e-Path. I found the following, quoted from: http://e-path.com.au/about_e-path.html .... Cheers
  15. HappyPappy

    Offline Payments?

    Hi Chris, You've hit the nail on the head regards PCI, however .... ... is not entirely correct. Check out http://e-path.com.au - new breed of PCI compliant manual payment gateway enables site owners to receive credit card payment charge authorisations online for them to process offline - just like phone, fax and via physical mail order. Cheers