osCommerce

The e-commerce.

HappyPappy

Pioneers
  • Posts

    46
Everything posted by HappyPappy

  1. Hi Mr Phil, I am no authority on it, but I have used it for five years now and I've set up many of my own clients with e-Path. I think it is a brilliant system. Anyway, I'll have a stab at answering you. Think of you using a fax machine to receive orders with credit card details on the order form. Same thing with e-Path except e-Path is on the net connected to your oscommerce cart and a fax machine is not PCI compliant but e-Path is. Every gateway merchant gets their own gateway system located on e-Path's PCI compliant server (hence no need for PCI compliance on my website). My customers give a payment authorisation on my gateway page. e-Path don't capture the CVV by default but if your merchant facility provider requires the CVV to be entered and approves a MOTO merchant having the CVV in their possession momentarily so they can enter it when they enter the card details to charge the card, then e-Path will capture the CVV. But you must provide written proof directly from your bank that they have approved this for e-Path to do it. PCI regulations on CVV are very tough, the CVV must not exist in any way after payment authorisation has been processed on a card. You can't store it, keep it, record it or do anything with CVV once the payment authorisation has been completed. But pre authorisation it is OK to store it (but must be very secure of course). All real time online credit card payment processing gateways offering a "pre-authorisation" option will store the CVV until the merchant decides to go ahead with the transaction. PCI allows them to do this because it is before the card is charged. I have a MOTO system (virtual terminal) from my bank that does not require the CVV. Most of my own clients have the same with the exception of two who have MOTO approved EFTPOS terminals and three have the new MOTO approved Smartphone merchant facility app.
If your merchant facility is approved for card-not-present transactions (MOTO) then it will (should) process the charge without needing the CVV. CVV does NOT guarantee anything. If a crim gets a credit card they can simply flip it over and quote the CVV anyway. Useless security measure in my opinion. No. Credit card details are not sent or emailed to me. This would be an insane risk. Once someone has paid I get an email alerting me. I log in to my e-Path admin area and print out the cc details. Their admin area only works with SSL. Try to go to it via http and you get nothing. When I close my admin area all the cc details are erased from the e-Path server. They don't permanently store any of that data. So, I end up with a hard copy of the customers credit card details in exactly the same way as I would if I received a faxed order with cc details, or if I wrote down the cc details from a phone order, received a postal mail order with cc details or if someone handed me their card. When my bank supplied me with my MOTO virtual terminal merchant facility they gave me a booklet on what I had to do to ensure cc details are safe and secure when in my possession in accordance with PCI regulations, which includes shredding them once I have charged the card. It is all about being PCI compliant offline too. Yes, PCI sure does apply both online and offline. You can't escape it but in all honesty it is not hard to be compliant. My e-Path gateway is already compliant (so I don't have any worry there) and I'm doing exactly what my bank has told me to be compliant when receiving MOTO payments. The risk is actually far reduced because I have prevented the credit card details from being anonymously processed online without me knowing. I have removed the credit card details from the internet as well and they don't even exist after I have processed the charge.
Prior to using e-Path I was falling victim to fraud about three to five times per month and I really HATED it that everything was being done on the internet and costing me a fortune. Since switching to e-Path I can see the fraud attempts clearly and I simply delete them. I have been fraud free for five years. I can not tell you how darn good that is. I have had my merchant facility rates reduced twice now. I started on about 2% (I think from memory) but I'm down now to 1.1%. This is because I am NOT exposed to any risks of credit cards being transacted online. I am in control of what I charge and I have not recorded a single fraud on my account for five years. It costs me $275.00 per year for e-Path. But then I can accept any number of credit card payment authorisations free. I can accept 50 in a year or 5,000 in a year and there is no cost to any of them. There are no transaction fees or charges because e-Path is not processing anything. I guess one way to look at it is if you buy a fax machine, there is a cost, but then you can receive any number of orders with credit card payments through your fax machine totally free. You pay for your phone but when someone pays you by credit card over the phone there is no cost to that. You then charge the credit cards in to your merchant facility, either your EFTPOS terminal or virtual terminal which I am paying for anyway. I don't want to sound like I'm promoting them, but the truth is it is a very secure and low cost way to do things as long as you don't mind manually entering cards to charge them. I still do very roughly about 20 to 30 transactions per week, not a lot so it doesn't worry me but I would not recommend e-Path if you are doing big numbers of transactions. It would just be too much. I have found they have a demo oscommerce cart you can have a play with to see how it works: http://thefruitboxshop.com then go to the demo carts page. On the negative side they are very tough on applications.
You have to prove you have a merchant facility approved by the merchant facility provider for MOTO (card not present) transactions and you have to commit to shred all details once you charge the card. I guess this is not too bad considering my bank tells me exactly the same thing. I don't know if this has answered your questions, but that's how it works for me anyway. Cheers
  2. Hi Chris, No, that's not right. One of the advantages of e-Path is your site doesn't need to be PCI DSS compliant because it does not transmit, store or process credit card data. Your site doesn't even touch credit card data. No need for PCI DSS compliance on your website. So that's a hassle you don't have to worry about. But yeh, you will be handling credit card data so you need to handle it in a PCI compliant manner, exactly the same as you do when receiving credit card details from a faxed order with payment, someone quoting you their credit card details over the phone on a phone order or via mail postal order or even if someone was to hand you their credit card in a face to face sale. Thanks
  3. Hi all, For those who are using e-Path (http://e-path.com.au) to accept credit cards online and process offline, there is a new oscommerce payment module available now. The new module includes a currency code parameter (called "cur") which allows you to enter the country code of the currency your merchant facility will be charging credit cards in. It is being distributed free by e-Path so contact them with your gateway ID and they will send it to you. Install is pretty easy. You uninstall the old one through your Admin then upload the two new modules (they overwrite the old ones) then install via Admin. Happy sales everyone.
  4. Yes, you can take credit card details and process them offline from your oscommerce shop. Check out e-Path (http://e-path.com.au). They are a global manual gateway. There's a bit of a micro trend going on with a lot of small businesses going offline to process charges mainly because of security, but it's also heaps cheaper. I believe you can only do this when you use a proper PCI compliant manual payment gateway though. Fraud is getting pretty insane now and real time online payment processors will promote all the great security they offer but in truth it is worth zip. If it fails and you fall victim to fraud watch them tell you they ain't going to compensate you and that's it your "bad luck". What rubbish is this. PayPal is pretty good cause they have some protection systems that will compensate you, but they are expensive. Getting credit cards off the internet and charging offline I reckon is a good thing. You are in control. You get to decide what gets charged in to your merchant account because it is you who is doing it, not some anonymous scum the other side of the world while you are asleep. The other thing is people are starting to want their credit cards and ID details stopped from being permanently stored online now. Way too many details are being stolen from the internet now and people have a right to say NO. Manually charging offline gets all these credit cards off the internet. But there's good and bad with everything. I've just covered the positives but yeh you can for sure take credit cards online and transact them offline, really neat if you already have a terminal. Good luck
  5. You can't do this anymore without being fully PCI compliant certified. Your cart will need to be on a dedicated server which has its own dedicated hardware firewall if you are wanting to temporarily or permanently store cc data. This is why OSC gives the warning "Not for commercial use" etc on their manual module. There are a host of other requirements such as network security, security policies management etc but I won't get into any of that now. I know it all sounds painfully over the top and pretty ridiculous but I'm only telling you how it is. At the end of the day it's your choice. But all it takes is one card holder questioning things with the appropriate authority and you could be in serious hot water if you are using the manual module and are not fully PCI compliant certified to do so. You really can't mess with cc data any longer. Things have changed and while I personally don't think they have changed for the better the fact is that's the way it is now. If you are a developer who creates an OSC site for your website customer that uses the manual module and you've blatantly ignored the need for PCI compliance certification then in my opinion you deserve to be hit bloody hard. That would be pure negligence on your part. As well as possibly having to face a fine and/or a penalty or having your ability to process Visa and Mastercard transactions withdrawn, your own site customer could sue the hell out of you. I'd advise you (and everyone else) to play safe and simply use a proper PCI compliant manual payment gateway. Easy, safe and cheap, you don't have a worry in the world and you can charge cards offline manually like what you are wanting to do. Or use PayPal or use a real time payment processing gateway. It is just not worth the risk anymore. That's my 2c worth anyway.
  6. Absolutely correct Nick. If people have a merchant account they use to charge credit cards received by card not present means, i.e., from a proper PCI compliant manual payment gateway, a fax machine, physical mail order or over the telephone where they charge the card after they have had time to verify things themselves, then they only need to ensure their merchant account is enabled for this. Like I said before, some term this as MOTO (mail order telephone order) enabling your merchant account. Once this is done the merchant account (terminal or online virtual terminal) will not (it's not allowed to) require the CVV to be entered to charge the card, although it may still ask for it for those times as Nick has mentioned above. You will then not have to worry about anything to do with CVV because it is not part of the official scheme when you manually (MOTO) process credit cards. And you will be complying with PCI (assuming your oscommerce site doesn't touch or see the cc data and you destroy the card data once you charge the card of course). Here's to staying safe everyone ... :thumbsup: Cheers
  7. The official line from PCI is you do not need to do anything to protect the CVV in a temporary or permanent stored situation. In fact, in PCI DSS v 2.0 they mention protection for PIN and CVV as "N/A". And why is this so you may ask ... Because you will NEVER have the CVV or PIN in the first place, therefore, protecting something you don't have in your possession is "N/A". The CVV must NEVER NEVER NEVER be stored either temporarily or permanently, either encrypted or not, either broken up (truncated) or complete. In short, you can NOT capture the CVV in any way, shape or form under any circumstances. Period. People are getting mixed up with the "live" online processing of credit cards i.e., the direct live communication between gateway and the merchant account for processing of credit cards instantly on the internet - this DOES REQUIRE the CVV to be entered. But we are not talking about live online credit card processing. We are talking about capturing credit card details to enable the business owner to then charge the card via another means, perhaps offline or into their existing merchant account facility or into a terminal. It is important to understand the difference in order for you to follow what I am saying here. And there is a HUGE difference, one system transacts live online totally without you knowing, the other you control the charging and it's cheaper. If you have a merchant account that "requires" the CVV to be entered and won't let you charge the card without it, then it is not a merchant account approved to charge card not present credit card payments received. You not only risk the wrath of acting illegally under PCI but if your merchant account provider finds out then I would not like to be you.
Now, if your merchant account is approved to allow you to charge through it credit card payments received by card not present means - some term this as MOTO enabling your merchant account - (mail order telephone order), then it can not possibly require the CVV to be entered. It may still ask for it but leave it blank and it will process the charge without it. But let's say you have a MOTO enabled merchant account or a terminal, one that allows you to charge card not present payments received, and it still requires you to enter in the CVV, it won't let you charge the card without the CVV. Well, dump that merchant account provider because they are about to be taken out of business by the card vendors themselves. Let me explain. For starters that would mean they are forcing you to act illegally under PCI. In other words, they are forcing you to somehow capture the CVV for you to have it in your possession in some way to have it to enter into your merchant account to charge the card. But this is 100% ILLEGAL under PCI - if you do that you are setting yourself up for fines and you could lose your right to process Visa, Mastercard and American Express Cards for good. If this is you then I suggest ringing your merchant account provider up and ask them directly .. "How do you suggest I capture and temporarily store the CVV so I will have it to enter into your merchant account facility when I charge the card?" They will not be able to answer that because their advice to you would have to be for you to act illegally. And if they did this and Visa or any of the other card vendors found out about it, they would be finished, big time. If you are a developer and are setting something up for your client to manually capture the CVV, if and when they get caught they could simply put their hands in the air and say "it's not our fault, our developer did this" so make sure you've got a huge amount of money in the bank to pay the fine!!!
My three osc's do things manually, I like being in total control of what I accept online and I process offline into my MOTO approved terminal. I use a proper manual payment gateway to handle credit cards online. I'm not going to mention them because I don't want to be seen as promoting them as I've mentioned them in almost all of my posts so far (I don't want to get into trouble with moderators). My advice is simple, just make sure you do things the right way and make sure your merchant account provider is also doing things the right way. It's not that hard. Cheers
  8. No Chris, I believe you can be in any country and still use it. I found the following in their "About e-Path" page ... Cheers
  9. Just get http://e-path.com.au. You will be instantly PCI compliant online and you can then process credit cards manually in your office. Hope this suggestion helps.
  10. Hi wkdwich, You say no lectures about PCI compliance but what you are talking about is totally NOT PCI compliant. For starters, use all the mods you like but NONE of them will make you PCI compliant. The only thing that makes you PCI compliant is PCI compliance certification itself. Your client's site looks to be capturing CC data, therefore have you got the site on its own dedicated server? What type of dedicated hardware firewall appliance do you have for it? Have you established a secure and dedicated network? Have you had the site, its server, the network you are on audited by a third party external QSA? This is the ONLY way your client's site can be deemed to be PCI compliant. The CVV part of your question also confirms 100% you are NOT PCI compliant. It is an absolute priority stipulation that the CVV number must NEVER be stored, either temporarily or permanently. It can never be recorded in any shape or form, truncated, encrypted or not. PCI views CVV the same as PIN. I don't want to be rude but it angers me when people claim they know PCI. What you are doing is putting your client at MAXIMUM risk. And if caught the liability could very well rest with you .... time to buy some lotto tickets so you can afford the fine if you intend to stay with how you are doing things!! Don't get me wrong, I hate PCI and what it's forcing us all to do. But you need to study up on it and even consult a PCI security specialist because what you are saying spells a massive fine because it's about as illegal under PCI as it can get. If your client wants to do things manually and not have any PCI issues, why not look at a PCI compliant manual payment gateway like http://e-path.com.au. Easy. Thank you H.P.
  11. Chris is correct. If your site so much as touches credit card data then it needs to be PCI DSS compliant. It doesn't matter if the card numbers are truncated (broken up), it doesn't matter what type of encryption you have, it doesn't matter what SSL you have, it doesn't matter even if the card details are being sent off to a gateway for processing. Only PCI Compliance certification makes you PCI compliant. And trust me you don't want to risk it. However, the solution for your particular issue is a lot easier than you think. Take a look at http://e-path.com.au. e-Path is a PCI DSS compliant manual payment gateway - I think ideal for what you are wanting to stay doing. I like the manual method myself. It's cheap, I stay in control over things, I can use my existing merchant terminal to charge cards and as far as what I do online goes I'm now PCI compliant. Cheers HP
  12. But that's exactly the same with any other bank. If you are with Westpac, NAB, ANZ, St George or any other merchant account provider, and they tell you the transaction you did six weeks ago through their system turned out to be fraudulent, the money is taken back out of your account and you are charged a charge back fee. It is the same for all banks. Funnily enough this is one of the reasons why I changed from live online credit card payment processing system and went manual, I get to check things first and I am in control over what is charged into my merchant account. The result is I haven't processed a fraud payment since going manual. 100% fraud free so I don't even know what amount the Commonwealth charges as a charge back fee cause I've never had to pay it :D HP
  13. Hi comstech, I'll have a crack at this for you .. There's a great deal of competition in the market place for merchant account facilities. And bank loyalty means very little in the final equation. The decision to approve a merchant account application and its fee/% cost structure to you, which is determined on a case by case basis, has little to do with how long you've been with your bank. But it has everything to do with how long you've been in business and what type of industry you are in (amongst other things) because the bank needs to calculate risk. All merchant account applications I know of ask you for the BSB and account number of the account where you want funds deposited. This can easily be to an account you have with another bank. I have a manual merchant account with the Commonwealth Bank and get funds settled into my bank account with Westpac, no probs. Although I will be shifting everything to the Commonwealth soon as Westpac are way behind the Commonwealth in so many areas, especially understanding PCI compliance and security in general IMO. So to answer your question directly I would suggest you shop around, get quotes etc. It also depends on whether you want to go real time payment gateway or manual payment gateway as those services need different types of merchant accounts - big difference in cost there too. You need a payment gateway to act as the sender of data from your site through to the bank, assuming you are talking about a "real time" system that transacts online live. Most banks have their own real time payment gateway systems that obviously connect to their own merchant account services but you can get third party ones too. Yes. As far as I know e-Path offer a free courtesy professional integration into oscommerce. I am using e-Path and the inexpensive eVolve Single manual merchant account from the Commonwealth bank even though I've been with Westpac for a little over 20 years and have all my accounts with Westpac.
This will depend on which way you want to go, real time or manual. Some like real time because it is automated and if you are doing big numbers of transaction daily there's really no better way, but you don't have any control and geez it's an expensive system. If your oscommerce cart transmits the credit card data to your real time gateway then you will also need to go through the process of obtaining official PCI compliance certification for your site, its IP, the dedicated server it's on and the network it's connected to. Whatever you do don't try and operate any type of ecommerce venture online and accept credit cards without PCI compliance, trust me on this, just don't. I've gone the manual way, overall it is much cheaper, gives me total control over what I enter into my manual merchant account, is more secure and you can also use your bank's manual merchant account to charge credit cards that also come to you over the phone and or fax. e-Path are also PCI compliant so I am accepting credit cards online in compliance to PCI - without having to lift a finger or pay anything extra. Sorry, can't help you with that one. Not sure if any of this info helps but I hope it does. HP
  14. HappyPappy

    eWay -

    Hi maclean, I sure will. eway is exactly where I will be going once I start to do high numbers of transactions per day. For the moment e-Path works well as I'm only getting a max of a few payments per day so it's an easy and cheap system and I get to control things. I like your Beagle thing, actually, this sounds excellent. Count me in as a customer of yours in the future for sure. And again my apologies for advancing a further comment on the post started by Securetronics. HP
  15. HappyPappy

    eWay -

    My apologies if I seem to have stepped in on a question about eway. When I saw this ... I wanted to mention this is not correct. and... I wanted to further mention there are many cheap manual merchant account services obtained directly from banks in Australia that allow you to do this. I use e-Path to accept payments online not just because it's a lot cheaper but because I am not playing "Russian roulette" on the open internet where any anonymous character can enter any credit card and it will be attempted to be charged online into my merchant account without me knowing. I agree with what has been said, automation is great for some but for small businesses the risk is insane because you have no control. I like the idea of having full control over what goes into my merchant account and what doesn't. I haven't yet found an online real time credit card payment processing company that takes responsibility for its decision whether to charge a credit card where if it gets it wrong and it turns out to be a fraudulent payment they will reimburse for the cost of the loss and the charge back fees. Until there is I personally think the manual payment gateway method is the way to go. Only my opinion.
  16. HappyPappy

    eWay -

    Hi Securetronics, I don't know if I am reading you right but if you want to charge credit cards received by phone why not just get a cheap manual merchant account from a bank, like Commonwealth Bank's Evolve Single merchant account. It will cost you all of $29.00 per year (that's right - PER YEAR!!), plus the usual transaction % fees of course. It is a very cheap merchant account and you can charge into it credit cards received by phone, fax and even out in the field if you have a laptop. I have one. I just log in and enter the card details and it's done. Very easy and cheap. Then for my oscommerce carts I've got e-Path to accept credit card payments online. e-Path is cheap too and you will be PCI compliant online. Just charge the cards into your manual merchant account like you do for phone and fax payments. e-Path do the pro integration into oscommerce for you free. This is the system I have and I get more paying me over the phone than I do the internet. It works really well for me. Hope this helps HP
  17. Hi, Looks like your client is using osCommerce default cc capture system. Have you or your client looked at e-Path (manual payment gateway)? I don't want this to sound like a plug but I've moved to e-Path from PayPal because I wanted to enter credit cards into my merchant account myself. Stuff that real time rubbish - way too many charge backs and fake transaction problems and the cost was insane. Before PayPal I had a real time gateway set up which was even worse. Anyway, the e-Path system is very cheap and integrates perfectly with osCommerce and your client off-loads liability in handling credit cards on their site. This is something that was always a concern for me wanting to do things manually, until I found e-Path. You can't mess with the new PCI DSS rules. I pay all of $28.00 per year for a basic manual merchant account at my bank so for me this combined with e-Path is an unbelievably cheap way to accept credit cards online properly. Only a suggestion. Cheers HP
  18. Hi everyone, Just a quickie for those who use the e-Path payment gateway. They have just launched a new v4 of their manual gateway and from what I can see it's a totally re-vamped front end and the encryption process seems a little quicker now. If you already have their gateway, this new one is worth upgrading to, if not just for the PCI DSS statements alone which helps boost customer confidence heaps. New replacement payment modules are now being provided directly by e-Path but because each account has its own unique gateway URL you need to quote your e-Path ID number to get one made up for you. No cost for replacement modules and no cost to upgrade to their new system which is a relief. What's interesting is you can also book a free pro install of the new payment modules into your osCommerce (they offered this to me). Cheers HP
  19. Hi there, I'm trying to create a simple module that takes people to a remotely hosted payment page as the final process after OSCommerce has collected all details of the order. The payment page people are e-path (http://e-path.com.au). It's a manual gateway so there is no processing. It's a simple case of going to the payment page and back to OSCommerce after they have entered their credit card details. I have been playing with the Link Point Module with no luck. OSCommerce only needs to send the payment page the following info:
      • return URL - so it comes back to OSCommerce
      • description - what the person is buying
      • amount - the amount
      • order number - the unique OSCommerce order number
      I've been at it now for a couple of weeks and my head is seriously hurting. So if anyone could shed a tiny bit of light onto what I should be doing, that would be very much appreciated. Maybe the Link Point module is the wrong one to try to modify? Any help would be very gratefully appreciated. Thank you everyone.