HSBC Payment

**Blaze Falconburger** · 12 Feb 2008, 04:32 PM

I've had a quick search for HSBC payment modules, this payment method doesn't seem too popular. I've got the info coming from HSBC to use their card services for payment, would I be better just going for Protx?

**schoolboy** · 12 Feb 2008, 04:45 PM

From what I know about HSBC payment modules is that there aren't any 3rd party ones.

HSBC keeps this very close to its chest and I understand that when you've signed every dotted line with them for a merchant account, only then will they provide you with the code necessary to access their payment gateway.

**Blaze Falconburger** · 12 Feb 2008, 04:57 PM

But there's no reason why it shouldnt work with Zen?

It is very hard to get straight answers out of them as to how it works and pretty much all I can find when searching this forum are tales of woe!

Can you confirm if we are able to integrate the inputting of card details within our site without having to rediect customers off to the hsbc payment page?

**schoolboy** · 12 Feb 2008, 05:35 PM

All credit card clearance companies have strict rules about the methods webshop owners employ to verify credit card payments. This for obvious reasons of security.

Some webshop owners use EPOS (also known as EFTPOS) terminals - particularly if they have bricks-and-mortar shops where they sell their goods too, and what they do in this case is they make use of the OFF-LINE credit card systems.

Zencart has a built-in offline credit card payment module that simply captures the card details, splits it into dbase and email components (to avert having a full credit card number and its CVV transmitted over the internet) and then the data is sent to the shop owner.

The shop owner "BLENDS" the two pieces of info together (one from the dbase and the other from its matching email) then they run the payment through their EPOS terminal.

This is known as a CNP (Customer Not Present) transaction.

It requires that you have a merchant agreement with the relevant bank, and that they have issued you with an EPOS terminal.

BUT... as I say, they have strict rules about how these things are used.

Connor Kerr has written a Credit Card module that is a bit "safer" than the standard zencart one, but he is the first to advise that it is not entirely safe to use, and that by using it, users may be contravening their merchant agreements with their bank.

Some web hosts DO NOT permit offline CC modules to be used on shared servers.

Thankfully, there are alternatives. For safe ONLINE CC payments, you can easily set up systems such as Protx and PayPal. With huge numbers of people familiar with PayPal, I have found it to be an excellent way of taking card payments without the huge hassles normally associated with CC clearing by the big banks such as HSBC.

Furthermore, Zencart is now fully "verified" with PayPal and DrByte has devoted many long hours developing the PayPal module which works extremely well.

You will also be able to link your HSBC bank accounts to PayPal, so all in all, PayPal is a viable option.

**Blaze Falconburger** · 12 Feb 2008, 05:58 PM

We haven't gone for an EPOS terminal as we only need online payments, and I just refuse to use paypal regardless due to a previous shop and grief with Paypal. Because we don't need the terminal the fees we've been offered by HSBC's merchant services blow any competition into the water big time.

Though we're on a shared server I have a dedicated IP, SSL cert on it's way and also have root access to the win box it's on so config of the server isn't a problem. I just wanted to keep the customers on my site for the entire duration of the transaction, not have them redirected to HSBC/Other site for the CC details then passed back.

**CJPinder** · 12 Feb 2008, 06:13 PM

Originally Posted by Blaze Falconburger

I just wanted to keep the customers on my site for the entire duration of the transaction, not have them redirected to HSBC/Other site for the CC details then passed back.

If you want to take credit card details directly on your site then you should be PCI DSS compliant to honour your contract with the bank/payment handler/visa/mastercard etc. You should check with your host, bank and payment handler to see what they require for this. Some people ignore the requirement to be PCI DSS compliant but that is a risk that could mean incurring fines and loss of merchant account.

Regards,
Christian.

**Blaze Falconburger** · 12 Feb 2008, 06:26 PM

Thanks for the info, just looking up specs on PCI DSS, looks like it shouldn't be too hard to comply with - coming from a network/server seccy background. I'm meeting with the bank later this week so can discuss their requirements in detail then but was just trying to get information together beforehand, thanks for your help.

**flobster** · 15 Feb 2008, 10:05 PM

I'm currently setting up a site using Conor's mod, and using Protx as the payment processor with a HSBC merchant account.

As soon as the application is pass for the merchant account i will have a look at their API code as that is another possible options but i think i will go for Conor's mod as it seems proven, Protx is also a very good site for card processing.