No Native Offline Credit Card Processing?

[buick66]

Dear Forum,

After searching in vain in the ZC v1.5.4 Administrative interface & etc for the option to simply have the customer's info mailed to the office for manual processing prior to shipment, I am somewhat at a loss for determining how this might be done without a great deal of fanfare, ie; Work.

It seems very strange that this option appears to be unavailable, and that the info must needs be subject to an actual gateway, maybe I simply overlooked it?

Any insight from the esteemed panel of ZC wizards would be much appreciated as I am also foolishly under a pressing deadline, albeit from a kind and understanding Client-

Please Advise, Very Truly-

-A-

[dbltoe]

In the Great State of Texas (and the other 49 as well) it is against PCI standards to do so. If you are not concerned with the security of the customer's data or violating the PCI standards/TOS of your merchant account, there's https://www.zen-cart.com/downloads.php?do=file&id=893.
Even the author would suggest other ways to do this. PayPal Express being one of them.
Be sure to read ALL the information under Description.
The decision is yours. IF you go with this, make sure you at least get a quality SSL to prevent the scriptkiddies from gathering your customers' data.

[RodG]

In the Great State of Texas (and the other 49 as well) it is against PCI standards to do so.

WOW. That's news to me. I have always been under the impression that the PCI standards and requirements were international. Now you are telling me that Texas in particular, and the other 49 States actually have their *own* rules and requirements.

Please provide the source of your information.

It is also NOT against the PCI rules for an eCommerce store to be able to process Credit Cards directly. This would be totally illogical. The rules/standards specify the conditions where this is both allowed and disallowed.

Making a blanket statement such as you have done is both incorrect and misleading.

If you are not concerned with the security of the customer's data or violating the PCI standards/TOS of your merchant account, there's https://www.zen-cart.com/downloads.php?do=file&id=893.

This module, in itself, doesn't pose any security risk to the customers data. It doesn't violate any of the PCI requirements either.

It *does* need to be used in *conjunction* with PCI standards and requirements though.

Even the author would suggest other ways to do this. PayPal Express being one of them.

What the Author *actually* said/wrote was

It is reliable, capable and extremely easy to use, but is a very basic way to do business over the internet and is therefore recommended for use by tiny stores only. Anyone serious about selling on the internet should use a payment gateway, such as that supported by our very own Sage Pay modules.
[/QUOTE]

Although I've no numbers or reference to back up what I'm about to say, I have been 'informed' many times over the years that the 'big stores' (AKA, Serious sellers) don't use ZenCart anyway - Ergo, I'll assume that most of us using ZenCart, although we are 'serious', are typically just small/tiny stores. Therefore, rather than suggesting 'other ways', he is in fact stating that this module is a good recommendation, not a bad one.

It is a bad recommendation for the larger stores where it will be a pain to have to manually process the CC payments for each order. This is no hardship for those of us with only half dozen (or less) sales per day.

Be sure to read ALL the information under Description.

Yes, but what is read needs to be taken in *context*. Someone here has taken this recommendation out of context. ;-)

The decision is yours.

...And if you are a 'small' trader with your own merchant account (as I suspect the OP is) then using this module and this method is probably going to be one of the better decisions.
The fees charged by 3rd party processors, such as PayPal, Sage Pay, and others can often be several times the fee that would be charged by your own merchant facility. It's hard enough trying to make a profit from a small store as it is, it is even harder if you have to pass more of those profits into a 3rd party especially when there is nothing to be gained.

IF you go with this, make sure you at least get a quality SSL

WTF is a 'quality SSL'? How does this differ from a bad quality one?

to prevent the scriptkiddies from gathering your customers' data.

What utter nonsense.
I can appreciate what you are trying to say here, but if you knew anything about what SSL is, what it does, and more importantly, what it *doesn't* do, you would know that the use of (or lack of use) of SSL will not have any effect whatsover in regards to what scriptkiddies can and cannot do. You are in effect telling people to Ride the Train rather that drive their car because it will protect against those people that are interested in hijacking airplanes. The logic is flawed.

.... So, to the OP, please ignore the "dbltoe" type scaremongering. You have your own merchant account (I'm assuming). You will also have a booklet of some sort that details the terms and conditions of use, and I will assume that you are at least somewhat familiar with PCI requirements. The manual processing module *doesn't* break any of the PCI rules or requirements (That I'm aware of). It doesn't pose any security or privacy concerns, but it does need to be used in conjunction with SSL and any other PCI requirements relating to the collection and storage of the data.

Cheers
RodG

[dbltoe]

Well...
Now I can die happy. I've made the list.

[mc12345678]

Just gonna slip in here: as far as "mailing" the payment, there is the check/money order option which could be modified/cloned to offer the ability of a customer to checkout and be informed about how to send payment...

[RodG]

Well...
Now I can die happy. I've made the list.

List? I don't have a list. Not really needed. Sooner or later those that would be on it will put up their hand to attract my attention anyway. :-)

It's just a matter of time. <g>

Cheers
RodG

[stevesh]

Unless RodG can prove me wrong, I wouldn't do business with a site I knew was processing cards manually. There are indeed security and privacy issues. One company I worked for allowed telephone customers to provide their CC numbers to our office people for use in subsequent purchases. Invariably, those numbers ended up on Post-It notes stuck to monitors, visible to passersby and cleaning crew members. I don't know exactly how the OP handles the transfer of CC numbers from Zencart or telephone customers to his merchant account, but I'd guess the most common method is to write it down on scratch paper, which is eventually tossed in the wastebasket.

[RodG]

Unless RodG can prove me wrong, I wouldn't do business with a site I knew was processing cards manually.

I'm sure this was just bad wording, but how could I possibly prove whether you would do business with a site processing card manually or not? This is a choice you have obviously made, but I wouldn't know if you actually stick to this choice or not.

There are indeed security and privacy issues.

Blah, blah, blah, blah. The things said and done in the name of 'privacy and security' never cease to amaze me. It take it all with a pinch of salt.

The day that Hosting Providers *dissallow* FTP, and start to *allow* SSH and/or SFTp as the default file transfer protocol will be the day that I will finally accept that there is some sort of alignment between what people think and say about security vs what they actually *do* about security.

MOST PEOPLE ARE HYPOCRITES in this regard.

I'm sure I must be the only person on the planet that will not only shop in stores with no SSL and/or stores that manually process CC's but I'm also the only person to admit to it.

I know I'm somewhat of a unique character, but I'm not THAT unique.

One company I worked for allowed telephone customers to provide their CC numbers to our office people for use in subsequent purchases.
Invariably, those numbers ended up on Post-It notes stuck to monitors, visible to passersby and cleaning crew members.

So on the basis of one company that not flaunted their terms of service with their merchant provider you have decided to avoid *all* stores, sites and businesses that you can identify as doing manual transactions.

Thats a a bit over the top I reckon. Do you also avoid all other online purchase because one company/business does something they shouldn't?

I don't know exactly how the OP handles the transfer of CC numbers from Zencart or telephone customers to his merchant account, but I'd guess the most common method is to write it down on scratch paper, which is eventually tossed in the wastebasket.

Of the millions(?) of online merchants that accept online CC payments, how do you actually determine which of those are feeding the data directly into their own terminal device vs those that record the details and manually enter them into the terminal at a later time?

Seriously, you have no way to tell. No one does. So exactly how do YOU determine which stores you need to avoid? You can't.

I consider your claim to be just another 'I speak and do security' to be just a matter of lip service. Sorry but true.

Cheers
RodG

[stevesh]

Just expressing an opinion, however grammatically incorrect. Obviously (obvious to everyone but you, I'd guess), I meant that unless RodG can prove my thinking incorrect (he hasn't done so yet), I'll stay away from sites which I know use manual CC processing. The example I gave of the company I worked for was just an example of how such processing could expose my (and your) CC information to people who shouldn't have it. Again, I think everyone reading this thread, save Rod, understood that.

[RodG]

Hey Steve, Unless you have memory of an exchange I've long forgotten, I don't think I've ever had a dispute with anything you've ever said before, and I probably wouldn't be having this discussion with you now other than for the fact that you challenged me to prove the unprovable. <g>

On reflection, I probably shouldn't have even tried, but we are here now, soo.....

Just expressing an opinion, however grammatically incorrect.

Please. I have never, and will never intentionally base any of my arguments or discussions on Grammar or Spelling.
True, bad grammar could easily make me misunderstand an important point, but I really don't think that is the case here.

Obviously (obvious to everyone but you, I'd guess),

Whether something is obvious to me or not is irrelevant. Firstly, one of the points of a discussion is to help make the non obvious obvious, and secondly, you *should* know my history by now. I will often play 'devils advocate' to either make a point or advance the discussion.

I meant that unless RodG can prove my thinking incorrect (he hasn't done so yet),

I have as much chance of proving this than I did with your 1st 'challenge' which was to prove whether you do what you say you do or not.

I'll stay away from sites which I know use manual CC processing. The example I gave of the company I worked for was just an example of how such processing could expose my (and your) CC information to people who shouldn't have it. Again, I think everyone reading this thread, save Rod, understood that.

Again, this is personal choice that you have made, and you even have a reason for making it. I've no issues with that. I too would also avoid any merchant that I know is party to this kind of practice, regardless of whether it is against their merchant terms or service or not.

I'm NOT going to limit this choice to just those merchants using manual processing though. I will extend this to any merchant that I *know* is, or has done the wrong thing(s) in this regard - Even those that only use PayPal Express will be avoided in my books if I know that they leave my personal info on sticky notes in their offices (or similar bad practice).

So, on this basis, I will submit that your thinking *is* incorrect, in that you are considering the security weakness here is due to the *manual processing* rather than human stupidity and lack of following the rules.

Rhetorical question: If you knew of a merchant (or even many merchants) using a payment gateway (fully automatic processing), and those merchants sold your name and address details to other parties, would you refuse to deal with Just those merchants, or would you refuse to shop with any store that uses a fully automatic payment system?

The question is rhetorical, because there is only one sensible answer. It is the *merchant* that you/we need to worry about, not the method of payment.

....and this brings me back to the point I was trying to make in my previous reply .. namely, how do you/I/we know if a CC authorised merchant is using an automated processing system or a manual one? The fact is WE CAN'T.

Yes, we can often/easily determine if/when a payment gateway or 3rd party processor is being used, its a bit of a no brainer, but for a merchant that does their own processing there is no way for the end user to know). Ergo, I now resubmit to you that although you claim you won't deal with a business doing manual processing, unless you verify that the stores you purchase from are using a 3rd party gateway (and I'm guessing you don't), then your claim/statement is still 'talk' rather than 'action'.

In addition to this, if you have used your CC to pay for something over the phone, you are dealing with a merchant using a manual system. Simply no way to avoid this.

So, if you *never* use CC to pay by phone, and if you *do* really check that every store you buy from is using a 3rd party processor, then I owe you an apology, as it means you really do practice what you preach. It will also place you in a very small minority group.

Cheers
RodG