Credit Card setup question

[Angel Devoid]

Hi,
Ok, so I have followed the initial instruction for setting up my ssl and https docs for credit card stuff. But I'm still a bit foggy on what to do next to get credit card payments working on my site.

1. Do I need a "gateway" setup to communitcate with my ssl company?
2. how to I configure that gateway and link it to my merchant account with my bank.

Event a short check list of what I should be installing or configuring would be great!!

Thanks

[theveed]

I'd like to know more about this as well. Our store (physical) has a merchant account and swipe machine, what else do I need to get it hooked up to our online store? Thanks.

[24#Karat_fan]

to get credit card payments working you have 3 options

option 1 requires a merchant account and a gateway such as you would find Here

then using the aproporiate module.

option 2 is where you already have a merchant account and a swipe machine.

you will want to uset he stock credit card module ( labeled as just credit card in admin )

and add in the split email address.
you will then match the credit card email to the invoice to get the entire number cvv and exp date to enter into your swipe machine.

Option 3 is to simply use the paypal IPN option to let customers enter their credit card information on the paypal site after being directed there from your store with all order information intact

[jumbuck2]

You could go get a manual MOTO merchant account. Banks have them for as little as $10 per month. They don't advertise them cause I don't think they make much money out of them. But a merchant account is awesome to have for many reasons.

Then get e-Path, http://e-path.com.au - a manual payment gateway. You won't need any SSL and you won't be paying any transaction fees either. Its a great cheap way of doing things and with the merchant account you can accept phone orders too. Check out how Zen works when everything gels - http://thefruitboxshop.com/shopping_carts.html

If you already have a merchant account with an EFTPOS terminal then just get a manual payment gateway like e-Path and you are set. I've never liked the inbuilt credit card capture system with Zen, the SSL is an extra expense and the way credit card numbers are handled puts it at odds with the new P.C.I. (Payment Card Industry) security standards coming out (in Australia anyway). The PCI standards are pretty tuff and deals with how credit card numbers are stored on servers and in databases. PCI is a joint thing with Visa, Mastercard and a few others I think.

You are safe with a merchant account and e-Path in my humble opinion plus you'll be saving a fair bit too.

Cheers

[24#Karat_fan]

SSL is an extra expense,
but you might notice that most people wont put their information in a non secure site.

and the fact that only 1/2 of the number is stored in the db and the cvv is NOT means that it is perfectly legit and safe.

just for my own knowledge how much a month is this epath gateway
you can get an ssl for $20 a year,

[jumbuck2]

SSL is an extra expense,
but you might notice that most people wont put their information in a non secure site.

and the fact that only 1/2 of the number is stored in the db and the cvv is NOT means that it is perfectly legit and safe.

just for my own knowledge how much a month is this epath gateway
you can get an ssl for $20 a year,

Mate I hear what you say but people add their email addresses to insecure sites all the time. Don't know of man contact forms on SSL.

As far a payments go they do this on the e-Path secure payment page, Ttally under SSL at e-Path's enxpense ot the cart owners cost.

And on the point of security, what is safe to you is not safe to Visa and Mstercard. Sending a credit card number or any part thereof by normal email will get your merchant account suspended straight away. Having a credit card number or any part thereof stored non-encrypted in a databse on a server that is not totally isolated and decked out with security provisioning that would make your head spin, will get your merchant account sustpended.

I've been through this new PCI standard and its tuff. VERY tuff. You can argue black and blue that its safe, your argument isn't going to change the new security standards. Sorry.

[24#Karat_fan]

Sorry you mis-understood me
people dont enter name address and phone in non secure sites.
thats what I was refering to NOT email address....

Still wondering how much a month this epath gateway service is?

[jumbuck2]

I think its $225.50 per year, no transaction costs.

But its compliant to PCI standards, that's my point. I know you think the split system is safe, and there is a good argument for it. But the fact is Visa and Mastercard reckon anything that does not comply with the new PCI rules governing the accepting of credit card details online is NOT safe and NOT acceptable. And the way the inbuilt credit card payment system in Zen works it just doesn't comply from what I am reading. There is too much at risk, you could get your merchant account suspended and there is a part in the PCI standards that says the merchant account holder will be liable if any loss is incurred. I can't imagine this but its worrying nonetheless.

So this is my point. If Visa and Mastercard say you can accept credit cards but this is how you MUST do it, then you and I are really not in a position to argue about it are we?

Cheers

[24#Karat_fan]

Do you have a link to this information,

After contacting my Merchant account company there is no restriction on a partial number stored in a database unencrypted

the rules accordint to them are the entire number cant be stored and neither can the CVV #

partial numbers are stored all the time

example
you paid with visa number
xxxx-xxxx-xxxx-1234
exp
01/01

[DrByte]

If ePath works for you in Australia, then that's what you should go with.
I hope you've tested the module to be sure nobody can spoof an order by simulating the return codes and end up with a free purchase without even paying anything.

This is a risk not posed by payment modules that collect the card number by SSL, then in the background send it to the processor securely while the customer waits for authorization, and then only releases the order (and immediately) when authorization is obtained. These modules do not store the CC number -- they only send it for authorization.

The "basic" simple CC module in Zen Cart that splits numbers and emails only a portion of them, is not recommended -- for all the security reasons you mention. We are considering removing it.


Anyway, we're digressing. My point is that while ePath is one option if you're in Australia, there are several other options available, which are very secure and very compliant. However, there are also many contributed payment modules that are NOT as secure or compliant. You should check out the module with your merchant service to be sure they're happy with it and that it will not put you at risk of being denied support in the event a fraudulent card is processed or a chargeback occurs.

As always, use these things at own risk, including ePath.