I am developing a rails site that will allow a group of merchants (5 - 10) to accept credit card orders online. I plan on using the Activemerchant gem to handle the processing.

In this case, each merchant will have their own merchant accounts to handle the payments. Storing banking information like that is not something I am a fan of. This could be solved by queuing orders and allowing the merchant to log in to the site, input their credentials and process the order.

However, if I go that route then it seems to me that I would have to store the customers' credit card information temporarily until the merchant has the opportunity to log in and process the order, which to me is the greater evil.

Has anyone dealt with this situation? If so, what are the options available and what pitfalls should I look out for? In my mind, securing customer credit card information is priority number one, with the merchant account information a close second.

+1  A: 

When you create the gateway object with ActiveMerchant, you specify the merchant's information. So I'd think that it'd work ok for your sw to place transactions on behalf of multiple merchants. Just keep their information in a db and use as needed. I'd recommend that you encrypt the merchant's information.

See gem attr_encrypted

I'm not sure why you don't want to store the merchant's information. Maybe you should say more about this.

If the merchant is using Authorize.Net, you just need the Authorize.net login and password for each merchant.

I'd recommend that you standardize all of your merchants on a single payment gateway such as Authorize.net or one of their competitors. It's hard enough dealing with one gateway, why deal with more than one. Also, you can easily become a reseller for authorize.net and ease the process for your merchants.

You're right, you really don't want to delay the credit card transactions until a merchant logs in and supplies their merchant info:

  1. Depending on how often the merchant logs in, you'd be breaking the merchant's card agreement about timely charges and batching.

  2. You'd have no way to provide speedy feedback to the end customer--did their charge succeed or not?

  3. You'd have to store the complete credit card number and other information. That requires a high level of PCI compliance. Not worth it. And you are forbidden from storing the CVV number, no matter what. So depending on your other information from the end customer, your charges would have lower qualification (higher transaction costs to your merchants).

My recommendation is to store the merchants' information. -- Encrypt it and do not let a merchant (or anyone else) see it. Only let the merchants replace their info, do not let them see the current info in order to edit it. That will lessen the security risk of the wrong person seeing the merchant's info.

Larry K
Larry, thanks for your thoughts, I suppose you are right about the merchant login info - I am just paranoid about other people's information. I am going to give your suggestions a try - much appreciated.
sosborn
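The answer's recommendation (store each merchant's gateway credentials encrypted, let merchants replace them but never read them back, and only decrypt at the moment a gateway object is built) can be sketched in plain Ruby. The following is an added example, not code from the question, the answer, ActiveMerchant or attr_encrypted; it uses only the standard library (OpenSSL AES-256-GCM) so it runs without either gem. `MerchantCredentials`, `gateway_for`, `FakeGateway`, the `MASTER_KEY` constant and the `credentials_intact?` helper are hypothetical names chosen for the example; with ActiveMerchant the builder lambda would construct the real gateway class from the decrypted login and password instead of the stand-in struct.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'

# Constructed for the example: in a deployment this key comes from an
# environment variable or a secrets store, never from the database that
# holds the ciphertext (otherwise a DB dump yields both).
MASTER_KEY = SecureRandom.random_bytes(32)

# Version tag bound into the authenticated data so a blob sealed under one
# scheme cannot be replayed as another.
AUTH_DATA = 'merchant-credentials-v1'.freeze

# Encrypt a hash of gateway credentials with AES-256-GCM.
# Returns base64(nonce || tag || ciphertext); a fresh random nonce per call
# means two saves of the same credentials do not produce the same blob.
def seal_credentials(creds, key = MASTER_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # 12 bytes for GCM
  cipher.auth_data = AUTH_DATA
  ciphertext = cipher.update(JSON.generate(creds)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Decrypt and authenticate a blob produced by seal_credentials.
# Raises OpenSSL::Cipher::CipherError on a wrong key or any tampering.
def open_credentials(blob, key = MASTER_KEY)
  raw = Base64.strict_decode64(blob)
  iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = AUTH_DATA
  JSON.parse(cipher.update(ciphertext) + cipher.final)
end

# True if the blob still authenticates under the given key.
def credentials_intact?(blob, key = MASTER_KEY)
  open_credentials(blob, key)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# Write-only credential record: a merchant (or an admin UI) can overwrite
# the stored login, but nothing exposes the plaintext through an accessor,
# #inspect or #to_s, so it does not leak into logs or error pages.
class MerchantCredentials
  attr_reader :merchant_id

  def initialize(merchant_id, creds)
    @merchant_id = merchant_id
    replace(creds)
  end

  def replace(creds)
    @ciphertext = seal_credentials(creds)
    self
  end

  # Plaintext exists only for the duration of the block.
  def with_plaintext
    yield open_credentials(@ciphertext)
  end

  def inspect
    "#<MerchantCredentials #{merchant_id} [encrypted]>"
  end
  alias to_s inspect
end

# Stand-in gateway so the example runs offline; with ActiveMerchant the
# builder would return the gateway object for the merchant's processor.
FakeGateway = Struct.new(:login, :password)

# Build a gateway for one merchant, decrypting only at the point of use.
def gateway_for(record, builder = ->(c) { FakeGateway.new(c['login'], c['password']) })
  record.with_plaintext { |creds| builder.call(creds) }
end

if __FILE__ == $PROGRAM_NAME
  record = MerchantCredentials.new('merchant-1', 'login' => 'api_login', 'password' => 'tx_key')
  puts record                       # no credentials in the printed form
  gw = gateway_for(record)
  puts "gateway built for #{gw.login}"
end
```

The point of the block-scoped `with_plaintext` is that the only code path to the decrypted login is the one that builds a gateway; a "show me my current settings" page never has a way to call it, which is exactly the "replace but never view" policy from the answer.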