views:

4668

answers:

11

This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments?

Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not available.

PCI Data Security, which is apparently the standard for storing credit card info, has a bunch of general requirements, but how does one implement them?

And what about the vendors, like Visa, who have their own best practices?

Do I need to have keyfob access to the machine? What about physically protecting it from hackers in the building? Or even what if someone got their hands on the backup files with the sql server data files on it?

What about backups? Are there other physical copies of that data around?

Tip: If you get a merchant account, you should negotiate that they charge you "interchange-plus" instead of tiered pricing. With tiered pricing, they will charge you different rates based on what type of Visa/MC is used -- ie. they charge you more for cards with big rewards attached to them. Interchange plus billing means you only pay the processor what Visa/MC charges them, plus a flat fee. (Amex and Discover charge their own rates directly to merchants, so this doesn't apply to those cards. You'll find Amex rates to be in the 3% range and Discover could be as low as 1%. Visa/MC is in the 2% range). This service is supposed to do the negotiation for you (I haven't used it, this is not an ad, and I'm not affiliated with the website, but this service is greatly needed.)

This blog post gives a complete rundown of handling credit cards (specifically for the UK).

+2  A: 

There's a lot to the whole process. The single easiest way to do it is to use services similar to paypal, so that you never actually handle any credit card data. Apart from that, there's a quite a bit of stuff to go through to get approved to offer credit card services on your website. You should probably talk with your bank, and the people who issue your merchant ID to help you in setting up the process.

Kibbee
+8  A: 

Paypal is your easiest and cheapest option. You'll need to set up an integration with them, but they'll do. Authorize.net and Braintree have their own charms, but you can worry about them later.

At a minimum, you'll need a database table to store your credit card information. You'll want to keep the credit card numbers encrypted (using SHA256 and a different salt (also kept in the db for each cc number -- this will protect you against rainbow table attacks) and you'll need to make sure you don't store the security code number past the authorization.

As for implementing a credit card processing solution; there's no shortage of e-commerce / shopping cart package, from ZenCart to ActiveMerchant. Take a look at your expertise and your background, and pick what makes sense for you.

EDIT: you may also want to look at "How to safely store a password" which contains some discussion about how clever you want to be about your encryption.

Will Sargent
SHA256 doesn't encrypt, it hashes.
Pavel Chuchuva
+1  A: 

As others have mentioned the easiest way into this area is with the use of Paypal, Google checkout or Nochex. However if you intend to to a significant amount of business you may wish to look up "upgrading" to higher level site integrations services such as WorldPay, NetBanx (UK) or Neteller (US). All of these services are reasonably easy to set up. And I know that Netbanx offers convenient integration into some of the off the shelf shopping cart solutions such as Intershop (because I wrote some of them). Beyond that you are looking at direct integration with the banking systems (and their APAX systems) but thats hard and at that point you also need to prove to the Credit card companies that you are handling the credit card numbers securely (probably not worth considering if you are not taking $100k's worth per month).

Working from 1st to last the cost/benefits are that the early options are much easier (quicker/cheaper) to set up put you pay quite high handling charges for each transaction. the later ones are much more costly to set up but you pay less in the long run.

The other advantage of the most of the non dedicated solutions is that you don't need to keep encrypted credit card numbers secure. Thats someone else's problem :-)

Vagnerr
+2  A: 

Perhaps I phrased the question wrong, but I'm looking for tips like these:

  1. Use SecurID or eToken to add an additional password layer to the physical box.
  2. Make sure the box is in a room with a physical lock or keycode combination.
Michael Pryor
+124  A: 

I went through this process not to long ago with a company I worked for and I plan on going through it again soon with my own business. If you have some network technical knowledge, it really isn't that bad. Otherwise you will be better off using Paypal or another type of service.

The process starts by getting a merchant account setup and tied to your bank account. You may want to check with your bank, because a lot of major banks provide merchant services. You may be able to get deals, because you are already a customer of theirs, but if not, then you can shop around. If you plan on accepting Discover or American Express, those will be separate, because they provide the merchant services for their cards, no getting around this. There are other special cases also. This is an application process, be prepared.

Next you will want to purchase an SSL certificate that you can use for securing your communications for when the credit card info is transmitted over public networks. There are plenty of vendors, but my rule of thumb is to pick one that is a brand name in a way. The better they are known, the better your customer has probably heard of them.

Next you will want to find a payment gateway to use with your site. Although this can be optional depending on how big you are, but majority of the time it won't be. You will need one. The payment gateway vendors provide a way to talk to the Internet Gateway API that you will communicate with. Most vendors provide HTTP or TCP/IP communication with their API. They will process the credit card information on your behalf. Two vendors are Authorize.Net and PayFlow Pro. The link I provide below has some more information on other vendors.

Now what? For starters there are guidelines on what your application has to adhere to for transmitting the transactions. During the process of getting everything setup, someone will look at your site or application and make sure you are adhering to the guidelines, like using SSL and that you have terms of use and policy documentation on what the information the user is giving you is used for. Don't steal this from another site. Come up with your own, hire a lawyer if you need to. Most of these things fall under the PCI Data Security link Michael provided in his question.

If you plan on storing the credit card numbers, then you better be prepared to put some security measures in place internally to protect the info. Make sure the server the information is stored on is only accessible to members who need to have access. Like any good security, you do things in layers. The more layers you put in place the better. If you want you can use key fob type security, like SecureID or eToken to protect the room the server is in. If you can't afford the key fob route, then use the two key method. Allow a person who has access to the room to sign out a key, which goes along with a key they already carry. They will need both keys to access the room. Next you protect the communication to the server with policies. My policy is that the only thing communicating to it over the network is the application and that information is encrypted. The server should not be accessible in any other form. For backups, I use truecrypt to encrypt the volumes the backups will be saved to. Anytime the data is removed or stored somewhere else, then again you use truecrypt to encrypt the volume the data is on. Basically where ever the data is, it needs to be encrypted. Make sure all processes for getting at the data carries auditing trails. use logs for access to the server room, use cameras if you can, etc... Another measure is to encrypt the credit card information in the database. This makes sure that the data can only be viewed in your application where you can enforce who sees the information.

I use pfsense for my firewall. I run it off a compact flash card and have two servers setup. One is for fail over for redundancy.

I found this blog post by Rick Strahl which helped tremendously to understand doing e-commerce and what it takes to accept credit cards through a web application.

Well, this turned out to be a long answer. I hope these tips help.

Dale Ragan
Perfect answer. I hope others add to it.
Michael Pryor
One of the best I've seen.... +1
Frederic Morin
@Michael Pryor: If it's so perfect, why do others need to add to it? Huh???
donut
@donut: Because time moves on, and answers rarely remain static.
Anonymous Type
+14  A: 

Ask yourself the following question: why do you want to store credit card numbers on a publicly accessible webserver in the first place? Trust me, you don't. Even if you think you do, you don't. That's what accounting software is for. Furthermore, you're looking at some serious liability if your webserver ever gets hacked.

Having said all that, I have written an app that stores credit card numbers online temporarily (since the transactions were processed offline). Here's a good way to do it:

  • Get an SSL certificate!
  • Create a form to get CC# from the user.
  • Encrypt part (not all!) of the CC# and store it in your database. (I'd suggest the middle 8 digits.) Use a strong encryption method and a secret key.
  • Mail the remainder of the CC# to whoever processes your transactions (probably yourself) with the ID of the person to process.
  • When you log in later, you will type in the ID and the mailed-out portion of the CC#. Your system can decrypt the other portion and recombine to get the full number so you can process the transaction.
  • Finally, delete the online record. My paranoid solution was to overwrite the record with random data before deletion, to remove the possibility of an undelete.

This sounds like a lot of work, but by never recording a complete CC# anywhere, you make it extremely hard for a hacker to find anything of value on your webserver. Trust me, it's worth the peace of mind.

Check out the comment Michael left for Sam Wessel below.
Dale Ragan
+11  A: 

The PCI 1.2 document just came out. It gives a process for how to implement PCI compliance along with the requirements. You can find the full doc here:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Long story short, create a separate network segment for whichever servers will be dedicated to storing CC info (usually DB server(s)). Isolate the data as much as possible, and ensure only the minimum access necessary to access the data is present. Encrypt it when you store it. Never store PAN's. Purge old data and rotate your encryption keys.

Example Don'ts :

  • Don't let the same account that can lookup general info in the database look up CC info.
  • Don't keep your CC database on the same physical server as your web server.
  • Don't allow external (Internet) traffic into your CC database network segment.

Example Dos:

  • Use a separate Database account to query CC info.
  • Disallow all but required traffic to CC database server via firewall/access-lists
  • Restrict access to CC server to a limited set of authorized users.
Zak
Note that PCI-DSS requirements apply to all systems that card data *passes through* and not just where it is *stored*. The same security restrictions and requirements therefore also apply to the web-server/app-server (and sites belonging to all other vhosts on those machines) and all other hosts on the same network-segment as those machines.
Cheekysoft
Absolutely true
Zak
+6  A: 

I'd like to add a non-technical comment that you may wish to think about

Several of my clients run e-commerce sites, including a couple who have moderately large stores. Both of those, whilst they certainly could implement a payment gateway choose not too, they take the cc number, store it temporarily encrypted online and process it manually.

They do this because of the high incidence of fraud and manual processing allows them to take additional checks before filling an order. I'm told that they reject a little over 20% of all their transactions - processing manually certainly takes extra time and in one case they have an employee who does nothing but process transactions, but the cost of paying his salary is apparently less than their exposure if they just passed cc numbers though an online gateway.

Both of these clients are delivering physical goods with resale value, so are particularly exposed and for items like software where a fraudulent sale wouldn't result in any actual loss your mileage would vary, but it's worth considering above the technical aspects of an online gateway if implementing such is really what you want.

Cruachan
This is a really useful comment, something I never considered. Thanks
0plus1
+4  A: 

Why bother with PCI compliance?? At best you'll shave a fraction of a percent off your processing fees. This is one of those cases where you gotta be sure this is what you want to be doing with your time both upfront in development and over time in keeping up with the latest requirements.

In our case, it made the most sense to use a subscription-savy gateway and pair that with a merchant account. The subscription-savy gateway allows you to skip all the PCI compliance and do nothing more than process the transaction proper.

We use TrustCommerce as our gateway and are happy with their service/pricing. They have code for a bunch of languages that makes integration pretty easy.

denton
One reason would be to avoid being held hostage by the payment gateway, where if you want to switch to another gateway, the previous gateway probably won't give you access to all the CC info they have of your customers, thus forcing you to ask customers for the CC details on purchase with the new payment gateway. Go to step 1. :)
Zabba
+1  A: 

Be sure to get a handle on the extra work and budget required for PCI. PCI may require huge external audit fees and internal effort/support. Also be aware of the fines/penalties that can be unilaterally levied on you, often hugely disproportionate to the scale of the 'ofense'.

andora
+5  A: 

Keep in mind that using SSL to send a card number from a browser to a server is like covering your credit card number with your thumb when you hand your card to a cashier in a restaurant: your thumb (SSL) prevents other customers in the restaurant (the Net) from seeing the card, but once the card is in the hands of the cashier (a web server) the card is no longer protected by the SSL exchange, and the cashier could be doing anything with that card. Access to a saved card number can only be stopped by the security on the web server. Ie, most card thefts on the net aren't done during transmission, they're done by breaking through poor server security and stealing databases.

joe snyder
Which is where PCI DSS comes in. i.e. By not storing the full PAN on the server.
Martin Clarke