views:

141

answers:

2

I have a question about developing a website efficiently and legally.

I have been taking orders through the phone for the past few years and want to now take orders online through my website. I have heard that it is not ECI compliant to use the existing merchant account, but instead need a new internet merchant account.

From those that have had this kind of experience in web development, do I need to get a new, separate online merchant account (along with a payment gateway)? Or, can I just use my same merchant account that I have been using in the past?

If I do need a new internet merchant account, where is the document/proof that says this?

Thanks,

Steve

A: 

This is really going to vary depending on your current setup.

There's almost certainly no explicit law about this.

The documentation/proof is going to be in the contract you signed with your current service provider. You did keep a copy, right?

That said, if your current provider wants to charge you an unreasonable rate for this service, go find another. There may be a cheaper option offered by someone else.

What you DO need to understand is that you CANNOT accept customer card numbers online and then hand-enter them into your existing phone order system. This is undoubtedly against your TOS and would open you to very serious legal liability.

Any solution for online ordering MUST be structured in such a fashion that your system does not store the card number for any period of time. If you want to build a system that does store card numbers, be prepared to pay 6 figures a year in auditing and compliance fees alone.

Paul McMillan
+2  A: 

I am assuming this is in reference to this thread?

As far as legality goes the laws vary from state-to-state so it will be difficult to give you advice. Even then most states don't have many laws governing this.

Your biggest issues will come from the Payment Card Industry and your merchant account provider. It is against Visa and MasterCard guidelines to use a traditional retail merchant account for Internet orders. It is also against Visa and MasterCard rules to use non-ECI compliant means (e.g. a credit card terminal) to process Internet orders. All Internet orders must declare themselves for each and every transaction. Credit card terminals cannot do that.

Additionally, to accept online orders and then enter them into a credit card terminal will cause you to violate PCI rules that prevent you from storing CVV information. You also force yourself to enact full PCI compliance since you will be forced to store credit card information, which is difficult to do and a royal pain in the butt.

Using your non-swipe merchant account for Internet orders, even for the same business, could result in anything from a warning, to a large fine, to the merchant account being closed and the business being added to the Match File. Once you're on the Match File you are blacklisted and cannot get a true merchant account again.

Your best course of action is to call your merchant account provider and discuss this with them. They're the best people to speak to.

FYI, I worked in the industry for 6 years. I worked directly with the acquiring banks and both their underwriting and security teams. I know it's tempting to use the retail account, but it's against the guidelines set forth by Visa and MasterCard and will only result in big problems down the road. Get the second account and use a payment gateway to process the payments. Doing anything else would be an unnecessary business risk.

John Conde