Hello there,
with the deadline for the implementation of VISA and MasterCard's PCI data
security nearing, I am looking into switching from manual cc processing with
our German PSP (we have a software terminal where we simply punch
in the invoice number, the amount and the cc data for each order) to real
time cc processing.
I have the following questions concerning the day-by-day work with our
online orders:
- What happens if a customer orders several items, but also one item that is
out of stock and we do a partial shipping? Can the amount due be corrected
manually prior to the "capture" of the funds? The same applies if somebody
selects the wrong shipping option, orders the wrong item and we correct this
when processing the order, or the customer calls right after placing the
order and adds another item to the order... Generally speaking: the amount
"authorized" is not equal to the amount to be "captured". How is that
handled?
- If the credit card data are masked when displayed online, how would a
refund work? A customer receives the parcel, does not like the item and
mails it back to us. In Germany there is a law that gives the customers the
right to return an online purchase within 14 days of reception without
giving a reason for it. In this case we need to reimburse the amount
charged. How can we do this without asking the customer for his/her cc data
again? I do not want to call the customer every time that happens, and I do
also not want the customers to write their cc data down and include it in
the return package (this is contra-indicated by the VISA / MasterCard PCI
rules).
- If I do see that an order is clearly fraud (email address with French .fr
ending, IP from Morocco, stupid combination of expensive items and shipping
address in the Netherlands), how do I get this information to the cc fraud
department? With the manual printout of the complete order, I can fax the
entire thing easily to the fraud department of our current German PSP and have
the card blocked immediately.
- And finally: How does the fact that ShopSite allows the customer to save
his/her credit card data in the customer profile comply with the VISA /
MasterCard PCI rule that discourages the saving of cc data? Shouldn't there
be a setting that allows saving payment information only if, let's say, a
security audit has been passed? Or is the encryption of the cc data so
strong (key length 1024 or so?) that it cannot be broken, even if the server
is compromised and someone gets access to the files (knock on wood that this
never ever happens)?
I know, lots of questions, but maybe someone has some answers.
Thank you and best regards,
Niko
Germany