No doubt that thoughtful security planning prevented the loss of credit card or financially sensitive information. However, it doesn’t really lessen the reality that the repercussions from the Zappos breach could be huge. Does data security go far enough if we accept that personal information is completely acceptable to be lost as long as financial information is not?

With the amount of personal information that was obtained in the Zappos breach, the thieves have a very lucrative marketing or hacking information package.

On the marketing side

Companies pay a lot of money for targeted marketing lists like the one that Zappos inadvertently provided. Let’s see, here’s a list of 24 million people that definitely buy things online, most likely shoes or clothing items, FIRE AWAY…

This information is a telemarketer or direct marketer’s dream, and they can target these known shoppers via phone, mail, and email.

On the hacking side

I can almost guarantee that Zappos customers are going to receive an onslaught of highly engineered spam, viruses, offers, and everything else to their emails. At the same time they are going to start getting physical spam, and scam offers, and probably are going to see telemarketing scams as well. There’s really no limit to how the information can be used for malicious purposes. Scam companies and hacking groups trying to install mallware and spyware are extremely efficient and proficient at developing well planned attacks on unsuspecting users. There are millions of computers called zombie computers because they are being used to send spam and other malicious activities without the knowledge of their owners. Expect some more.

As to the encrypted passwords. Websites typically use 1-way hashing mechanisms for password storage. This means that the password is encrypted, but cannot be decrypted by any reasonable means. The caveat to this is that if the hacker knows how the password was hashed, they can create a huge list of hashes and compare them to find the original. This is a very targeted attack, but with 24 million passwords it’s worth a lot of effort. They will begin finding real password very quickly if they discover the hashing mechanism. Since many users do not use unique passwords between websites, the direct loss from being able to log into user’s bank accounts, or other websites will be significant. I always recommend using a unique password with every site you log into, and use a password manager like roboform.

The reality

The reality of this situation is that Zappos is owned by Amazon.com. I can guarantee that Zappos has some stout security in place, and yet one of the largest, most tech oriented companies on earth, just had a data loss of 24 million records. This tells me that that standards we have in place for protecting data, especially non-sensitive data, are not enough. We should not just be protecting financially sensitive data, but all customer data. Sure there may be no direct cost in replacing bank cards, or obtaining new bank account numbers, stopping checks, or posting chargebacks, but the effect to the customer when you lose their data can be remarkable. We’ve yet to see the actual damages that this breach causes, but with the sheer amount of information out there, there could be substantial damages.

The API supports different logos for card issuers, paypal, google checkout and a few other. A developer can use the API to specify the size, background color and the order of the logos that they need on their website.

Update 08-2011 – Added ebillme and 2checkout.com logos.

Here’s a quick tutorial and a few examples of how to use the API.

1. Create an image tag with the root url: https://www.merchantequip.com/image/
2. Next add the bgcolor parameter to specify a 3 or 6 character HEX background color for your logo. If you do not know the background color: FFF is white, 000 is black. Here is a full HEX color chart. There are also a variety of browser addons if you need to match the exact colors of your website.
3. Next specify the actual logos that you would like to add to your site, in the order you would like to display them. Separate the logos with a pipe | character. Example: v|m|a|d for Visa then MasterCard followed by Amex and Discover.All of the available logo codes are:
   • v = Visa
   • m = MasterCard
   • d = Discover
   • a = Amex
   • g = Google Checkout
   • p = Paypal
   • bml = Bill Me Later
   • ec = eCheck
   • jcb = JCB
   • dc = Diners Club
   • s = Solo
   • me = Maestro
   • mb = Moneybookers
   • az = Amazon Payments
   • in = Interac
   • ebm = eBillme
   • 2co = 2checkout.com
4. Finally specify the height of the logos. The images currently come in 32px and 64px, so size accordingly allowing for a small margin around the images. We will be allowing for dynamic resizing in the future, but for now the only 2 sizes supported are 32px and 64px. Any additional height will be added as a margin.

The actual image url should look like (these are all generated through this exact API):

https://www.merchantequip.com/image/?bgcolor=FFFFFF&logos=v|m|a|d&height=32

The image HTML will look like:

<img src=”https://www.merchantequip.com/image/?bgcolor=FFFFFF&logos=v|m|a|d&height=32″ />

The logo above will display as:

Here’s the same logo using the larger image sizes:

Here’s all of the currently available logos:

While this tool is free to use we greatly appreciate a backlink or credit if you are using images that are hosted through the API. These images are all served securely over SSL, so they may be used on secure/SSL websites and ecommerce sites without errors.

If you have no idea of what an API is or just need logos for your website, please use the credit card logo generator and ignore this post.

Thanks again.

Here is 10 items that should be checked on every order before shipping. If you do nothing else for fraud screening at least cover these basic principals to help prevent some of the more obvious fraud.

If any of these are true, it’s a good idea to further review the order, or contact the person making the purchase before shipping.

1. Billing and Shipping Addresses Don’t Match
2. Requesting Overnight Shipping
3. Order is for Multiple Quantities of the Same Item
4. Items Being Ordered are Mainly of High Value
5. Order is for Uncommonly Purchased Items
6. Different but Related Products Being Ordered
7. AVS and/or CVV Verification Failed
8. Customer Made Several Unsuccessfully Attempts Before the Transaction was Approved
9. Customer’s phone number and/or email look unconventional
10. Order is Being Shipped to Africa, Asia, or Eastern Europe

1. Billing and Shipping Addresses Don’t Match

This should be the first sign of potential trouble. While not impossible, it is rare for fraudulent orders to be shipped and billed to the same address. Someone making a purchase fraudulently will often have the item shipped to a forwarding address or other location that they are not personally associated with.

It is common for shoppers to ship to their home or business address which may be different from their billing address. Nevertheless, it’s a good idea to at least take a look at orders that do not have matching shipping or billing addresses. If an order is being billed to Omar Patel in Houston, and being shipped to John Smith in Seattle, you may want to ask why…

2. Requesting Overnight Shipping

While it’s completely reasonable for a customer to want their order ASAP, expedited shipping is a very common trait of fraudulent orders. The thief needs to get the merchandise as quickly as possible before a chargeback is made. With slower shipping methods, the merchant has the opportunity to halt the shipment if they receive a chargeback, or identify the order as fraud, which would make nullify the efforts of the thief.

3. Order is for Multiple Quantities of the Same Item

Many times, fraudulent orders are made with the intention of reselling the merchandise on eBay, Craigslist or locally. Multiple items make an easier sale and easier money especially if the items are in high demand.

Depending on your industry you may often get orders for multiple items, so this rule applies much less to some industries. For us, we often get orders for 10 or more credit card terminals as many businesses have multiple locations. Over time, you should be able to better identify common ordering trends.

4. Items Being Ordered are Mainly of High Value

As with above, since many fraudulent orders are placed with the intention of reselling the merchandise, the most expensive merchandise often yields the greatest rewards. The merchandise can be quickly sold and the thief can makes a decent profit even when discounting 50% or more. The higher the value of the merchandise to you, the higher the value to someone trying to steal it.

If your average order is $200, you should definitely take a closer look when someone places an order for $10,000. Also, keep in mind that the larger the order, the more damage to your business if a fraudulent order is successfully placed.

5. Order is for Uncommonly Purchased Items

I’m not entirely clear on the reasoning behind this, but it’s not uncommon for fraudulent orders to be for items that are rarely purchased. Most likely it is due to careless research on the thieves part. If you sell thousands of orders per year and have never sold some particular item, I would be suspicious when someone comes along wanting it. There’s usually a reason why some products sell a lot and why others never sell. It’s not common for only 1 customer ever to be interested in an item that you offer.

New ecommerce sites will have a hard time with this rule, but once you establish some sales history and if you really know your products, it’s easy to spot and flag orders with uncommon items in them.

6. Different but Related Products Being Ordered

Let’s assume you sell LCD TV’s online. It’s very common for someone to come along and purchase a single TV. Maybe you have a sale and someone purchases several TV’s on sale, still a completely reasonable scenario.

Now, let’s say someone orders 5 TV’s, and every one is a different brand and size. This should immediately raise a red flag. Yes, it’s possible that someone wants 5 completely different TV’s, but purchasing products like this is not a common shopping or even human behavior and warrants further investigation.

7. AVS and/or CVV Verification Failed

While the majority of the largest ecommerce sites still do not require CVV, it’s a really good idea for you to. If your customers are US based, requiring a positive AVS zip code match is also a good idea. AVS verifies the address of the cardholder, and CVV verifies that the person placing the order has at least had the physical credit card in their possession. Even if  the card number was stolen, odds are the thief does not have the CVV number unless the entire card was stolen.  If the entire card was stolen, there’s a good chance that the owner would have canceled it already. CVV costs nothing, and I strongly recommend all merchants to at least require it to be submitted. Because the number can be worn off the card, I do not always recommend a positive match, but this is something you need to assess specifically for your business and your customers. When in doubt, require it!

8. Customer Made Several Unsuccessfully Attempts Before the Transaction was Approved

This works in conjunction with AVS and CVV verification. If someone is attempting to place orders using a stolen card, it’s common for several declines due to an incorrect address, expiration date, or CVV.  Keep a close eye on customers that submit multiple declined or AVS/CVV mismatch transactions. 1 or 2 errors may be common, but if you start seeing a group of attempts it may be a sure sign of fraud.

If you start seeing hundreds or even thousands of attempts it is almost certainly an entirely different type of fraud called carding. This type of fraud can be very costly to your business even if you never lose any merchandise, so it’s important that you promptly address and correct the situation that is allowing it.

9. Customer’s phone number, email and/or shipping information look unconventional

You wouldn’t believe how many times fraudulent orders use incorrect, fake, or just plain goofy email addresses, phone numbers, and ship-to information. If you get bounced receipt emails, see an email like fbi.gov, see phone numbers like 555-555-5555, or are shipping to Mickey Mouse, you should probably be concerned about the order being fraudulent. Additionally, if the phone number contains a country code, or incorrect area code, there’s a good chance that someone just typed the first digits they could into the phone number box.

Most business and personal land-line phone numbers can be researched just by entering them into a google search. At the very least you can figure out if the area code matches the billing or shipping address, and if the number is actually valid.

10. Order is Being Shipped to Africa, Asia, or Eastern Europe

I don’t want to discriminate against people in any particular country, but it’s a fact that a lot of fraud originates in a few select regions and countries of the world. Unless you have experience in international-commerce, it’s a good idea to only cater to your own country, or ones you know and trust very well. I wouldn’t even consider shipping a product to most African countries, East Asia, Eastern Europe and Russia. Also, some areas like Amsterdam are notorious for credit card fraud. Be very careful when accepting international orders.

Even if an order isn’t fraudulent, international orders can introduce a multitude of additional customs, credit card processing, and legal requirements, and can make processing returns very difficult. Something as simple as shipping from the US to Canada, can present a number of problems and costs that many website owners are not prepared to deal with. I strongly suggest doing a lot of research and finding someone who has real experience before venturing into international shipping.

Final words…

I can guarantee that every online merchant will face some form of credit card fraud. Credit card fraud is a minor inconvenience to some, and will end others’ online ventures. Not all merchants need to use some of the more advanced fraud screening methods out there, but everyone should cover the basics.

If a business decides they want to actually store credit card numbers, they are subjected to stricter PCI-DSS standards, and run a real risk of losing customer data just by the fact that they have it. Apart from PCI, it’s difficult to securely store credit card data as there is a multitude of technical aspects to doing it safely. If you lay it all out on paper, there is a huge amount of work, ongoing management, and liability in storing credit card numbers.

But, sometimes we still need to store credit card numbers, so how do we do it?

We simply let somebody else store it for us. If we outsource our credit card number storage to another party, we are no longer liable for that data. This is still your customer’s data, so your reputation is on the line, but not necessarily your wallet. What’s even better is that with some of today’s available services, outsourcing this can give us an easier method of re-billing our customer than if we could easily store credit cards.

Who can we store these with?

This is the easy part. Your payment gateway may have a customer storage mechanism, or customer vault. If it doesn’t, find one that does.

What this does is store your customer’s information and credit card number in the payment gateway’s secure database. If you need to charge your customer again, you simply reference their customer number and the amount you wish to charge. You can do this manually through the administrative virtual terminal of your payment gateway, or you can often do it directly through your website using an API. You can also setup recurring payments, refund, void, or credit via a customer’s stored card.

With a system like this, a developer can create a custom recurring billing system, or a user friendly “remember card” feature with your ecommerce site’s checkout system.

Which gateways support this?

The Network Merchants Gateway which we developed an integration module a few weeks ago, supports customer storage at a very low cost per month. Network Merchant’s customer storage is called the Customer Vault.

Authorize.net has a similar system called the Customer Information Manager.

There’s definitely a number of other gateways that have custom vault type systems as well. These can be integrated with a website, charged manually, or even integrated with a desktop application. A customer vault is a responsible way to outsource credit card number storage while still being able to use them.

This script integrates with the Network Merchants Direct Post API, and the Network Merchant customer vault API.

The Direct Post API allows processing credit cards and electronic checks. The Customer Vault allows merchants to store their customers credit card and check information in Network Merchant’s secure customer vault. The API allows charging customers stored in the vault without a merchant ever storing a credit card number.

View and download the class here »

Accepting credit cards on a website is absolutely necessary for the success of any online sales efforts. While there are several other available payment methods for websites, credit cards surpass every other one because of their wide use and convenience.

There are two types of companies that can enable a website to accept credit cards. The first is a 3rd party processor, and the second is a merchant service provider (called an MSP, or ISO). The primary differences between 3rd party processors and MSPs are the way a website integrates with their service, the liability that the website owner has over the transactions that they process, and the price that a they will pay for the ability to accept credit cards. 3rd party processors include companies like Paypal, Google Checkout, 2checkout.com, CCnow, Clickbank, and many more.

The difference between MSP’s and 3rd party processors:

MSP’s

• The business apply’s for a merchant account directly with a MSP.
• Business is personally liable for everything that they process.
• Customer’s credit card statements have the business name on them.
• Use with a Payment Gateway (Seamless integration available).
• Some fixed monthly fees in addition to processing costs.
• Possible setup fee.
• Possible long term contract requirement.

3rd Party Processors

• Business processes under the name of the 3rd party processor.
• Customer’s credit card statement has 3rd party processors name on it.
• Any dispute is made through the 3rd party processor and not the processing bank.
• Business and customer have limited protection from being ripped off.
• Must use 3rd party processors checkout system (Paypal has one exception).
• No fixed monthly fees.
• Some have setup fees.
• Most have high processing costs (Paypal and Google Checkout don’t).
• No contracts.
• Business is partially liable for the transactions that they process.

Which should a business use?

Assuming that you are based in the US, this depends mainly on how much business you do, the type of products you sell, how you want to integrate payments into your website, and whether you sell on eBay or not.

For businesses in the US, Paypal is pretty much going to be the lowest cost method of accepting payments that you will find. As much as I personally hate to admit it, it will be very hard to find a company that can beat the cost of paypal. However, paypal has many negative attributes which often make it a poor solution for serious ecommerce websites.

Personally, I think paypal makes an excellent supplementary payment method, as there is a fair number of online shoppers that prefer to use it.

• How much you business you do:Merchant accounts have fixed monthly fees associated with them. If you are only processing a few dollars a day, it is simply a waste of money to use a merchant account. 3rd party processors don’t have fixed monthly fees, and will be a more cost-effective solution for low volume businesses or an individual. If you do a lot of business, then a merchant account will give you better control over the funds that you process, and how your payment method integrates into your website. Many people consider the threshold of switching from a 3rd party processor to a MSP at about $1000 per month in processing. Personally, I would switch to a merchant account at about $500 per month, so that I could provider a cleaner experience for my customers. But either way, these aren’t huge volumes of processing before a merchant account may be warranted.
• The type of products you sell:Many product types are considered high risk. High risk refers to products or services that carry an increased risk of being charged back, or being obtained by or sold to fraudulent buyers. A few examples of high risk businesses include anything adult related, travel related, online pharmacy, and download-able products. Online in general is much higher risk than retail. On a personal note, I think that most online businesses will experience some sort of fraud in their online ventures. Neither 3rd party processors or MSP’s like providing services to high risk businesses. In these cases a business will have to contact everyone to find a company that can provide service to them. In some cases they may have to process through an offshore merchant account provider.
• How you want to integrate payments into your website: If you want a completely seamless system where your customer never leaves your website, then you are going to need a merchant account and a payment gateway. Payment gateways generally have two integration methods, but I only recommend using an API method of integration. 3rd party processors require your customers to fill out their information on a website owned by the 3rd party processor. A seamless integration method is considered by many to be fundamental in providing a smooth and efficient shopping experience. Paypal does provide a system called payments pro, which is a step in the seamless direction, but it is difficult to integrate into a website, and still creates some usability barriers. If you look on any major ecommerce website, you will find that they are all using a seamless integration with their payment processing method. 3rd party processors may be an alternative payment method, but they are rarely the primary method for a serious company.
• Do you sell on eBay? If you sell on eBay, you should accept Paypal. Paypal integrates seamlessly with the eBay checkout system, and the majority of eBay users expect to be able to use Paypal to complete their purchase. Merchant accounts are difficult to integrate with eBay and must always rely on multiple independent systems for them to work smoothly and automatically. Businesses that sell a lot on eBay will probably look into one of these checkout management systems at some point, but Paypal is the perfect solution for the majority of smaller eBay businesses.

Now that you have your processing method:

I am making the assumption that you already have a shopping cart in place on your website. This can either be a custom designed system, or can be a pre-made cart system like oscommerce, zen cart, and many of the other popular carts.

If you went the merchant account direction, you will also need a payment gateway. It is easiest to get a payment gateway from the same company you are getting a merchant account through. If you already know what payment gateway you want, make sure that the merchant account provider can set this up for you. If you don’t know what payment gateway you want, Authorize.net is always a safe bet. There are many payment gateways available, with the most common being Authorize.net, and Verisign. You will want to use a payment gateway that has an API (Application Programming Interface) method of integration. The API is what allows your website to transparently integrate with the payment gateway.

Requirements to process on your website:

1. A SSL (Secure Socket Layer) Certificate (needed if you use a payment gateway API).
2. A shopping cart system (This can be custom made or you can use ready made shopping cart software).
3. Integration of your payment gateway or 3rd party checkout system.
4. Merchant account providers also have a list of requirements to setup an ecommerce merchant account. I recommend making sure that as many as possible are met before applying for a merchant account.

Depending on whether you have a custom designed or a generic shopping cart system, it can be as easy as pressing a button, or as hard as writing a complex integration script, to integrate your website with the payment gateway. Most shopping carts that are widely used will have a module or plug-in to integrate with most of the popular payment gateways. Custom carts will need a custom payment module, which should be coded by the person who designed the cart or another competent programmer. Here is a guide on how to integrate Authorize.net with a website using php5. Also, if you are interested in purchasing a Authorize.net integration script, authnetscripts.com has scripts for PHP, ASP, PERL, and Cold Fusion. I have used their scripts myself and highly recommend them. The price of one of these scripts is far less than hiring a programmer to write one for you. Integration tutorials for most payment gateways are available in just about every programming language, but again these should be programmed by a professional. If you need to hire someone to do the integration for you, I recommend services like getafreelancer.com and rentacoder.com. Make sure to pick a service provider with positive feedback, and make price a secondary factor. Here is a brief guide on how to use freelance marketplaces.

If you do use a payment gateway, make sure you are not storing credit card numbers or other sensitive information unless you know exactly what you are doing, how to properly encrypt the data that is being stored, your server is PCI compliant, and your website does not have security vulnerabilities.

Once you’re integrated:

Once your website is integrated with your payment gateway or 3rd party processor, you are ready to start accepting payments. This whole process is not really as complicated as it seems, and should be takes in steps to prevent problems.

Quick Overview:

Merchant Account / Payment Gateway Flow -is the order of setting things up that I recommend for the least amount of potential problems.

1. Setup Website
2. Setup Merchant Account and Payment Gateway
3. Purchase and Install SSL Certificate
4. Integrate Website with Payment Gateway
5. Test Integration, and Run A Real Transaction
6. Go Live!

3rd Party Processor Integration – requires less structured planning, but some ordering will make a difference.

1. Setup 3rd Party Processor Account
2. Setup Website
3. Integrate Website with 3rd Party Processor
4. Test and Run A Real Transaction
5. Go Live!

For a better comparison of merchant account and 3rd party processors checkout the Merchant Account Comparison.

Hopefully this whole process goes smoothly for you. Once everything is complete, you can focus on the marketing and promotion of your ecommerce business. As always, feel free to contact me if you have a question, or you need some direction on what to do.

Best of luck to you…

Roughly 65% of all data security breaches occur at restaurants, the next largest group retail stores claim about 12%, and the remaining percentage is split between every other type of business out there including online. The simple truth is that with all the scrutiny over online businesses, card companies have failed to see the actual problem. It is retail businesses where employees and even customers often have direct access to sensitive data. Online businesses, even with poor security would require someone very knowledgeable in networking and computers to compromise their data. Any average Joe could obtain a credit card skimmer and use it at the restaurant where they work.

What this concludes is that somewhere along the line, card companies ignored where data breaches actually occur, and just decided to target all online businesses. Now everyone has to jump through hoops when for many there is absolutely no risk of a security breach because the information just isn’t there to steal.

Security is extremely important for all businesses, and protecting cardholders information is every business’s responsibility. Don’t store sensitive data if you don’t have to, and if you do, make absolutely sure you know how to encrypt and store it properly.

Also, if you use any custom made POS software system, you may want to check with the programmer that the system is not storing track data. If it is and you get caught, you can get up to a $100,000 per month fine until it is fixed. That is just a fine for storing the track data, not for an actual data breach which could be significantly higher.

Here’s a quick overview of the different methods of payment you can consider for your eBay auctions.

Paypal:
Paypal is by far the easiest and most tightly integrated method of accepting payments on eBay. Paypal is automatically tied into the eBay checkout system, and Paypal is widely used by buyers. There is however a percentage of buyers and sellers that have bad experiences with Paypal, and wont use it. For this reason it is always best to provide at least one supplemental payment method for selling on eBay. But, buyers normally want to use Paypal to pay for auctions and from a sellers perspective it is wise to accept Paypal, even if you have had a negative experience with them. As crazy as this may sound, Paypal auctions almost always sell for much higher than an auctions where Paypal is not accepted. Even an automated credit card acceptance system does not offer a suitable replacement for the wide use of Paypal.

Credit cards:
Credit cards can be tricky to accept on eBay auctions, but are the second most desired method of payment next to Paypal. Depending on how many products you sell, manually accepting orders over the phone from eBay sales can be the perfect solution or simple impossible. There are a variety of pre-made systems that can integrate eBay with your payment gateway and merchant account, but these systems often add unnecessary extra fees to the already high cut that eBay takes. If you run a successful online business, I recommend hiring a programmer to develop an eBay checkout system for your auctions through your existing payment gateway. This creates a much more usable system, and eBay orders can be better integrated with website orders for inventory, customer service, and tracking.

Personal checks:
In my opinion, personal checks are the worst method of payment for eBay auctions that work well enough to consider. Checks are slow, they must clear a bank account, they are prone to bouncing and being lost in the mail, and they create a very poor user experience. With the exception of a few rare occasions, checks are not a convenient, timely, or cost effective method of payments for eBay. The money you save by not using Paypal or accepting credit cards, is most definitely more than offset by the lack of bids you get on your auctions. Nearly every bad experience I have had on eBay was a result of having to send or received a check.

Money orders & cashiers checks:
Money orders and cashiers checks are safe and effective methods of getting paid on eBay. But, they are slow as they have to be mailed by the buyer and deposited into a bank account before the auction item can be shipped. They are best used with high dollar auctions where it is essential that the seller is protected from any buyer fraud or frivolous chargebacks and disputes, and time is not of the utmost importance. For high dollar items, I recommend getting an initial deposit via Paypal or credit card, and accepting the balance by cashiers check. I would consider a high dollar item anything of about $2000 and up.

Cash:
I would not even consider sending or requesting cash through the mail. If you sell locally and are comfortable with meeting your customers, than cash can be a great method of getting paid for your auctions. For most of us, cash is rarely if ever a viable option. For those that do meet their customers, I would highly recommend taking appropriate precautions to protect yourself. If you do not have a business address, I recommend meeting your customers in a public place, not at your residence. Most likely you will never have a problem with a buyer, but it’s simply not worth the risk to you or your family.

Western Union:
Western union is not an acceptable method of payment for eBay. It is commonly associated with fraud, and a very high chance of someone getting burned exists with western union. I do not recommend using western union for auction payments at all. eBay also warns against it. Just don’t do it.

Other 3rd party checkout systems:
There are several other common checkout systems that can be used for accepting payments on eBay. Personally, I find most of these systems to offer a poor experience for a customer, but they are still used often enough to mention. Andale, Bidpay, Vendio, and USAepay are some of the commonly used checkout systems for eBay auctions. These systems have a hosted checkout process for your auction winners. They also help manage your existing auctions, shipping, and have a variety or reporting tools that help you keep track of all of your eBay affairs. All of these services have fees associated with different levels of their services, but they can help sellers that have a large quantity of items to manage.

Using a payment method that your ‘buyers‘ want to use is vital to getting the most out of your eBay auctions. It is important to provide at least two options for payment from your customers, and make it as easy as possible for your customers to pay. One of the largest contributors to a low quantity of bids on auctions is not accepting the payment method that buyers want to use.

The guide is written for websites using PHP 5, Curl, and SSL to connect a website to authorize.net using the API method (Known as AIM with Authorize.net).

PHP 5 is required for this particular script. There are several PHP 5+ functions that will make the script completely incompatible with PHP 4. Unfortunately a good percentage of servers are still using PHP 4. Apart from that, it looks like this guide should be all that a developer needs to successfully integrate authorize.net into a shopping cart system.

I really like the feature where the script automatically retries a transaction 3 times if there is an error. This can be common with payment gateways, and it’s definitely not good to return an error or declined message if you absolutely don’t have to. The script also validates the card number using a simple version of the LUHN algorithm to verify the card number against a check-sum, in addition to performing basic card number and expiration date checks.

When it’s all said and done the script will return an approved, error or declined message for your customer’s transaction, and you can send them to whatever page or message on your website that you want.

This script is complete, but I don’t think that a new programmer should change anything they don’t understand, because they have the potential to open security holes if their programming gets broken. This is especially important since this script will transfer sensitive information across web servers.

There are a variety of free and paid scripts out there, but this one is written by a competent group of individuals that have extensive knowledge of payment processing, web development, and web security, so I highly recommend it.

Check it out:
Integrate the Authorize.net Payment Gateway with PHP

The yearly cost for a level 2, 3 or 4 merchant is around $150, while the yearly cost for a level 1 merchant is more than $30,000. Because of this, it is extremely important not to ever have a data compromise. I personally recommend not storing any sensitive data online, at all, and if it is stored offline, access should be highly restricted and the data should be encrypted. Track data should never be stored anywhere, under any circumstance.

If you have a data compromise and card holder data is stolen, you should expect upwards of $100,000 in fines, arbitration fees, and regulations in addition to the additional cost of level 1 PCI certification.

Related Posts:
Scan Alert PCI / CISP
A Guide to Small Business Security, Free PDF Download…
CISP, SDP, PCI Compliance required for every business…