[thelist] Credit card validation

Keith Davis cache at dowebs.com
Sun May 27 23:07:51 CDT 2001

"Charles F. Johnson" wrote:

> Actually, this is exactly the way it works right now. The order form is on a
> secure page, and transactions are stored on the server in a
> password-protected directory. The client accesses them through another SSL
> page, and then clears the file (by uploading a blank file with FTP) after
> saving the orders so that CC numbers are only stored on the server for a
> very short time. I created an Applescript that automates the process, to
> provide some insurance against screwups.

Interesting technique. I do not allow clients FTP so I do the cleanup
through the browser with the script. I first lock the data file,
read/overwrite it to a batch file, erase the data file and then unlock
it. They then work from the batch file while new orders can continue to
be written to the data file. That way no orders are lost if there is an
interruption between downloading and clearing the file.

> consultant (a Flexware employee), when a file is imported it somehow skips
> the initial CC verification step, and goes directly to preparing the orders
> for shipping. This kind of makes sense to me now, based on what you wrote
> (although it sounds like the DB consultant was a little unclear himself on
> the terminology):

Hmmmm. I'm not familiar with Flexware. But looking at their site, I'm
thinking they may not have been the best choice for this application. I
see no reference to being able to use the software for any credit card
processing. Heavy emphasis on accounting features but thin on workflow.
My guess is that this is probably excellent software for its niche, but
it appears to lack the frontend and backend of the process we need,
booking and capturing. There are excellent softwares that do the job
from front to back but that's water under the bridge. Even if Flexware
does a backend cc processing it maybe should not be used. MO/TO is a 2
stage process and auth codes for each transaction generated during the
book stage have to be used during the capture stage. 

And there are softwares that specialize in doing only the front and
backend and they can be highly automated to work with Flexware. We just
sandwich Flexware into the other. I really don't think you want to try
using an online live-time processing service here, simply because that
process will work off of files that cannot be shared with Flexware, a
lot of dual and possibly triple manual entry. AND, they will generate
live-time processing charges. If you instead use credit card processing
software that resides on your Mac or Windows machine alongside Flexware
they can share the same data, or at least easily merge the data. So,
what kind of software?

(Wow, last time I did that there were only 3 vendors!)

Now there's an easy to remember URL for ya!

Personally I like the design and flow of MacAuthorize/PCAuthorize, but
most should have the same ICVerify standardized features and flow. I
especially like the MacAuthorize/PCAuthorize import/export file feature
because you can input any delimiter/layout and output any

Save the transactions on the server and download them as a batch. In the
processing software configure the import feature to read the file with
the delimiter and record layout of the file. Import the file. The
software will connect via modem at about 2400 over regular telephone
lines with the credit card call center and book the entire batch,
isolating the failures. Then configure the export feature to generate a
file for Flexware using the delimiter and record layout it needs and
including only the successfully booked orders. Do what Flexware does.
Time passes. Ask Flexware's DB to generate a file of all orders shipped.
Import to the processing software, it connects with the call center and
captures/charges the orders. It's not auto-pilot but it has
power-steering. You'll have a real hard time gluing Flexware to a
live-time online process that fits that well. 

> So it seems what they're asking us to do *is* the "booking" step. And if I
> understand your points correctly, the "right way" for us to do this is to
> have the client open a second merchant account and use a service like
> authorize.net or Cybercash to authorize the charge. Hmm. Significant
> expense, and the online ordering system will have to be redesigned (again).

Only if they get a fetish about doing the processing in live-time. And
if they already have a MO/TO account they can use it, it will just be
hard to find a processor who will admit it. If ya go that route look at
BofA's offering. It is THE standard to measure others by, it's very well
designed and feature rich, and I don't believe they have to have a BofA
business account or BofA merchant account, though I could be wrong since
we had both when I set up our design company gateway there.

> What I love about this: the original spec for the project was just to write
> back-end code to put the orders into a Flexware import file. So I deliver
> this code, and they say "Oh, and there's one other little thing we'd like
> this to do..." :^|

RIGHT!!! I had a 7K job. A week before live time they "mention" this one
more little feature. A major software company sells what I had already
done, plus this one little feature, in a package for 80K! 

In all fairness to your client, they probably didn't realize that the
credit card processors cannot be reached directly via tcp/ip. They
probably thought it would be a matter of submitting a form to the
processor and getting a response. Hey, it sounds reasonable to me too! 
I alpha and beta tested Netscape's LivePayment years ago and
participated in VISA's SET protocol's first public review. You won't
believe what goes on in that little black box when you swipe a credit
card - it's ugly in there and things get infinitely uglier when you let
it out of the box and onto the web. 

We've probably covered all the angles on this subject, from this
perspective at least, that the rest of the group wants to see. It's a
pleasure working with you, if you have any more questions before that
Tuesday meeting, email me off list. If I haven't already, I know that
with just a little more work I get you totally confused....
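
The lock / copy-to-batch / erase / unlock cleanup described in the message, as an added example that is not part of the original post or the poster's script. The file names, record format and function names are hypothetical; it assumes a POSIX host (fcntl.flock), and it appends to the batch file so that an uncollected earlier batch survives.

```python
import fcntl
import os


def append_order(data_path, record):
    """Order form side: append one record under an exclusive lock."""
    fd = os.open(data_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        fcntl.flock(f, fcntl.LOCK_EX)  # blocks while a rotation holds the lock
        f.write(record.rstrip("\n") + "\n")
        f.flush()
        os.fsync(f.fileno())
    # Closing the file releases the lock.


def rotate_orders(data_path, batch_path):
    """Cleanup side: move pending orders to the batch file, return the count."""
    fd = os.open(data_path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as data:
        fcntl.flock(data, fcntl.LOCK_EX)
        pending = data.read()
        if not pending:
            return 0
        bfd = os.open(batch_path,
                      os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(bfd, "a") as batch:
            batch.write(pending)
            batch.flush()
            os.fsync(batch.fileno())  # batch is on disk before anything is erased
        # Truncate in place instead of unlinking: a writer already blocked on
        # this lock holds the same inode, so its order lands in the live file
        # rather than in a deleted one.
        data.truncate(0)
        data.flush()
        os.fsync(data.fileno())
        return pending.count("\n")
```

If the process dies between the batch write and the truncate, the same orders appear in both files, so whatever reads the batch should de-duplicate on order number rather than assume each record is unique.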

