[thelist] Shopping Sites, Credit Cards and PayPal

[Kathy Long]

I have a client who has been using Paypal successfully at eBay. She is now
setting up a store and we are tying it into Paypal. I, of course, had to
test it to be sure it was working. Here's the email I sent her regarding my
first experience AS A BUYER at her site.

Chesna,
Here is my attempt to purchase from your site.

I hit the order button on your site.
It took me to Paypal where I was asked to login or create a new account.
I didn't remember what my login was so I attempted to create a new user.
Then it wouldn't accept my email address because it said I already had an
account.
So I did it again with a different address at my domain.
It said I was already a user. Guess it doesn't like more than one person at
my domain.
So I requested that it send me my password. By this time I don't know where
my order went.
I get my password email. It says to go to this link.
I click the link. I get an error saying the link is on 2 lines and I have to
copy and paste the link in.
I copy and paste the link in as it says.
I get the same error.
I give. I didn't want that vintage blouse that bad!

I wonder how many orders vendors lose because of this.


Kathy



> Message: 38
> Date: Sat, 29 Jun 2002 01:27:51 -0600
> To: thelist at lists.evolt.org
> From: Keith <cache at dowebscentral.com>
> Subject: Re: [thelist] Re: Shopping Sites, Credit Cards
> Reply-To: thelist at lists.evolt.org
>
> <quote> Carol
> send Paypal with their link-click. I love PayPal because I refuse to
> use any credit card, and they allow weird folks like me to link to a
> bank account instead of a credit card.
> </quote>
>
> I too love using PayPal when I'm purchasing, because I too use funds from
> my bank account instead of from my credit card.
>
> But, if you DO use a credit card, there is very important reason to use
> PayPal, a reason that few consumers are aware of. When paying with PayPal
> the "merchant site" NEVER gets to see the buyer's credit card info. Most
> online credit card theft happens when someone associated with the website
> (webmaster, host, employee, etc) steals the credit card info.  If you are a
> a PayPal merchant you do not have a "merchant account" and it would be
> illegal for PayPal to let you see that info.
>
> In fact, this kind of internal "employee" theft accounts for more than half
> of all credit card theft, offline and online. This kind of theft is
> epidemic in mail/order-telephone/order businesses and becoming more
> widespread on websales. The customer has no way of knowing how many people
> in your web business may have "legitimate" access to that data in your
> accounting and fulfillment functions, let alone "legitimate" access to it
> while it is safely parked on the server or more safely in the company
> customer service database. And any one of those people could be selling
> that info in your company's parking lot or down at the cyber-cafe.
>
> This internal company access control is the most overlooked part of "web
> sales security" discussions. And yet, this is where most of the theft
> actually takes place. If you store the credit card data, at all (on the
> server or elsewhere), you need to have a secure access control, complete
> with audit trails for each time the data is accessed. Even if you do pass
> the credit card info through to a third party processor you can still be
> open to internal theft. As the holder of a merchant account you will have
> access to that cardholder info even if you did not process the actual
> authorization. Just beware who has access to that info all the time that it
> is in your possession, and be prepared to prove it.
>
> But back to PayPal. This is something that really irks me about Peter
> Thiel's sophomoric concept of his company. He thinks that the anonymous
> nature of a PayPal transaction is valuable because it allows people in
> countries with weak economies to move money into strong economy countries.
> And yes, some countries indeed outlaw PayPal exactly on that basis. But,
> this Mickey Mouse money laundering is insignificant. What's important is
> that the buyer knows that joedink.com will NEVER get to see the credit card
> number, and joedink can say, "Hey, it didn't get stolen here, I never got
> to see it". PayPal should be making a big deal out of this anonymous
> feature and they are instead hung up on playing 2 bit global politics.
> Peter should take a look at the VISA S.E.T. protocols and the foundation
> behind MS Passport. The fundamental idea behind both (from the banking
> industry point of view) is that the "merchant" will not possess the card
> number, eliminating the opportunity for internal theft.
>
> <quote>Martin
> Sorry Carol, I'm not sure I buy that one until they obtain a banking
> license.
> </quote>
>
> PayPal does not have a "bank charter" because they do not engage in any
> banking activity. They do not qualify for a charter any more than evolt
> would qualify for a charter. Look at what it takes to qualify as a bank or
> a saving and loan in California where PayPal is located, people deposit
> money on the promise of interest and people borrow that same money with a
> promise to pay interest. Evolt doesn't do anything like that and neither
> does PayPal. There is not a single activity that PayPal engages in that
> qualifies as a "banking" activity.
>
> But that does not mean that PayPal is outside of the banking industry's
> oversight. They haven't crawled up some pole and tapped into somebody's
> telephone line to process $80 million in transactions per day.  In order to
> process all those credit card transactions PayPal has a "merchant account"
> through an acquiring bank. And just like any other "merchant account", the
> acquiring bank represents the cardholder's interest and would shut PayPal
> down in a heart-beat if the cardholder's interest is not protected. PayPal
> doesn't qualify as a bank, they qualify as a "merchant", and answer to
> their acquiring bank just like anyone else with a merchant account.
>
>
>
> Keith
> ====================
> cache at dowebscentral.com