[thelist] Re: Shopping Sites, Credit Cards

Keith cache at dowebscentral.com
Sat Jun 29 18:09:01 CDT 2002

[ Picked text/plain from multipart/alternative ]
At 11:28 AM Saturday 6/29/2002, Kathy wrote:
>Am I missing something or do you all handle online payment processing
>differently than we do? With our system, if our vendors use online cc
>processing like Verisign, the credit card numbers get sent to the processor
>and are not stored on site where anyone can see them - just as it is done at

Partly true. Many processors, like the gateway offered by Verisign, pass
the numbers directly from the browser to their server so your server does
not handle them. However, that's not the only issue. As programmers,
designers and webmasters we sometimes become too infatuated with our
accomplishments and fail to see the bigger picture.

In order to use a gateway like Verisign's you must have a bank issued
merchant account. That account makes you the legal possessor of those
credit card numbers, even while they are on Verisign's server. You are the
merchant of record, Verisign (or any other processor) is merely a gateway
contracted to you. As the merchant of record, Verisign (or any other
gateway) cannot deny you access to those numbers, they belong to you, not
them. Anyone in your organization who has administrative access to your
merchant account or to your gateway account also has access to those
numbers, for months (sometimes years) after the actual transaction. It is
in this after-the-transaction period when most credit card theft takes
place. The point is, if you process credit cards using your own merchant
account, through Verisign, your own gateway, or any other schema, you have
access to those numbers. Whether you actually access those numbers or not
is immaterial, you are a few clicks and a password away from doing so. You
cannot therefore state on your web site that your method is "theft proof",
by design it is not.

By comparison, in a PayPal transaction you are not the merchant of record,
PayPal is the merchant of record. As such, you do not have any legal access
to those numbers and PayPal is prohibited by their bank and by law from
ever revealing those numbers to you. PayPal, the processing network, and
PayPal's bank are the only parties that will ever get to see those credit
card numbers. You can therefore claim on your web site that your method is
"theft proof", by design it is. I say "by design" because it's always
possible that commandos could storm PayPal or their bank and carry off the
numbers. The point is, your web business is by design "theft proof" because
you can never possess the numbers someone would want to steal.

Many PayPal merchants do make this distinction on their web sites. I do,
and when I did sales increased 200%. Purchasing on the web is a scary
proposition for most folks because they have no clue who they are dealing
with and they are giving a LOT more information than in an over-the-counter
transaction. It's not just a matter of encryption and safe storage. Most
consumers know that encryption works and assume that you'll have provided
some safe storage. That's not what's on their minds. What's on their minds
is "Who are you that I should be giving my credit card to you?" With PayPal
you can legitimately answer, "It doesn't matter who I am, you're not giving
your card to me." But if you are the merchant of record, they are giving it
to you even if you are having someone like Verisign hold onto it until you
want to see it.

End of rant.

<tip author="Keith" type="SSI">
Here's an easy way to "embed" data into a SSI page from another server. It
uses the Perl module LWP to create a UserAgent (browser) that retrieves the
data from the other server.
On the SSI page use
<!--#include virtual="get.cgi" -->

Then on get.cgi use


use LWP::Simple;
$include = get("http://otherdServer.com/data.inc");
print "Content-type: text/html\n\n";
print "$include";

You can even embed dynamic data from otherServer.com by passing a query
string to a cgi
<!--#include virtual="get.cgi?YHOO" -->


use LWP::Simple;
$url = "http://otherdServer.com/current_quote.cgi?".$qs;
$include = get("$url");
print "Content-type: text/html\n\n";
print "$include";

Voila! you're in the distributed content business........

cache at dowebscentral.com

More information about the thelist mailing list