[thelist] Re: Shopping Sites, Credit Cards

Kathy Long kathy at site-etc.com
Sun Jun 30 16:21:01 CDT 2002

I appreciate your post and it is something I will look into further now
because it seems to contradict my personal experience with the B of A
gateway.  We recently tried to retrieve the cc number of one of our
customers and were told, "Sorry. We don't store those numbers." A client of
ours tried to do the same thing with Authorize-net and was met with the same
response. If the tech support people he and I both talked to were
uninformed, at least it should be noted that IF those cc numbers are stored
and available to me as the merchant holder, they are NOT easily accessible
from my control panel anywhere that I could find.  So, at least they are not
just a few clicks and a password away. You've got me curious and I'll double
check on this tomorrow, but it looks like we might be able to put the
"doesn't matter who I am..." message on our site as well.

I'm curious. What gateways do you know of that do that? Perhaps they are
ones that I should not recommend.

Here's a little story about PayPal that I'd like to add. My client uses
PayPal for her eBay auctions. A buyer purchased a digital camera from her.
She delivered and he even posted positive feedback on her behalf. He then
notified his credit card company that it was an unauthorized purchase. They,
in turn, charged it back to PayPal who turned around then and hit her
account for the money plus the charge-back fee! She now is faced with going
to small claims court to get her money and/or her camera back.  Besides the
positive feedback, she also has the man's signature on the UPS delivery
form, so quite obviously this man is a crook. I didn't realize it was so
easy for people to get out of their credit card charges! Or is it just
easier when PayPal is involved? I don't know and am making no judgements
here, but would like to hear what others have to say.

In addition, I was the one who posted the story about my first attempt to
purchase at my client's site using PayPal. Do you recall that story? It was
a nightmare because of their member login requirement and ended up with me
giving up. What good is a secure payment processing system if your buyers
give up trying? I don't recommend anyone using PayPal unless they sell
one-of-a-kind items which are the only kinds of products that may keep the
buyers from high-tailing it over to Amazon where it is a lot easier to shop.
Boy, I'd sure like to hear what Jared Spool would say about this. Is he on
this list?

End of rant too. :->

Thanks for your comments,

> From: thelist-request at lists.evolt.org
> Reply-To: thelist at lists.evolt.org
> Date: Sun, 30 Jun 2002 12:03:37 -0500 (CDT)
> To: thelist at lists.evolt.org
> Subject: thelist digest, Vol 1 #2434 - 30 msgs
> Message: 15
> Date: Sat, 29 Jun 2002 17:07:59 -0600
> To: thelist at lists.evolt.org
> From: Keith <cache at dowebscentral.com>
> Subject: Re: [thelist] Re: Shopping Sites, Credit Cards
> Reply-To: thelist at lists.evolt.org
> --
> [ Picked text/plain from multipart/alternative ]
> At 11:28 AM Saturday 6/29/2002, Kathy wrote:
>> Am I missing something or do you all handle online payment processing
>> differently than we do? With our system, if our vendors use online cc
>> processing like Verisign, the credit card numbers get sent to the processor
>> and are not stored on site where anyone can see them - just as it is done at
>> Paypal.
> Partly true. Many processors, like the gateway offered by Verisign, pass
> the numbers directly from the browser to their server so your server does
> not handle them. However, that's not the only issue. As programmers,
> designers and webmasters we sometimes become too infatuated with our
> accomplishments and fail to see the bigger picture.
> In order to use a gateway like Verisign's you must have a bank issued
> merchant account. That account makes you the legal possessor of those
> credit card numbers, even while they are on Verisign's server. You are the
> merchant of record, Verisign (or any other processor) is merely a gateway
> contracted to you. As the merchant of record, Verisign (or any other
> gateway) cannot deny you access to those numbers, they belong to you, not
> them. Anyone in your organization who has administrative access to your
> merchant account or to your gateway account also has access to those
> numbers, for months (sometimes years) after the actual transaction. It is
> in this after-the-transaction period when most credit card theft takes
> place. The point is, if you process credit cards using your own merchant
> account, through Verisign, your own gateway, or any other schema, you have
> access to those numbers. Whether you actually access those numbers or not
> is immaterial, you are a few clicks and a password away from doing so. You
> cannot therefore state on your web site that your method is "theft proof",
> by design it is not.
> By comparison, in a PayPal transaction you are not the merchant of record,
> PayPal is the merchant of record. As such, you do not have any legal access
> to those numbers and PayPal is prohibited by their bank and by law from
> ever revealing those numbers to you. PayPal, the processing network, and
> PayPal's bank are the only parties that will ever get to see those credit
> card numbers. You can therefore claim on your web site that your method is
> "theft proof", by design it is. I say "by design" because it's always
> possible that commandos could storm PayPal or their bank and carry off the
> numbers. The point is, your web business is by design "theft proof" because
> you can never possess the numbers someone would want to steal.
> Many PayPal merchants do make this distinction on their web sites. I do,
> and when I did sales increased 200%. Purchasing on the web is a scary
> proposition for most folks because they have no clue who they are dealing
> with and they are giving a LOT more information than in an over-the-counter
> transaction. It's not just a matter of encryption and safe storage. Most
> consumers know that encryption works and assume that you'll have provided
> some safe storage. That's not what's on their minds. What's on their minds
> is "Who are you that I should be giving my credit card to you?" With PayPal
> you can legitimately answer, "It doesn't matter who I am, you're not giving
> your card to me." But if you are the merchant of record, they are giving it
> to you even if you are having someone like Verisign hold onto it until you
> want to see it.
> End of rant.
> <tip author="Keith" type="SSI">
> Here's an easy way to "embed" data into a SSI page from another server. It
> uses the Perl module LWP to create a UserAgent (browser) that retrieves the
> data from the other server.
> On the SSI page use
> <!--#include virtual="get.cgi" -->
> Then on get.cgi use
> #!/usr/bin/perl
> use LWP::Simple;
> $include = get("http://otherdServer.com/data.inc");
> print "Content-type: text/html\n\n";
> print "$include";
> You can even embed dynamic data from otherServer.com by passing a query
> string to a cgi
> <!--#include virtual="get.cgi?YHOO" -->
> #!/usr/bin/perl
> use LWP::Simple;
> $qs = $ENV{'QUERY_STRING'};
> $url = "http://otherdServer.com/current_quote.cgi?".$qs;
> $include = get("$url");
> print "Content-type: text/html\n\n";
> print "$include";
> Voila! you're in the distributed content business........
> </tip>
> Keith
> ====================
> cache at dowebscentral.com
> --
> --__--__--
> Message: 16
> Date: Sat, 29 Jun 2002 17:47:20 -0600
> To: thelist at lists.evolt.org
> From: Keith <cache at dowebscentral.com>
> Subject: Re: [thelist] CGI submission to print
> Reply-To: thelist at lists.evolt.org
> At 08:51 AM Saturday 6/29/2002, Jeff wrote:
>> Can someone help me get this script to print new submissions
>> to the index page?
>> http://www.sonvenezuela.com/tour/

More information about the thelist mailing list