[thelist] Specific Ecommerce Requirements

Peter Brunone (EasyListBox.com) peter at easylistbox.com
Wed Jun 28 13:24:04 CDT 2006



> You can capture any amount less than or equal to whatever
> you used in the AUTH phase and only the amount you
> capture will be charged to the client's credit card. No
> need to store the credit card details at all, just store the
> transaction number.

   Any idea how long that AUTH transaction is good?  

   I wonder how companies like Paypal keep those details around legally, and what safeguards they have to have in place...

Peter

From: "Scott Wehrenberg" swehren at gmail.com

On 6/28/06, Hershel Robinson wrote:
> >> 1 No payment processing necessary--just to take the credit card number
> >> and alert the site admins that an order was placed--the reason being
> >> that the shipping and other details need to be calculated manually
> >> before the final price is arrived at.
> >
> > Why would you do this? Taking card info with no price set?
>
> Why? So that we can charge them when we calculate the price. The nature
> of this business is such that this will be acceptable to the customers.
>
> > How will you be storing the card info?
>
> We use an interesting tool called a database. It stores lots of
> information and one thing you could even store there would be a credit
> card number. :)

As others have already mentioned this is generally a bad idea. If you
absolutely must go this route please at the very minimum encrypt the
numbers with a key that is only stored offline, and be aware that you
are likely violating agreements you have with whoever is processing
your transactions.

For a better solution, look at the model gas stations use for pay at
the pump purchases. When you drive up and swipe your credit card, they
have no idea how much gas you're going to buy. So they immediately
reserve a block of credit on your card (usually around $75).
Then once you're done pumping they charge whatever amount you actually
purchased and release the hold on the remaining credit.

Here's a technical rundown of how I would apply this model to your
situation. First, attempt to establish a reasonable maximum for the
unknown prices such as shipping and handling. Then using this
maximum price immediately run an AUTH on the client's credit card for
this amount. An AUTH doesn't actually charge the credit card for the
amount listed, it simply checks that the card is valid and that it
COULD pay for the amount you're asking for in the AUTH. At this point,
any worthwhile online processor such as Authorize.net will give you a
transaction number which you can use to refer to this transaction. So,
you no longer need the client's full credit card details and can
discard them. Later once you've calculated the actual cost of the
order, an employee can use the transaction number that the processor
provided you with to capture the funds. You can capture any amount
less than or equal to whatever you used in the AUTH phase and only the
amount you capture will be charged to the client's credit card. No
need to store the credit card details at all, just store the
transaction number.

HTH,
-- 
------------------------------------
Scott Wehrenberg
-- 
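The AUTH-then-capture flow described in the message above, as an added example that is not part of the original thread and is not any processor's real API. MockProcessor, Order, place_order and capture_order are hypothetical names, and the card number used in testing is a constructed value; the point shown is that the order store only ever holds the transaction number.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional
import secrets


class MockProcessor:
    """Hypothetical stand-in for a payment processor; not a real gateway API."""

    def __init__(self) -> None:
        self._holds: Dict[str, Decimal] = {}  # transaction id -> held amount

    def authorize(self, card_number: str, amount: Decimal) -> str:
        # A real processor validates the card and reserves the credit here.
        txn_id = secrets.token_hex(8)
        self._holds[txn_id] = amount
        return txn_id

    def capture(self, txn_id: str, amount: Decimal) -> Decimal:
        held = self._holds[txn_id]  # KeyError if unknown or already captured
        if not Decimal("0") < amount <= held:
            raise ValueError("capture must be > 0 and <= the authorized amount")
        del self._holds[txn_id]  # the unused remainder of the hold is released
        return amount


@dataclass
class Order:
    order_id: str
    txn_id: str  # the only payment data the merchant keeps
    authorized: Decimal
    captured: Optional[Decimal] = None


def place_order(proc, orders, order_id, card_number, max_total) -> Order:
    """AUTH for the estimated maximum, then keep only the transaction number."""
    txn_id = proc.authorize(card_number, max_total)
    orders[order_id] = Order(order_id, txn_id, max_total)
    return orders[order_id]  # card_number is never written to the order store


def capture_order(proc, orders, order_id, final_total) -> Decimal:
    """Capture the manually calculated price against the stored transaction."""
    order = orders[order_id]
    if order.captured is not None:
        raise ValueError("order already captured")
    order.captured = proc.capture(order.txn_id, final_total)
    return order.captured
```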
