[thelist] storing user information and allowing them to "finish later" and payment issues

Lauri lauri_lists at tharapita.com
Tue Dec 2 01:30:33 CST 2008


Hi, 

> are they paying for what they're registering for? not sure what 
> you're doing, so this is a guess, but if you're filling in 
> registration for a service or product, and payment information 
> will be required, why would you NOT put them on the same page? 
> other than technical reasons (which aren't the client's problem :)

Since we're speaking about credit cards, there is the matter of PCI DSS
(Payment Card Industry Data Security Standard) compliance. Check out
https://www.pcisecuritystandards.org/ for more and specifically these two
FAQ entries:
http://selfservice.talisma.com/display/2/kb/article.aspx?aid=5769 and
http://selfservice.talisma.com/display/2/kb/article.aspx?aid=5785 . 

Small merchants and even payment processors could previously pretty much do
whatever they wanted to do, but they're all on the list of being clamped
down on. There are many merchants and even a few payment service providers
who aren't yet PCI compliant, but most of them have been set a deadline
already. There are also a few who haven't had a reality check yet. New
merchants generally are required to comply with PCI right out of the gate
unless they use the redirect/indirect integration method where they redirect
to the payment provider for payment detail capture. 

PCI DSS itself is not hugely complicated, but it is expensive for small
merchants. It varies with the volumes you're processing, but generally
you'll need at least two sysops (for split encryption key knowledge), 4+
production boxes, segregation of duties in development and deployment and
code reviews. 

HTH

Cheers, 
Lauri 
