Does their merchant account charge them for an AUTH_ONLY transaction? I assume that the gateway and merchant account fees are less than $0.50 total for that type of transaction, whereas for a PRIOR_AUTH_CAPTURE the percentage (qualified discount rate around 2-5% of the transaction amount) kicks in. Maybe I'm wrong and maybe it depends on the merchant account provider, but it would be worth verifying.

I would argue that it makes sense to place an AUTH_ONLY when the order is submitted for these reasons:

(1) The authorization holds the funds on that card immediately if available, else informs the customer of an error.
(2) Avoids storing PAN on systems that may be vulnerable to security breaches, so it limits the client's exposure to risk and liability.
(3) The AUTH_ONLY would be stored in a facility immediately so that the data could be recovered in the future in case of a disaster with the client's internal system.

Sometimes walking a client through scenarios of what would happen when PAN is stolen, or if their internal systems fail (hard drive failure and no RAID, no backup), is enough to sober them up and make them realize that hope is a lousy security policy.

--steve

On Wednesday, July 8, 2009, lasso@... (Tami Williams) pronounced:

>The thing is they don't want any kind of transaction done (not even
>Auth_Only) by an automated system of any kind. They don't want to
>pay for any transactions except the ones they manually do themselves.
>
>
>On Jul 8, 2009, at 6:13 PM, Steve Piercy - Web Site Builder wrote:
>
>> On Wednesday, July 8, 2009, lasso@... (Tami Williams) pronounced:
>>
>>> - at "checkout" the member's credit card information needs to be
>>> captured but NOT submitted to the credit card processor (they do that
>>> manually in house and keep the cc info in electronic form until it
>>> has been manually processed - not changing this process)
>>
>> Just on this point, and if the client has an Authorize.net account,
>> you don't have to store the PAN on the client system. The A.net
>> gateway returns a response with a transaction ID which can be used
>> later for capturing authorized funds (usually within 30 days).
>> Just store the transaction ID in FM, then submit the transaction
>> again as a PRIOR_AUTH_CAPTURE.
>>
>> You could go even further with CIM instead of AIM, where you can
>> store customer profiles, credit card numbers and shipping profiles
>> on Authorize.net servers instead of the client's.
>>
>> --steve
>>
>> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
>> Steve Piercy Web Site Builder Soquel, CA
>> <web@...> <http://www.StevePiercy.com/>
>>
>> --
>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>
>
>
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy Web Site Builder Soquel, CA
<web@...> <http://www.StevePiercy.com/>
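
Added example (not part of the original thread, and not Authorize.net's or LassoSoft's code): an offline sketch of the AUTH_ONLY then PRIOR_AUTH_CAPTURE flow described in the quoted message, showing that the stored order record and the later capture request carry the transaction ID and never the PAN. The function names, placeholder credentials, constructed sample responses and the response field positions used (response code first, transaction ID seventh) are assumptions to check against the gateway documentation.

```python
# Offline sketch: authorize now, capture later, persist no PAN.
# Sample responses are constructed; field positions are an assumption to verify.
APPROVED = "1|1|1|This transaction has been approved.|A1B2C3|Y|2149186775|INV-1001"
DECLINED = "2|1|2|This transaction has been declined.||P|0|INV-1002"

def build_auth_only(login, tran_key, pan, exp, amount):
    """Fields for the authorization; the only place the PAN appears."""
    return {"x_login": login, "x_tran_key": tran_key, "x_type": "AUTH_ONLY",
            "x_card_num": pan, "x_exp_date": exp, "x_amount": amount,
            "x_delim_data": "TRUE", "x_delim_char": "|"}

def parse_response(raw, delim="|"):
    """Pick out the fields needed later from a delimited gateway response."""
    fields = raw.split(delim)
    if len(fields) < 7:
        raise ValueError("response too short to contain a transaction ID")
    return {"code": int(fields[0]), "reason": fields[3], "trans_id": fields[6]}

def order_record(order_id, pan, amount, response):
    """Build the row to persist: transaction ID and last four digits only."""
    if response["code"] != 1:  # 1 = approved; anything else is not stored
        raise RuntimeError("authorization failed: " + response["reason"])
    return {"order_id": order_id, "trans_id": response["trans_id"],
            "last4": pan[-4:], "amount": amount, "status": "authorized"}

def build_prior_auth_capture(login, tran_key, record):
    """Fields for the later capture; refers to the authorization by ID only."""
    return {"x_login": login, "x_tran_key": tran_key,
            "x_type": "PRIOR_AUTH_CAPTURE", "x_trans_id": record["trans_id"],
            "x_amount": record["amount"],
            "x_delim_data": "TRUE", "x_delim_char": "|"}

def leaks_pan(mapping, pan):
    """True if the full PAN appears in any value of the mapping."""
    return any(pan in str(value) for value in mapping.values())

if __name__ == "__main__":
    pan = "4111111111111111"  # widely published test card number
    record = order_record("INV-1001", pan, "49.00", parse_response(APPROVED))
    capture = build_prior_auth_capture("LOGIN_PLACEHOLDER", "KEY_PLACEHOLDER", record)
    print(record)
    print(capture)
    print("PAN in stored record:", leaks_pan(record, pan))
    print("PAN in capture request:", leaks_pan(capture, pan))
```
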