02-11-2008, 12:55 PM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Credit Cards and database vs. shopping cart
I have a potential client who owns a travel agency. He is currently booking cruises off his website using some service that collects the credit card information (along with all other pertinent data) which then emails the information to him. He then sends it along to Carnival to complete the booking. [I have no idea how the current service sends it to him, or how he sends it to Carnival.]
He wants me to eliminate the service by writing the information to a database, off which he can then generate an Excel spreadsheet. I don't want to create this from scratch because I don't want the credit card liability for storing numbers online, but this isn't a straightforward shopping cart problem because he isn't running the credit cards - he's just passing them through (at least that's what I think he's doing).
I'm figuring someone has come across this before and can give me some advice as to how to approach this! Or maybe I just have a mental block and there is a simple answer here! Thanks in advance for your help ~ carol

02-11-2008, 03:48 PM
Moderator
Join Date: Aug 2004
Location: Playing with fire!
Posts: 2,922
Re: Credit Cards and database vs. shopping cart
Most of your carts have a functionality where that data is collected on site, stored, and can be downloaded. They don't all "force you" to use real time processing. Many allow for manual processing. ShopSite for example.
The biggest problem comes in with actually storing the sensitive information, even if it's for a very short period of time.
As for me, I wouldn't touch it with a 10 foot pole. Too much risk involved in storing the information. If "he" can see and download the info, so can anyone else who could gain access to it.
Dave
Last edited by crankydave : 02-11-2008 at 03:52 PM.

02-11-2008, 03:59 PM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
Thanks for your input Dave. Do you mean you wouldn't even use ShopSite? Or you wouldn't create your own database?
I've already decided I will not be putting anything together myself, from the liability viewpoint! But I was wondering if there were other industries or smaller (than Expedia or Travelocity) type travel niche sites that were doing something similar, and if this could be done with a hosted cart.
I appreciate your comments! ~ Carol

02-11-2008, 03:59 PM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,768
Re: Credit Cards and database vs. shopping cart
If your client is an affiliate/reseller/etc of Carnival, where their site only collects the transaction information before passing it on to Carnival who will process and complete the transaction, I would check with Carnival to find out if they offer a web service (a secured Ajax interface that financial data can be sent through) that you could use. In this scenario, the user would fill out the order form on your web site, then when they submit the data, your site would store the customer's contact information and order details locally, and forward the financial and contact details to Carnival through the web service.
I have set up a system like this on one of my own sites, where because of the nature of product that is being sold we need to verify inventory status before processing the transaction and thus could not use a traditional payment gateway, so we use a web service over https to transmit the financial information to a service provider before completing the sale. No financial data is ever stored on our own server.
Please note, if any financial data will be "touching" your web site - this means that the data is sent to your server, even if it is not stored there - there is a very high standard of security that you have to meet. For example, the credit card number must be heavily encrypted, the entire server must be scanned for vulnerabilities regularly, and it is a federal crime to store CVC codes on the same server as the credit card number. Failure to meet the standards could result in losing your ability to process credit cards, and could result in prosecution. Your payment provider should be able to give you information on the security precautions you need to meet. That provider may also be able to offer you additional suggestions to handle this situation if Carnival does not have a secure web service available.
Last edited by wige : 02-11-2008 at 04:02 PM.

02-11-2008, 04:04 PM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
Wow, those are good points. Thank you Wige, I will have to look into what kind of service the cruise line could provide. I had not thought about the "touching" point - with a hosted solution such as ShopSite, this responsibility would belong to the hosting company, correct? But if I am providing the solution, then it's mine? ~ Carol

02-11-2008, 04:33 PM
Moderator
Join Date: Aug 2004
Location: Playing with fire!
Posts: 2,922
Re: Credit Cards and database vs. shopping cart
ShopSite gives you the option of storing the data with 2 different "choices" of encryption, as well as the ability to not store the data and use real time processing. Actually, I'm rebuilding a site using ShopSite right now.
I don't know about the legalities BUT if you are the one providing the solution you are going to have to meet the rigid standards that are in place, whereas a good hosted solution should have the necessary standards in place to begin with.
Dave

02-11-2008, 05:17 PM
WebProWorld New Member
Join Date: Dec 2005
Posts: 14
Re: Credit Cards and database vs. shopping cart
Is your client on shared hosting?
If the answer is yes, I don't recommend writing credit card details to the database, even if you use SSL encryption.
What you can do is tell him to write all the form details to the database, and in the checkout process tell the clients to download a credit card authorization form, fill it in with the credit card details and fax it to him.
This is very safe to do. Or, if he wants to charge the card online, have a look around at the regional banks to see if one offers online payments with a redirection method, so the bank collects these details.

02-11-2008, 05:22 PM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
So then it looks like ShopSite would be a hosted solution that I could use. I've been looking at ShopSite for a different client - a brick-and-mortar sporting goods store that wants to sell online as well - and I was impressed by what they offer.
Not sure the travel people would want to pay the monthly fees, but when you're handling credit card data, the security issues are too severe for me to even think of taking that responsibility!
Thanks again for your help ~ Carol

02-11-2008, 05:24 PM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
Thanks for your thoughts Dimareli. The fax option with the credit card information is a thought, although I think he wants to offer his clients a 1-step data input. But he's not the one who will be charging the card, the cruise line is. ~ Carol

02-11-2008, 05:27 PM
WebProWorld New Member
Join Date: Dec 2005
Posts: 14
Re: Credit Cards and database vs. shopping cart
I think it will be difficult to use shopping cart software for a travel agent, because the products are a little bit different and they need other details than a simple product. Check it; maybe a customized script will be better.

02-11-2008, 07:01 PM
WebProWorld Pro
Join Date: Aug 2003
Location: Fullerton, CA
Posts: 148
Re: Credit Cards and database vs. shopping cart
Before you even consider storing credit card information read the PCI-DSS (Payment Card Industry Data Security Standard) document at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.
If you DO store info, it must be encrypted, and the storage site must be certified, and there are dozens of rules to follow (requirement 10 is almost IMPOSSIBLE for a small company).
If this fellow IS breached, and Visa/MC find out, the fines can start at $50K (Yes, Fifty THOUSAND DOLLARS) PLUS $50 PER CARD NUMBER "compromised". A "Compromise" on a database of 10000 cards means that if someone steals 10 card numbers from that database, all 10000 are "compromised". Facing such huge fines, guess who he will try to sue..... you? You bet your bippy.
Be afraid, be very afraid. We do this stuff for a living, and WE do not keep customer card numbers on any computer in our facility, we store them on our gateway's servers, so THEY have to pay for the $25K Security Audits.
WIGE had a better idea. Find out who the CC Processor is, and send the transaction directly to them in real time, using Carnival's Merchant ID Number. Most gateways allow a "reference" or "user" field that would allow Carnival to determine what CC#'s came from him.

02-11-2008, 07:25 PM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
Thanks AdvancedMerchant - I'm already afraid! Which is why I stated from the beginning that I don't want to store CC#s. So here is my next question - could I use a hosted shopping cart like ShopSite to send the transaction directly to the cruise line, or would I have to write my own custom script? ~ Carol

02-12-2008, 02:03 AM
WebProWorld New Member
Join Date: Dec 2007
Posts: 9
Re: Credit Cards and database vs. shopping cart
Quote:
Originally Posted by carol
I have a potential client who owns a travel agency. He is currently booking cruises off his website using some service that collects the credit card information (along with all other pertinent data) which then emails the information to him. He then sends it along to Carnival to complete the booking. [I have no idea how the current service sends it to him, or how he sends it to Carnival.]
I wouldn't touch this quote unless I knew a whole lot more about the current service and how he sends payments to Carnival.
It sounds to me like this guy is trying to avoid the need to pay gateway fees that are cutting into his commission. Shopsite (which requires merchant account and payment gateway) or any other payment processing service will not achieve this objective.
In my view there are 2 options:
1. Send customer information to a client database so he can forward this detail on to Carnival (as he has asked). This may be a non-starter for you but he will find someone to give him this ability. As a travel agent he is surely a little cavalier about collecting credit card information (many travel agents will use email, phone, fax and not relate to your alarm about server security).
2. Develop a script that will use his website to collect customer data and bounce directly to Carnival for processing. You would need to understand Carnival's secured data portal and whether they are capable of or prepared to work on some method for recognizing an ID tag so they can assign commission. If they don't have an online affiliate program (I can only assume not, or we wouldn't be having this thread) then this solution may not be possible.
Shopsite as a touching point sounds interesting, but I think too many planets need to align for this idea to work. Also, I don't think Shopsite would shoulder any responsibility for financial information unless it was being passed straight through a payment gateway (and there are those fees again). Also there is still the huge unknown about Carnival's data portal and affiliate-like capabilities.
I may be reading something incorrectly but IMHO you should just let this one go. Let someone set up a semi-secure database for the guy, there are thousands of them across the travel industry.
Good Luck

02-12-2008, 09:26 AM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
Thanks for your input thai_guy - interesting point of view regarding the travel industry! I definitely have to get back to him and find out how much he is willing to spend. I've decided that I am not going to create the database, the security issues are way too frightening. ~ Carol

02-12-2008, 09:44 AM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,768
Re: Credit Cards and database vs. shopping cart
Well, the original post got me thinking about how Carnival's systems would work as far as handling affiliates. It looks like there are two parts. There is a component that acts like a web-based Point Of Sale, where the booking agent can log in and process booking transactions. This is most likely what your client is used to using. Your client lists typical prices and offerings on the site, then when a lead is generated, the agent collects the transaction information and makes the sale through Carnival's agent system (called bookCCL) manually. However, there is a second option.
Carnival Cruise Lines offers a web service that allows a web site to gather information about currently available bookings directly from their database, most likely in an XML format that can be programmatically edited and incorporated into an agent's web site. This allows the site to show "live" availability information. Generally speaking, when a web service is offered to display inventory, another service is provided to process transactions. As far as the customer knows, they are dealing directly with the agent's site. However, in the background, the site is acting as a proxy, sending the purchase form directly to the cruise line for processing. Although the credit card information passes through your server, it is not stored there.
Bear in mind once again, even though this method does not involve storing credit card data, that data does pass through the server, and you would still need to meet the requirements of the PCI DSS standard.
By the way, Carnival Cruise Lines calls their web service eLink (so creative) and absolutely no useful information about the capabilities of this system can be found on their internal broker site (bookccl.com) without having an account, so you would probably need to call them (1-800-845-2599) to get the API for the system.
Last edited by wige : 02-12-2008 at 09:48 AM.
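The pass-through design wige describes here and in the earlier reply (contact and order details kept locally, cardholder data forwarded to the processor and never written to the agent's database), as an added Python example. This is not code from any poster, from ShopSite or from Carnival's eLink/bookCCL systems; the processor's endpoint and message format are assumptions, so the outbound HTTPS call is an injected callable and `fake_processor` stands in for it, and `SAMPLE_FORM` is constructed.

```python
"""Pass-through booking handler: keep order details, forward cardholder data.

Added example for this thread; not code from any poster, from ShopSite or from
Carnival's eLink/bookCCL systems. The processor's endpoint and message format
are assumptions, so the outbound HTTPS call is an injected callable and
`fake_processor` stands in for it. SAMPLE_FORM is constructed.
"""
import json
import re
from typing import Any, Callable, Dict, List

# Contact and order details the agent is allowed to keep locally.
LOCAL_FIELDS = ("name", "email", "phone", "sailing", "cabin")
# Cardholder data: forwarded to the processor only, never written locally.
PAYMENT_FIELDS = ("cardholder", "card_number", "expiry", "cvc")

Processor = Callable[[Dict[str, Any]], Dict[str, Any]]


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display rule)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def split_form(form: Dict[str, str]):
    """Separate a submission into the part that stays here and the part that is sent on."""
    missing = [f for f in LOCAL_FIELDS + PAYMENT_FIELDS if not form.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    order = {k: form[k] for k in LOCAL_FIELDS}
    payment = {k: form[k] for k in PAYMENT_FIELDS}
    return order, payment


def handle_booking(form: Dict[str, str], local_store: List[Dict[str, Any]],
                   processor: Processor) -> Dict[str, Any]:
    """Process one booking: store the order, send the payment on, keep no PAN or CVC.

    `processor` stands in for the HTTPS call to the provider (assumed API). It gets
    the full payment block once; the local record keeps only a masked PAN and the
    provider's reference, so a copy of the database (or the Excel export built
    from it) contains no cardholder data.
    """
    order, payment = split_form(form)
    order_ref = "BK-%06d" % (len(local_store) + 1)   # sequential booking reference
    card_masked = mask_pan(payment["card_number"])     # e.g. 411111******1111

    # The only place the PAN, expiry and CVC leave this function is this call.
    response = processor({"order_ref": order_ref, "order": order, "payment": payment})

    record = {
        "order_ref": order_ref,
        **order,
        "card_masked": card_masked,
        "processor_status": response.get("status", "unknown"),
        "processor_ref": response.get("auth_code"),
    }
    local_store.append(record)
    return record


def store_contains(local_store: List[Dict[str, Any]], needle: str) -> bool:
    """Check a serialized copy of the store for a raw value (proves nothing leaked)."""
    return needle in json.dumps(local_store)


SENT_TO_PROCESSOR: List[Dict[str, Any]] = []   # what the stand-in received


def fake_processor(message: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the provider's HTTPS endpoint (assumption, not a real API)."""
    SENT_TO_PROCESSOR.append(message)
    return {"status": "approved", "auth_code": "A1B2C3"}


SAMPLE_FORM = {   # constructed; 4111 1111 1111 1111 is a well-known test number
    "name": "Jane Doe", "email": "jane@example.com", "phone": "555-0100",
    "sailing": "7-night Caribbean, 2008-04-19", "cabin": "Balcony",
    "cardholder": "Jane Doe", "card_number": "4111 1111 1111 1111",
    "expiry": "11/09", "cvc": "987",
}

if __name__ == "__main__":
    store: List[Dict[str, Any]] = []
    print(handle_booking(dict(SAMPLE_FORM), store, fake_processor))
    print("PAN in local store:", store_contains(store, "4111111111111111"))
```

The split into `LOCAL_FIELDS` and `PAYMENT_FIELDS` is the whole point: the database the client wants to export to Excel only ever receives the first group plus a masked number and the processor's reference. As wige says, the server is still in PCI DSS scope because the data passes through it, so request logs and error traces need the same care as the database.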

02-12-2008, 09:47 AM
WebProWorld Member
Join Date: Jul 2003
Location: New Jersey, USA
Posts: 83
Re: Credit Cards and database vs. shopping cart
Wige,
You guys are great! Thanks for all your input and help. I really appreciate it.
Carol

02-12-2008, 10:41 AM
Moderator
Join Date: Aug 2004
Location: Playing with fire!
Posts: 2,922
Re: Credit Cards and database vs. shopping cart
Quote:
Originally Posted by thai_guy
It sounds to me like this guy is trying to avoid the need to pay gateway fees that are cutting into his commission. Shopsite (which requires merchant account and payment gateway) or any other payment processing service will not achieve this objective.
Actually, no it's not. If transactions are being processed offline, in this case by someone else, then a merchant account and gateway is not needed.
Dave

02-12-2008, 01:19 PM
WebProWorld Pro
Join Date: Jan 2008
Posts: 290
Re: Credit Cards and database vs. shopping cart
Quote:
Originally Posted by wige
If your client is an affiliate/reseller/etc of Carnival, where their site only collects the transaction information before passing it on to Carnival who will process and complete the transaction, I would check with Carnival to find out if they offer a web service (a secured Ajax interface that financial data can be sent through) that you could use. In this scenario, the user would fill out the order form on your web site, then when they submit the data, your site would store the customer's contact information and order details locally, and forward the financial and contact details to Carnival through the web service.
I have set up a system like this on one of my own sites, where because of the nature of product that is being sold we need to verify inventory status before processing the transaction and thus could not use a traditional payment gateway, so we use a web service over https to transmit the financial information to a service provider before completing the sale. No financial data is ever stored on our own server.
Please note, if any financial data will be "touching" your web site - this means that the data is sent to your server, even if it is not stored there - there is a very high standard of security that you have to meet. For example, the credit card number must be heavily encrypted, the entire server must be scanned for vulnerabilities regularly, and it is a federal crime to store CVC codes on the same server as the credit card number. Failure to meet the standards could result in losing your ability to process credit cards, and could result in prosecution. Your payment provider should be able to give you information on the security precautions you need to meet. That provider may also be able to offer you additional suggestions to handle this situation if Carnival does not have a secure web service available.
Excellent post Wige. Webmasters, designers and developers need to be more aware of both the security risks and liabilities of the financial data they collect.
I recently turned away a potential client who was collecting credit card data and storing it on a non-protected text file on his server. The only change he wanted made was to have all the data emailed to him so he could run it through his business POS credit card machine. Not something I am willing to do. He refused to listen or recognize the risk, so I sent him elsewhere.
__________________
I use Country IP Blocks as added security for my networks and servers.
Last edited by Tech Manager : 02-12-2008 at 01:19 PM.
Reason: clarification
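A check for the situation Tech Manager describes (card numbers sitting in a plain text file or log on the server), as an added Python example that is not code from any poster. It finds digit runs of card-number length, keeps only those that pass the Luhn check so timestamps and order ids are ignored, and reports each hit masked rather than echoing the number. The file content is constructed and uses well-known test card numbers.

```python
"""Find card numbers that have leaked into files or logs at rest.

Added example for this thread, not code from any poster. SAMPLE_FILE is
constructed; the card numbers in it are well-known test numbers.
"""
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run (so a 20-digit id is not split into a "card").
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most timestamps, order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """First six and last four digits only, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid number; the full number is never returned."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": line_no, "masked": mask(digits),
                                 "length": len(digits)})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a file on disk (exports, mail spools, web server logs, order dumps)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed order log: two real-format test PANs, one number that fails the
# Luhn check, and timestamp-style order ids that must not be reported.
SAMPLE_FILE = """\
2008-02-11 12:55:00 order=20080211125500 name=J. Smith card=4111 1111 1111 1111 exp=12/10
2008-02-11 12:57:13 order=20080211125713 name=A. Jones card=5555555555554444 exp=03/09
2008-02-11 12:59:40 order=20080211125940 name=R. Lee card=1234567890123456 exp=01/11
2008-02-11 13:01:02 order=20080211130102 note=customer will fax authorization form
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print("line %(line)d: %(length)d-digit number %(masked)s" % f)
```

A hit means the file belongs in the scope AdvancedMerchant describes: the number has to be removed from the file and the system treated as one that stores cardholder data until it is. The Luhn filter is what keeps the output usable on real logs, where timestamps and order ids produce long digit runs on almost every line.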

02-12-2008, 02:11 PM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,768
Re: Credit Cards and database vs. shopping cart
Hm, doesn't Visa offer a reward for turning in sites that are so improperly secured?
Just a thought...

02-12-2008, 04:00 PM
WebProWorld Pro
Join Date: Jan 2008
Posts: 290
Re: Credit Cards and database vs. shopping cart
Quote:
Originally Posted by wige
Hm, doesn't Visa offer a reward for turning in sites that are so improperly secured?
Just a thought...
Wasn't enough to pay for my new car, but it helped.
__________________
I use Country IP Blocks as added security for my networks and servers.