Taking payment details from an online form on your website

[stevealmond]

Hello all,

I operate horse riding vacations in Spain. The majority of my clients come from the UK with the remainder coming from the States and then from the rest of Europe.

I currently have a system on my website through which my clients book their holiday. I would like to change this system to a more automated and professional system.

Currently a prospective client emails for availability. If we have availability they then have to go to my website and download a booking form that is a .doc file. The client then sends the completed form to me by post or email. When I have received the booking form I then telephone the client and take their debit/credit card details which I then charge using the POS terminal that I have here.

OK the current system works. However what I would like to have on my website is an online html form that the prospective client would complete once availability had been confirmed by email. This online form would include fields for the clients credit card details.

Obviously data of such a confidential nature should be passed from the client to my server over a secure connection. OK that's no problem, it's more or less set up.

The problem that I have is what happens to the data next. How do I get the html booking form downloaded from my server to my inbox securely. My server suggested PayPal but I have my own card processing machine which negates the need for PayPal, etc.

Have any of you guys set up something similar, and how did you do it.

Regards

Steve

[Corey Bryant]

You need a gateway. Depending on your customers, Paypal might not be a great choice. There are a few gateways in your area that offer both an API and their own sercure website. You might check out worldpay for starters and see what they can offer you.

Do you due diligence - see how much it is going to cost you monthly. Get all the fees from them.

[stevealmond]

Hi Corey,

Many thanks for the reply. PayPal is what I have used for the last two years. However this type of payment system doesn't work too well for my scenario. This is because the full payment for one of my holidays is over the unverified payment limit that PayPal has. Therefore my clients have to register and then verify their PayPal account before they can make a payment to me.

I needed to move on from the PayPal scenario and asked my bank to supply a terminal that I could process card details through. I now have this terminal, and I am looking for advise on how to add this facility to my website securly.

My bank may well supply the gateway that is needed, but that depends on how flexible they are, and whether they can supply the service that I want.

Has anybody else been in the scenario that they have been charging offline using a POS terminal and have added this facility to their website? How have you done this securely.

Regards

Steve

[Corey Bryant]

You have this terminal? Meaning a POS terminal? You need to be careful about storing CC numbers on your website. And displaying them (securely) as well. In the United States, there are eight states that state you cannot display the entire CC number on the website. This is going to become standard soon.

Check with your bank to see if it is OK to key in these transactions. Sometimes keying in transactions on a POS terminal can wreak havoc on the merchant account. An electronic payment gateway might be the best choice.

[stevealmond]

Hi Corey,

You have hit the nail right on the head.

Yes I do have a POS terminal on my desk here. I am authorized to take credit or debit card payments by telephone, internet or post. The machine is just as any you would find in a restaurant or store, etc, except that the system it connects to deals in foreign exchange. I live in Spain, i.e. the euro zone, but 80% of my client base is in the non euro zone, i.e. UK, America, etc. Hence the terminal that has been issued to me by my bank.

My original question was how could I pass the data entered into an online form securely to my email inbox. I raised this question because I had concerns about the security, and legality of my original idea. You have now also raised very important security and legality questions about my idea. I have no intention of storing credit or debit card numbers on my website, nor of displaying them on the site.

However I am still looking for a system on my site that passes booking and payment details to my pc that I have here at home. When the booking details have arrived they can then be checked, and when everything is found to be ok with the booking I can then enter the card details into the terminal.

My bank may well have the solution. They have a system that my website can connect to and pass payment details to my web account. These payments can then be processed immediately online or later offline, hopefully through my POS terminal.

However just in case that doesn't work out I would like to hear from anybody that has set up something similar, and how they did it.

Regards

Steve

[brian.mark]

If you can get set up with an online payment gateway of some sort, either through your bank or otherwise, you won't need the POS equiment you have. All of the payment entering, capturing, and reporting will be done online. POS is Point of Sale, not really compatable with online stuff. Payment gateways will allow you to do everything without you ever seeing the credit card number for your customer, making both them and you more secure in what you are doing.

As for not storing the credit card numbers on the server, technically any time it gets emailed to you it is stored on the server, since the email is a file on the server, even if it is just temporarily. Since email isn't normally retreived over SSL, that makes it very insecure, and a packet sniffer can easily read it as it goes by.

The best bet is to look for a gateway and just use the POS equipment as a paperweight. Since these will all be card-not-present transactions, the gateway may be better rates anyway, since it'll allow you to use the CID number as well as address verification. Just make sure you pass as much information to them as you can to get the best rates available.

Brian.

[stevealmond]

Hi Brian,

Excellent advise, and I have to admit defeat for my original idea of obtaining clients payment details into my inbox by email. The idea was a perfect solution for my business, but security and legality issues make the idea unworkable.

So where do I go from here. PayPal, Worldpay, etc, are not an option. This is because they are all online transactions, and only have a small payment limit. They are not workable options because of the following;

1) My business operates and obviously sells horse riding vacations. The minimum full payment for a weeks holiday is £545 (780€ or US$1,012). This is over the PayPal unverified payment limit. Therefore the client would have to open and then verify their account with PayPal before making the payment, which can take a number of days. I guess that other payment systems like WorldPay would have similar restrictions.

2) The transaction can not be completed online. This is because I need to check the clients booking details before they are charged. They could have booked flights incompatible with my collection times from the airport, or not have the required equestrian experience to join in on our tours. Problems like these with the booking could entail surcharges, or even a denial of the booking.

3) The POS terminal that I have charges 2.5% commision which is less than other payment options like PayPal.

Because of the above I need an online booking system that passes booking data to me and allows me to charge the client at a later date, i.e. offline. My bank could have the answer, as they state that they have an offline internet payment solution. Sounds ideal, but I am still investigating.

Obviously I am still interested in hearing from anybody that has had a similar problem, and has found a satisfactory internet solution.

Regards

Steve

[brian.mark]

Online payment systems normally will allow you to change the amount before capturing the funds, so you'd be fine with that. By having it captured that way, though, you don't get the card number. Keeps both ends secured.

Keep in mind, however, that you may get charged a second transaction fee (usually small) if you UP a charge. Lowering normally doesn't cost extra.

As for your POS terminal, that 2.5% rate is most likely only for card-present transactions, not manual keyed transactions. Card-present is considered the most secure, and thus has the lowest rate. Manual keyed usually has the highest, and anything online (unless the customer has a card swiper - very rare) is considered manual.

Also, you normally only run an authorization online, then capture the funds later, so cancelled bookings won't be processed.

Good luck!

Brian.