This scenario just screams trouble to me.
Is it illegal to process a CC transaction via physical machine instead of an online processor?
I get asked at least once per month if I can build an e-commerce site that does not hook into a payment processor (e.g. a merchant account, PayPal, Google Checkout, etc.).
The prospective clients would rather have me code a system that emails the credit card details to the owners than integrate an electronic solution.
I have never built such a system – it just seems to be begging for fraud and other issues. I did some further digging and this is what I found.
It’s Against the Rules!!!
Whenever I have a technically difficult question about rules, regulations, etc., I go to my social network. Here’s what some industry experts I know said:
The PCI DSS (Payment Card Industry Data Security Standard) describes the requirements for safe and secure handling of credit card information. In short, no, you cannot send credit card information through email.
Martin Israelsen, Founder/CTO Web Reservation Systems
The card associations’ rules, and now their joint security council’s (PCI SSC) DSS compliance, state that this type of transaction, where cardholder data like card PANs, security codes and/or track 2 data appear in the open (not encrypted or masked or hashed), is strictly prohibited. It will do your clients well to read the current PCI DSS compliance document. There are certainly better ways to handle such transaction requirements and you should be commended for questioning the emailed card data method.
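As an added example (not code from the post or its commenters), here is a small Python check a defender could run over outbound mail to catch card data sent in the clear: it uses the Luhn mod-10 check to tell a PAN from other long digit strings (an order number, for instance) and masks any hit to first six / last four. The sample message and the 4111… test number are constructed.

```python
import re

# Constructed sample: the kind of "order notification" e-mail the prospective
# clients asked for, with a Luhn-valid test PAN (4111..., a well-known test
# number, not a real card) and a 16-digit order id that is NOT a PAN.
SAMPLE_EMAIL = """New order #1234567890123456
Name: J. Example
Card: 4111 1111 1111 1111  Exp: 12/29  CVV: 123
Ship to: 1 Example St
"""

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN that appears in the clear in the text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_outbound_email(body: str) -> dict:
    """Outbound-mail gate: block the message if it carries a clear-text PAN."""
    pans = find_pans(body)
    return {"block": bool(pans), "masked": [mask_pan(p) for p in pans]}


if __name__ == "__main__":
    print(scan_outbound_email(SAMPLE_EMAIL))
```

A hit means the message must not leave the system at all; masking is only for the alert or audit log, never a way to make the e-mail "safe enough" to send.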
Subject to Hefty Fines!
It is not necessarily illegal, but if any of the card numbers are used for fraudulent purposes and it is discovered that the merchant uses emails, then the card companies will point the finger (even if your merchant was not directly involved) and the merchant will be slapped with an extremely hefty fine. The cost of implementing a real PCI compliant approach will be small in comparison to these fines (+ any possible barring of future card acceptance).
Just remind your customers that the payment processors are more than happy to pass on their fraud related costs to merchants whenever they can – it therefore behooves any online merchant to take all the necessary steps to protect themselves.
Mark Lowe Chief Technology Officer, Strategic Advantage Technology Solutions
Ethics of Abrogated Payment Processing
Just because I can build something doesn’t mean I will. Such a system would be very easy to corrupt and steal from. Even if the merchant himself didn’t intend to steal credit card information, it doesn’t mean that someone else in their supply chain wouldn’t. Every person who had access to the system would be a candidate for ID theft. I don’t want that on my conscience.
Is it about Manual Solutions or Avoiding Fees?
The biggest reason merchants want to take credit card information via the web and process it manually is so they don’t incur the fee that an online processor charges them. I think PayPal charges about 3% on each transaction. Personally, I’d rather pay PayPal, Google Checkout, Amazon, or anyone else to protect the transaction for me, store the financial data, and shuffle the money around while taking on all the liability concerns. It’s safer for me and it’s safer for my clients.
If they don’t want to pay any processing fee, they will have to accept physical payments only. That means providing an address for people to send their money orders or checks. That’s about the only way they will avoid it, and they won’t get as much business as a result in the online world.
Marie Dolores
It is not an issue of legality, but rather card association rules that forbid card data to be stored in the open (non-encrypted, non-masked, and so on). The problem you have with the request from your client is that they wish to use a POS (cardholder-present) type transaction to capture emailed card data. My main issue with this would be that though PGP encryption may solve the issue of secured email transport, the details of the POS transaction may require the security code to be captured, and whether encrypted or not, my understanding of PCI DSS is that this is entirely forbidden. Even if you PGP the email, you still have a record of card data sitting on two individuals’ PCs and/or a server on which security codes are captured and stored. I may be wrong, but this really needs to be avoided, at least with security codes.
POS transactions were allowed as the associations accepted that telephone (MOTO) merchants have the ‘client’ or ‘customer’ or ‘cardholder’ on the other end of the phone. So your client’s wish to use the POS in this email-attached way would to me contravene even the general card association rules, as this is clearly not a standard MOTO or telephone merchant application.
Johan de Lange