Hi group, Being new, this question has probably been beaten to death already, but I'd like some insight. I've been researching payment gateway companies and investigated Google's solution, as well as Authorize.net and keep finding the same clause in their legal that exempts them from any real liability should hackers breach their database. This puts the onus on the retailer for someone hacking into a service provider's system. I need a win-win company with comprehensive legal for legitimate consumer grocery sites. Thanks for any suggestions. borzhmere
If you are in the US and you have the option to use Authorize.net, then that's the way to go, you won't find something better, and in regards to the liability, then it's almost the same for any company you will find.
Well Wal-Mart, McDonald's, Home Depot - they use the First Data Global Gateway. Costco uses Nova / Elavon for their gateway. Your legal department probably needs to read up on PCI DSS. For some other gateways in the United States check out most popular gateways. There will always be some liability on your part, but if you are PCI Compliant, it will help you some if there is a breach.
I'm a strong believer in the "there's nothing completely secure" idea. Even said, authnet and some of the other major payment gateways are some of the most secure systems ever made. If authnet's database got broken into, we could see a meltdown of the entire worldwide credit card system. Apart from that, authnet is still liable for the credit card numbers they are holding. If their database gets hacked, they're completely liable.
Thanks for all the great input. I will definitely look into First Data and Nova as possibilities. We're totally PCI compliant and understand that piece of it. Because of the recent Hannaford issues, we're probably more PCI-paranoid than many companies, creating microscopic legal analysis of any financial contracts into which we enter. We also understand there will be some liability. Unfortunately, if one reads Authorize.net's contract closely, you'll find that they severely limit their liability in case of system breach. One could argue that they're one of the most secure sites for handling cc transactions, but legal's job is to protect from the "what if's". If there are alternative companies out there, and apparently there are, then I'd like to understand what kind of legal they're bound under. Thanks again for everyone's insight. It's very helpful. Borzhmere
Well besides the other list, there is also the Quantum Gateway and Payflow. You also need to keep in mind that if you have a merchant account already, you can also contact the merchant account provider for a list of compatible gateways if you want to stay with that provider.
Thanks Corey. We are set up with a merchant account so I'll have to look into it from that avenue as well.
http://www.pcworld.com/article/158003/massive_theft_of_credit_card_numbers_reported.html Heartland just suffered a breach on par with what an authnet breach would look like. We'll definitely see how far the liability goes.
Yes, they are good but CDGCommerce is a merchant account provider (ISO / MSP for First National Bank of Omaha). They are compatible with a couple of gateways and they have their own gateway Quantum Gateway as I mentioned in this post. Sometimes changing merchant account providers can be very difficult - the accounting department needs to get used to another portal to use to check for deposits, holds, chargebacks, etc. Sometimes, though, it is worth it. In the industry though, a lot is not black and white. There are many shades of gray. If the legal department is holding you up on picking / implementing the gateway, you might suggest the attorneys place a call into Authorize.net / Cybersource legal department. This might help your legal department to understand some of the complexities. They might not choose Authorize.net / Cybersource in the end, but they will understand a bit more and then be able to look at the other compatible gateways.
Correct about changing merchant account providers. That's not going to happen. There actually has been discussion between legal and Authorize.net. I've not been able to get looped in on any feedback in that respect. Definitely appreciate all the responses. It's very helpful to me in getting my arms around this animal so we can all play nice in the sandbox. Did see that information about Heartland today. Corey - what's your take on potential fallout?
The card that we use primarily for eating out was actually compromised about six weeks ago. Even though they claim no merchant data was breached, it would be interesting to see what happens and what they claim was compromised. I remember hearing something about it last year sometime through the grapevine but did not pay too much attention. I imagine though this will probably have most of the other providers push the PCI DSS on the smaller merchants if they have not already.
It is also (unfortunately) a perfect example of what I wrote about last month - even though you are PCI compliant, you can still be vulnerable to attacks (assuming they are PCI Compliant; if not, the fines from the card associations could really put a strain on their funds