Accepting orders form ( secure for CC info to be entered )

Discussion in 'Payment Processing' started by ph33rgear, Feb 8, 2007.

  1. #1
    I have a client that wants to accept orders online, but to be processed manually.

    We want this form to calculate the taxes according to the province. This order form would be for custom signs, so we want to be able to put options for different sizes and options (colors), sizes of lettering etc...

    We would also like clients to have the comfort of knowing their information (cc #) is being securely passed along.

    Could anyone recommend the best option for this kind of order form?

    Thank you in advance.
     
    ph33rgear, Feb 8, 2007 IP
  2. Corey Bryant

    #2
    Order form - is just an HTML order form. You need to have an SSL cert and read about encrypting information in a database. You should read about CISP compliancy because storing that information - you need to be compliant, otherwise when a breach occurs, the merchant will be fined and possibly lose his merchant account.

    And then once the CC number is processed - it should be deleted. You need to read about what you can and cannot store.

    Do I recommend any of this - no. It is going to take a lot of time to process the card. If the card does not go through, the merchant is going to have to call the consumer. The merchant cannot email the consumer since chances are the consumer will not have a secure email to send his / her credit card number through. The consumer will have thought the transaction was completed, yet the merchant is calling saying that it was not.
     
    Corey Bryant, Feb 9, 2007 IP
  3. jestep

    #3
    I have to agree with Corey, this isn't a good idea in general.

    It is actually more difficult to securely process transactions manually on the internet than it is to use a payment gateway.

    The main problem is that you are going to have to store credit card information for the whole thing to work. You are definitely not allowed to email credit card numbers.

    Make sure to look into becoming PCI compliant, make sure that the data being stored is encrypted, and make sure that SSL is used between any transfer of sensitive information.

    It sounds like some sort of custom web application would be better in this situation. It would probably take some good programming, but would be more secure and much more automated.
     
    jestep, Feb 9, 2007 IP
  4. ph33rgear

    #4
    Anyone know of the most simple way to achieve what I'm doing then?

    I am willing to purchase software etc.. even hire a programmer to make a custom application if need be.

    The only thing my client is worried about (I explained to him what you guys just explained to me, but you had better details) is that the clients didn't want to sign up for any accounts or anything, just come to the site and input the order and done. He did not want any card processing or accept payment in any way online.

    Thanks for the info so far, and if anyone knows of some suggestions as to software to do this please feel free to give me some input... and thanks again you two!
     
    ph33rgear, Feb 9, 2007 IP
  5. noppid

    #5
    Do the questionnaire that creates the job locally and calculate a fee, then have them fax the info or then pass them to a gateway.

    I don't think it's a good idea to do this in house either for the personal info and CC info.
     
    noppid, Feb 9, 2007 IP
  6. Corey Bryant

    #6
    Why doesn't he want an online processor? This is more secure in every way, form, fashion than what you described in the beginning. True, it usually takes longer to get an internet merchant account in Canada than a brick and mortar account, it would be worth it in the long run.

    Most carts will offer an offline payment process - but make sure that you do not store the CVV data.

    How is he going to be processing the credit card transaction if he does not want to sign up for a merchant account?
     
    Corey Bryant, Feb 9, 2007 IP
  7. ph33rgear

    #7
    To be honest Bryant I don't know. He is very untechnical and when I try to explain things to him I can tell he gets overwhelmed easily and then goes back to his way.

    After all it is his business, so I told him I would see what I could find/do.

    I'm going to call him right now and have a chat with him and see what he wants to do about it.

    Thanks for all the replies though everyone, it's been helpful.

     
    ph33rgear, Feb 9, 2007 IP
  8. Corey Bryant

    #8
    If he is not that savvy with this, he should not even be considering processing this way honestly. If he accidentally makes a mistake - it could cost him.

    Visa and MasterCard are cracking down on merchants who violate their agreement. Plus if he does have a brick and mortar account, there is sometimes a field in there that says a percentage swiped and keyed. If he consistently goes over that percentage by keying in transactions, the merchant account provider could become suspicious. If they find out he is processing this way, they could terminate his account. I have seen one processor actually just raise the rates. A friend of mine actually was with one processor (paying 1.54%) for his swiped account. Since he never swiped any - keyed them all because the customers called him, the provider raised his rates to 3.79%. Needless to say, he called me to find out what he should do.

    Visa / MasterCard / the processor have a lot of rules and regulations and it is usually best to follow them.
     
    Corey Bryant, Feb 9, 2007 IP
  9. ph33rgear

    #9
    Well I just talked to him and he didn't want to go fully e-commerce he says cuz his customers are in the stone age and wouldn't sign up for an account to make an order cuz they wouldn't know how and he didn't want to scare them away with signing up for an account etc..

    I mentioned that (it'll be repeat business, not all but most of the time) once they are set up the next order will be on the fly and smooth. He was still not too sure about the whole idea.

    He also said that his merchant account from Moneris is designed to be punched in manually, but the next real question would be how to receive the order securely.

     
    ph33rgear, Feb 9, 2007 IP
  10. Corey Bryant

    #10
    He needs to look at his contract with the provider. He also needs to look to see if they downgrade the transaction if he does not key in the CVV2 / CVC2 / CID number (which is something you cannot store). Some providers on a swiped account might charge a mid-qualified rate on these keyed transactions without the CVV2 / CVC2 / CID because the transaction is being keyed, less of a chance the merchant has the credit card and less of a chance the merchant has verified the credit card.

    It might be designed but allowing is another question.

    He needs to read Welcome to the PCI Security Standards Council to see what he is basically getting himself into. Not being tech savvy - this is the worst thing he could really do.
     
    Corey Bryant, Feb 10, 2007 IP
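
Added example, not part of the thread or any poster's code: a check that order records waiting for manual processing hold no cleartext card number and no CVV2 / CVC2 / CID, the storage limits raised in posts #2, #6 and #10. The field names (`notes`, `card_last4`, `card_enc`, `cvv`) and the sample rows are constructed for illustration.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Field names (hypothetical) that would hold a card verification value.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid"}

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    """Report only the last four digits so the audit output is safe to keep."""
    return "*" * (len(digits) - 4) + digits[-4:]

def audit_record(record):
    """Return (field, problem) pairs for one stored order record."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_KEYS and value not in (None, ""):
            findings.append((key, "card verification value stored"))
        for m in PAN_RE.finditer(str(value)):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((key, "cleartext card number " + mask(digits)))
    return findings

def audit(orders):
    """Map order id -> findings, for records that have any."""
    results = {}
    for order in orders:
        found = audit_record(order)
        if found:
            results[order["id"]] = found
    return results

# Constructed sample rows; 4111 1111 1111 1111 is a widely used test number.
SAMPLE_ORDERS = [
    {"id": 1, "notes": "card 4111 1111 1111 1111 exp 01/09", "cvv": "123"},
    {"id": 2, "card_last4": "1111", "card_enc": "<ciphertext>", "cvv": None},
    {"id": 3, "notes": "sign 1234567890123456 mm wide"},  # fails Luhn
]

if __name__ == "__main__":
    for order_id, problems in audit(SAMPLE_ORDERS).items():
        print(order_id, problems)
```

Free-text fields such as order notes are where card numbers typed by customers tend to end up, so the scan covers every field rather than only the ones named for card data.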