Posted by Richard Lynch on 10/04/76 11:08
Richard Miller wrote:
> what
> are the best practices for a *small* site to accept credit cards? I
> have a couple of clients with small sites that would like to accept
> credit cards. Supposing PayPal is out of question (because it doesn't
> quite look as professional), what sort of payment gateways have you all
> used?
> Is it okay to use shared hosting with a payment gateway?
Yes, but...
I once tried to set up a site using CardService / LinkPoint some time ago
-- somewhere around 2002 or 2001, I guess.
After going around and around with them to get them to send me the PHP
interface instead of the Perl interface they initially sent (Grrrr!) which
took weeks and weeks on end...
Testing their PHP interface, I found that they were storing the credit
card info ON DISK temporarily in their processing algorithm.
I.e., their PHP binary dumped the credit card info to a /tmp file, then
invoked a function that would read the info in that file and process it.
On a shared server, this meant that all the credit card info was
accessible to every other PHP user on the shared server!
What's worse, it would probably not be that hard to forge bogus charges
and run them through by another user running my PHP scripts and/or their
API.
I immediately reported this flaw to their security division, as their
documentation requested, and called the Sales Guy to register my complaint
with him.
I surmised that their binary file wasn't thread safe, which was why they
were doing all this -- to avoid two PHP/Apache children running their code
at once.
Meanwhile, I had gotten that monthly $25 fee invoice, and had called the
Sales Guy and said that I wasn't paying $25 until we actually had SECURE
transactions running, and asked him to switch me over to "testing" status.
I had hoped to get up and running fast by starting off in "real" mode, but
hadn't counted on them selling me insecure software!
He said he'd do it, and to not worry about the $25 fee, which would only
kick in once it went back to "live".
I continued to get the monthly invoice *BUT* the balance owed was always
just $25 -- the current fee, and it didn't build up, so I figured it was
just a really weird billing system. (Actually, it *was* a really weird
billing system in other regards too.)
After going around and around with the Sales Guy -- who could only claim
"but it must be secure!" and getting zero response from their security
division, I just plain gave up and told my Sales Guy to cancel my account
and send me a refund if they couldn't get their act together.
My position was they sold me an insecure product.
I never got the refund.
Much worse, after a couple years, I got this letter from some Collections
agency!
Apparently, they had never switched me over to the testing mode, and their
Total Due on the bills was always $25, but they thought I owed them over a
thousand dollars!
Needless to say, I was *BACK* on the phone with Sales Guy, and eventually
brow-beat him into getting me in touch with Security Division, who
admitted that their earlier versions (up until Feb 2004) were not suitable
for deployment on a shared server. I.e., the security flaw I had notified
them about within a day of testing was for real, and my Sales Guy was 100%
wrong.
Anyway, I eventually got them to reverse out the monthly fees from all
that time, and get Collections Agency off my back.
But I *NEVER* got them to refund the $495 for a useless Certificate :-(
I can only say that, even though they are now "secure" for a shared server
with PHP, I sure can't recommend CardService or LinkPoint!
Maybe if they gave me back my $495 from the useless Certificate, but,
frankly, the sheer amount of my time they wasted with their Sales Guy's
endless lies and sheer stupidity make me doubt that I'd ever recommend
them.
I guess my point is that you're doing the right thing to ask around, but
these guys came recommended from somebody I trusted -- only he wasn't on a
shared server, so simply wasn't in the same ball-game I was in.
Be sure that you specifically check for shared server support and
suitability, and you see it in their security documentation, not just some
Sales Guy saying "Yeah, sure, it must be okay."
To make this long story short, my personal recommendation from a single
data-point is:
Stay away from CardService and LinkPoint.
Others may disagree, of course. :-)
> One of
> my clients already has a physical card-swipe merchant account. Should
> I contact their bank to see what online options they offer?
I'll chime in with a definite YES on this one.
If nothing else, you'll have less process management on the back-end of
the sales, as all your credit card stuff will come in one report, from one
place, at one time, instead of having to reconcile two sets of credit card
reports.
Short term, it might seem like they're "more expensive" but when you
consider what all you'll have to go through on a day-to-day process for
the accounting of the sales, you may realize that the Total Cost of
Ownership for this is a better "deal" than saving a few bucks a month in
fees.
If they are *way* out of line, then maybe think about setting up a new
package deal for on-line and brick-and-mortar with somebody who will give
you a better deal on both.
PS I'm also interested in seeing responses to this, so please summarize
any off-list response.
--
Like Music?
http://l-i-e.com/artists.htm
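As an added illustration (not code from the post, the vendor, or the list), here is a small Python audit for the exposure described above: it flags files in a scratch directory that accounts other than the owner can read, next to the way such a scratch file should be created (mkstemp, mode 0600). It assumes the sites on the host run under separate UIDs; where every site runs as the same web-server user, file permissions alone do not separate tenants.

```python
import os
import stat
import tempfile


def others_can_read(path: str) -> bool:
    """True if the file's mode grants read access to group or others."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_scratch_dir(directory: str) -> list:
    """Return names of regular files in `directory` readable beyond the owner.

    On a host where each site runs as its own UID, such files are visible
    to every other tenant, which is the exposure the post describes.
    """
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if stat.S_ISREG(os.lstat(path).st_mode) and others_can_read(path):
            exposed.append(name)
    return exposed


def write_private_scratch(directory: str, data: bytes) -> str:
    """Create a scratch file only the owner can read and fill it.

    mkstemp opens the file with mode 0600 and O_EXCL, so it is never
    readable by other accounts, not even briefly. Caller removes it.
    """
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Constructed scenario: one carelessly written file, one private one."""
    work = tempfile.mkdtemp()
    sample = b"placeholder payload, not a real card number"
    careless = os.path.join(work, "txn.dat")
    with open(careless, "wb") as fh:
        fh.write(sample)
    os.chmod(careless, 0o644)  # the usual result of a default umask of 022
    private = write_private_scratch(work, sample)
    result = {"exposed": audit_scratch_dir(work),
              "private_name": os.path.basename(private)}
    for p in (careless, private):
        os.remove(p)
    os.rmdir(work)
    return result
```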