Announcement

**Duncan Rounding** · 20-Apr-2006, 12:13 PM

Beware - if you use your computer to make purchases online as if you were the customer then you will be considered to be making fraudulent transactions and at the least your PSP account will probably be suspended. Your PSP will see the same IP address being used for different card payments. If you wish to process cc details yourself you will need an account that allows you to process offline or/and an account that offers a virtual terminal.

**Mike Hughes** · 20-Apr-2006, 12:53 PM

I've done this with no problems for the last three years or so. Duncan, are you speaking from experience, knowledge or just a feeling that this is the wrong way to do it?

Mike

**Duncan Rounding** · 20-Apr-2006, 01:10 PM

No it hasn't happened to me but I did read and dig around some time ago. At that time I found that unless I could get express permission to so or had a virtual terminal (or card holder not present account) I was not allowed to enter customer details as if I was the customer. I'll have a dig around again. perhaps others have experience with this that could comment also.

**jont** · 20-Apr-2006, 01:34 PM

Entering cards that way without the customers approval (let alone the banks authorisation) would contravene the storage of data rules and regs ... if the site was comprimised in any way you would be up to your neck in it. A Duncan points out you are also not authorised to make a transaction using that card - you are in effect buying items using someone else card - how can you prove to the police you are not simply stealing money or obtaining goods using a stolen card? It is the same principle.

Most customers will phone an order through for a reason which may include not trusting the use of their card over the internet.

**Mike Hughes** · 20-Apr-2006, 01:55 PM

OK. Two points raised here:

1. Agree with Duncan's follow up. If you don't have a 'customer not present'/virtual terminal account then you can't take payments if the customer isn't present. This doesn't appear to be what's being discussed here though. The way I'm reading this, he has a customer not present/virtual terminal account but want's to enter the order via his website rather than use the virtual terminal. I do it this way because a) It's the only way on V6 and b) it saves entering the information twice.

2. Entering Via SSL on a website is exactly what you do with a virtual terminal. The fact that you enter the order on your website and then pass to the PSPs and enter the CC data there rather than going straight to your PSPs virtual terminal is neither here nor there and a complete red herring (to put it politely).

Jont I'm kinda surprised at you.

Mike

**Duncan Rounding** · 20-Apr-2006, 02:05 PM

You are correct Mike - in this case I think PeterM has an account to enter offline payments - I misread his post.

Regarding your second point however, although you are absolutely correct in principle regarding the SSL security, I doubt the PSPs would agree - hence a virtual terminal type account where it is expected that multiple different payments will be processed through a single IP or user. Apart from an opportunity to recoup yet more money from the merchant it does allow a better control for the PSP - even though if fradulent the merchant is still liable.

**jont** · 20-Apr-2006, 02:16 PM

Originally posted by olderscot

and enter the CC data there rather than going straight to your PSPs virtual terminal is neither here nor there and a complete red herring

Jont I'm kinda surprised at you.

You know what b******ds the banks are - without digging out the 102 pages of small print I wager you are not allowed to process customer cards in this way

That being said they seem to turn a blind-eye to a lot of things if they are taking your money and only seem to get narky when the customer complains to them directly.

GARR to Banks

**Mike Hughes** · 20-Apr-2006, 02:30 PM

without digging out the 102 pages of small print I wager you are not allowed to process customer cards in this way

Possibly true, although I'd be surprised if they actually thought about doing it this way as it is really just a case of the same thing as virtual terminal only slightly different. They do tend to dislike anything 'slightly different' so I'll let you have that one.

The thing I really disagreed with was the suggestion that it would be breaking all kinds of data rules and regulations, using the card details without authorisation, and breaking customers trust by authorising the payment over the internet. None of which is the case.

Mike

**jont** · 20-Apr-2006, 02:56 PM

Originally posted by olderscot

I'll let you have that one.

Ta

Originally posted by olderscot

breaking customers trust by authorising the payment over the internet.

Probably just me being extra-cautious then .... I'll let you have that one

**PeterM** · 21-Apr-2006, 09:45 AM

Good replies.

Well i have read with interest the comments posted and i thanks you all for the feedback and help.

First of all i do have an agreement with the PSP regarding the issue of the same IP address sending orders through, i contacted them as soon as i saw the first warning come through. I explained what we are doing and asked what the best way to stop these warings coming up, they just said carry on and we will fix it this end, and they did.

Having said all this, no matter if we have a warning/caution or a clean as a whistle transaction from a phone order or an online order, if the card company want the money back then we loose everytime. I am sure you guys know it anyway . .. It's a bitch but we build it into the business model knowing that we will loose xxxx pounds in fraud/theft each year.

Back to the problem > > > > How not to keep the last transaction data in the browser?
Any ideas?

A great way would be to configure the Offline order system with an option to take the payment online..

We have this in a Quick Books accounting package . . . Which we no longer use . . Double work and all that ! !

Regards
Peter

**Duncan Rounding** · 21-Apr-2006, 09:52 AM

Sorry to take your post off topic earlier.
You probably thought of this but - I can only think of clearing the session cookie before entering your next order details - not ideal and maybe more work than changing the details but should work.

**PeterM** · 22-Apr-2006, 07:22 AM

Cookies

Yes we could do that each time, okay if it was me doing it each time but we have office staff taking orders so it's to risky for us to leave this task down to error.
Goods will be delivered to wrong addresses and so on ..

We might have to take the order off line, then take the payment through the terminal but i hate to create a situation where we have to type details twice.

Scratch head time again i think ! ! !

Maybe one of the Mole End plugin bits and bobs will do the job?

**Mike Hughes** · 22-Apr-2006, 08:44 AM

I remembered this morning about a way of creating a button that will clear the cookie for you. All your staff will have to do is click the button before entering a new order.

See here: http://community.actinic.com/showthread.php?t=10842

Mike

**PeterM** · 23-Apr-2006, 06:36 AM

Cookie fix

Hi,
Just the job, this works 99.9% of the time.
As long as it's not used in the cart itself or any other check out pages then it works fine.

Thanks for the answer.

Announcement

Phone order problems

Phone order problems

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment