Dialogue on Web Security

Credit Card Transactions

I'm all for auto-magically making money over the net, but since we were the first company in the world to try and automate credit card transactions on the net... well, let's just say I'm not convinced anyone will be a "winner" with that process in the next couple years. In early 1995 S-man and I worked directly with FirstData, MasterCard and Visa concerning secure cc transactions over the net.

Then why are the CC companies doing web biz? You figure they're losing money and will continue to do so? You figure they shouldn't be in the biz under current conditions? Or that everybody employing CC sales can't make money for some reason? The implication here is that *no one* is making money using web credit card transactions, and I find that patently unbelievable.

Why are MC and Visa doing biz? As far as I know they are only just getting into it, even now... and have they authorized any direct internet transactions? I haven't asked em in about 6 months... but the last time I did, they said I couldn't use my merchant account for internet transactions... and I don't know of any MC or Visa endorsed software package.

Perhaps I'm wrong on this, but I'd bet that the CC customer doesn't profit from putting his money into those efforts.

Besides, I've found 2 things:

  1) The actual transaction part isn't where the security problem lies
  2) Any database that is connected to the net is not secure

    I don't understand this: I see thousands of web sites which use, accept and process charge cards, e-cash... and they have been doing this not "just starting", but for several years. I would think they process the charges no differently online than they do off line, and with the same limitations and latitudes. And though I don't know of an "endorsed" software package, I also don't know of the apparent need for one. If you do, then explain it to me. Are these issues so badly misunderstood globally? And by the way, I can't help feeling that you didn't tell the credit card client all of this stuff... am I wrong?

    No... I didn't tell him... he didn't seem to want to listen to it.

    You're suggesting that credit card transactions on the web are illegal?

    People are doing it... only a few with the permission of the major CC companies. But MC and Visa appear to want a monopoly on it. My inside sources say they want a "chip" or other hardware lock that goes into the computer. And the CC companies' requirement for an endorsed software package is exactly for that reason... MC and Visa say you must use theirs... and anyone who pays for others will be violating the merchant's agreement. Do you wanna build your software around an unendorsed package?

    More background... when I got my merchant account I told em exactly what I would be doing... though they didn't understand (we were the first merchant account to apply for such a thing) we still got approved. It was only later that they understood... and came back to tell me I could not do it... of course, that didn't stop me... how can they tell where the transaction originated?

    So, you're saying that charge card companies are turning away charge biz if they know the transactions originate on the web. Meanwhile, it's still being done by merchants, by your account, on the sly. So the merchants process credit card payments from web biz, but they don't tell the CC companies about it. This means all those thousands of web sites with charge card payment options are veiling the web source of their charges to the credit card companies?

    I think so... except for a couple of the big boys maybe... like MicroSquish... who have back room deals. I haven't talked with MC or Visa in about 6 months... but the last time I did, they said I couldn't use my merchant account for internet transactions. Soon, there will be an integrated net commerce package where you must go through the big boys... like MC and Visa. Until then it's the wild west... it's fun but don't get shot.

    "Gettin shot" can mean a lot of things. Is getting caught by the CC companies the big issue? Or is it transaction security? And what's with the secure and unsecure server CC transaction options on some of these pages?

    My current position is not to worry about secure/unsecure server CC options... because it is pretty irrelevant... I'm happily taking all the CC transactions I can without a "secure" server option.

    ... when you just got finished trying to discourage a client from providing CC transaction capability on his web site? ... so did you tell the client that he is exposed to getting shut down by the CC companies?

    I do worry that the CC companies will shut me down. And I didn't tell the client he is exposed to getting shut down because I didn't know if he is... maybe he has a special deal with the CC companies... what do I know?

    I would have asked him that first thing when the topic of CC's came up. That way, you *would* know. And that's a good entrée (no matter what his answer) to show yer stuff on the topic.

    You're right... he just caught me off guard. Once again I learn da costly game of communications.

    You, me, and about 6 billion others.

    In any event, as much as you may not like hearing it... for now I'd have a human in the process.

    I've learned a lot about over automating specific things too quickly on the net... it's usually costly... VERY costly. It's a lot cheaper to hire someone at $8/hour in most cases... or a third party company.

    I'll say it again: nobody, repeat, nobody said eliminate humans from the process. But there's a lot of ground between none and a cast of thousands, and between no transactions and thousands of illicit transactions. Besides which, from what you've said, you can't do full CC automation without the CC companies' approval anyway. The point is, what is the right blend of humans, machines and process to get the optimum result?

    The core issues for things like this are (1) can we get clients on a credit card system? (2) are we breaking any laws by doing so? (3) if we're not breaking any laws, then can we give clients a relatively cogent explanation of the security risks? (4) what security measures are available, and (5) which of the security measures do we recommend?

    Before we go further, let me say that we've never had a cc transaction stolen, but I have lost thousands through hackers.

    I don't see the connection between the two... are your CC transactions hacked? Just "viewed" without any intervention? What are you saying? The first priority seems to be to establish what the client wants, then establish, based on your experience, additional issues which are important to supplement their security mechanisms for hack-protection, etc.

    These two issues don't appear to be clearly defined in much of *anybody's* mind. In the case of the CC client above, their security vulnerabilities would be as much informational as transactional. Unless I'm badly mistaken (not), I think some of *their* potential micro-technology clients are more concerned with informational exposures of secure databases, rather than whether CC transactions would be at risk.

    From that implicit initial starting point, then, suddenly everybody's talking about CC transaction security and marketing.

    This is raising some interesting points about how clients view web-security concerns... including how they see security matters in prioritized form... or lack of prioritized form, as the case may be.

    Agreed. And I told the CC client that. But he was focused on cc transactions.

    I need to get a sense of what you consider the boundaries of over- and under-automating. So far we're just talking in kinda ephemeral terms.

    Well, it's hard to say... we had a newspaper who wanted us to fully automate uploads and webpage conversion... but if we would have done so, it would have ended up shuttin' us down... there was a corruption at their end... and if we would have automatically shipped the corrupt files, it would have killed us. Same is true with cc... someone hacks in... sets themself up to get the auto uploads and wa-la... auto theft...hehehe... gives new meaning to car-jackin'... and so on. The right mix has a human making sure things go smooth and sales are maximized... just like forms... lots of ISPs have automated forms... we have some... but without a human watchin' over, we would lose lots of money.

    Can we get clients on a credit card system?

    Ah... what kind of system? One without a human... we could do it, but as I said, I wouldn't recommend it.

    ... in other words, "yes", and you are on one yourself, but you don't want to put others on one. Next, then (2) are we breaking any laws by doing so?

    FirstData said we would be... they're the guys that move all the MC and Visa data through the electronic pipe.

    Okay... through the back door, then... (4) what security measures are available/which of the security measures do we recommend?

    Not any good ones for the transaction itself... but after the order is transmitted to the ISP, we recommend strong security... firewall... a separate or throwdown machine not connected to the net which sends the transaction to the CC company.
