In the online business world, it is very common to accept credit card payments for products and services. However, it is quite uncommon for site owners to know that there are numerous options available to them, let alone which one they should choose. If asked, the majority of future site owners believe that in order to accept a credit card, they must purchase an SSL certificate to encrypt communication, accept the credit card, then send it to their chosen payment processing company. Moreover, if the site needed to charge visitors at a later time (for example after a product has shipped) most business owners believe that they need to save the card number on their servers. This is definitely not the case and is strongly discouraged!

What it Really Means to Store Credit Card Information

Keeping credit card information on servers is not only expensive, but makes your servers a target for hackers. You will need a full IT team simply to ensure your system’s security is not compromised and your software follows the best security practices available today, tomorrow, and the next 5 years. In the undesired event someone is able to access your servers (external hackers or even current/past employees), you run the risk of your company’s name being tarnished and losing existing/future customers. Moreover, your company could be the recipient of a class-action lawsuit or heavily fined as a result of the breach.

Historically, online credit card breaches have been far from rare. As a result, there are accepted standards enforced by credit card companies and issuing banks – the most common one being the Payment Card Industry Data Security Standard, commonly referred to as PCI. The estimated average cost of full PCI compliance audits in 2010 was $225,000/year and continues to rise each year. This does not include the additional employment, software, and hardware costs commonly required. Nor does the number include the expenses required to resolve any issues discovered in the yearly audit.

Don’t Touch That Card!

The easiest, cheapest, and least stressful way to avoid issues related to credit cards is to never touch them. If your system is never aware of sensitive payment information, you don’t have to worry about the liability, audits, and costs associated with holding sensitive credit card information.

Your system isn’t the application that physically pulls money out of users’ accounts; it talks to another system, called a payment processor, which communicates with the bank that issued the card to ultimately provide your business account with the appropriate funds. Applications that store credit card numbers still have to send them to the payment processing system in order to charge customers. Avoid the liability, audits, and headaches that result from having credit card data on file and have your customers provide their payment information directly to the payment processing system!

Although the details vary between different payment processors (and each processor may have more than one option), the overall process is generally the same. Below is one way your website can accept credit cards without touching the credit card number:

[Diagram: Credit card processing diagram 1]

In the example above, the customer visits the payment page on your site, but sends the payment information directly to your payment processor. The payment processor validates the credit card, ensures your customer has enough funds or available credit, and provides your website with the appropriate receipt information. The user is then sent back to your site, so you can display the receipt information. As an additional bonus, from your customer’s perspective, they never left your site, allowing you to maintain complete control of your system’s purchasing experience.

Charging Customers at a Later Time

A lot of our clients prefer to charge their customers in the future, either one time (when their order ships) or multiple times (for automatically renewing subscriptions). Even in these situations, your website does not need to save or even touch credit card data. Similar to the last example, the customer can send the credit card information directly to the payment processor. However, instead of obtaining a receipt, the payment processor can provide your system with a unique, non-sensitive token that your system (and only your system) can use to charge the customer’s card later. It is important to mention that this token can only be used by your application and deposited into your merchant bank account. Thus, if someone else were to obtain this token, they would not be able to get rich at the expense of your customers and your company’s reputation.

Again, although the details vary between different payment processors (and each processor may have more than one option), the overall process is generally the same. Below is one way your website can charge customer cards in the future, without ever seeing the credit card number:

[Diagram: Credit card processing diagram 2]

In the example above, the customer visits a page to purchase a new subscription. They enter their credit card information, which is sent directly to the payment processor, which provides your website with a token that can be used to charge their card at a later date. The customer is redirected back to your website, which uses the token to charge them for the first subscription. When their subscription is about to expire, your website uses the token to charge them another subscription fee, automatically renewing their subscription.
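The two flows described above (a one-time purchase that yields a receipt, and a tokenized subscription that is charged again at renewal), as an added Python simulation that is not Amadeus Consulting's code and does not reproduce any real processor's API: MockProcessor, MerchantSite, Receipt, luhn_ok and the "tok_" token format are all assumptions made here. In the real flow the tokenize call is made from the customer's browser straight to the processor, so the merchant server never handles the card number; the simulation models that by keeping the card vault inside the processor object only.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Receipt:
    merchant_id: str
    amount_cents: int
    last4: str          # the only card-derived data the merchant ever receives
    ok: bool

def luhn_ok(number: str) -> bool:
    """Card-number checksum; stands in for the processor's own validation."""
    digits = [int(d) for d in reversed(number) if d.isdigit()]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return len(digits) >= 12 and total % 10 == 0

class MockProcessor:
    """Stand-in for the payment processor: the only party that ever sees the card."""
    def __init__(self):
        self._vault = {}  # token -> (merchant_id, card_number); lives only at the processor

    def tokenize(self, merchant_id: str, card_number: str) -> str:
        # Called from the customer's browser, never by the merchant's server.
        if not luhn_ok(card_number):
            raise ValueError("card number failed validation")
        token = "tok_" + secrets.token_hex(16)  # random; reveals nothing about the card
        self._vault[token] = (merchant_id, card_number)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> Receipt:
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:  # token is bound to one merchant
            return Receipt(merchant_id, amount_cents, "", False)
        return Receipt(merchant_id, amount_cents, entry[1][-4:], True)

class MerchantSite:
    """Your web application: it stores the token, never the card number."""
    def __init__(self, merchant_id: str, processor: MockProcessor):
        self.merchant_id, self.processor = merchant_id, processor
        self.subscriptions = {}  # customer -> token; safe to persist in your database

    def subscribe(self, customer: str, token: str, price_cents: int) -> Receipt:
        self.subscriptions[customer] = token
        return self.processor.charge(self.merchant_id, token, price_cents)

    def renew(self, customer: str, price_cents: int) -> Receipt:
        # Later charge (renewal or after shipping) using only the stored token.
        return self.processor.charge(self.merchant_id, self.subscriptions[customer], price_cents)
```

A stolen token is useless to a second merchant because the processor refuses a charge whose merchant_id does not match the one the token was issued for, and the merchant's own database never contains a card number.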

How Amadeus Consulting Can Help

Amadeus Consulting has extensive experience in secure e-commerce solutions, is an Authorize.Net™ Certified Developer, and has extensive experience with other payment processors including PayPal PayFlow Pro, Verisign, and more. We can help you determine the best payment gateway for your e-commerce solution, so contact us if you need help!