E-commerce Payment Gateways - Not "Just Another Expense"
February 25, 2008
Why you shouldn't try to cut corners when it comes to customer information security
(this article was written as a response to an ongoing conversation on a local technology mailing list)
Questions regarding payment gateways and features such as automated recurring billing or authorization of credit cards with delayed funds transfer can and should be addressed by a method and service that is built specifically for handling these sorts of scenarios. In this case, a proper payment gateway service attached to a Card Not Present merchant account is simply the most secure and reasonable way to accomplish these requirements.
I'll use Authorize.net as my example. First, recurring billing is a feature that may be implemented for an additional $10.00 per month. It is referred to as "Automated Recurring Billing" or "ARB" for short. Secondly, there are various modes of credit card capture available. When you refer to a card being charged immediately, this is known as "Authorize and Capture". Technically, the funds are not even withdrawn until batch settlement occurs (as in the case of Authorize.net), which happens at the end of the day. That means that if the client needed to void the transaction and did so before batch settlement, they would avoid a costly chargeback (a chargeback is a roughly $30 processing fee to reverse a transaction that has already "hit" the card, if you will). The end of the day is 4:00pm Mountain Standard Time for Authorize.net and will vary based on which payment gateway service you use. That means you would have up until 6:00pm to reverse a transaction with no additional cost.
If you would prefer not to capture a card immediately, then the mode to use is simply "Authorize", and it is a standard feature offered by providers such as Authorize.net. Then, once product fulfillment can be guaranteed, simply log into the merchant account and capture the payment.
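The transaction lifecycle described above (Authorize only versus Authorize and Capture, the daily batch settlement, and the difference between a free void before settlement and a paid reversal afterwards) is modelled in the following added example. It is not code from the original post or from Authorize.net; the state names, the REVERSAL_FEE constant and the run_batch_settlement function are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed fee for reversing a transaction that has already settled;
# the post quotes roughly $30 for a chargeback.
REVERSAL_FEE = 30.00


class TxnState(Enum):
    AUTHORIZED = "authorized"   # "Authorize" only: funds held on the card, nothing has moved
    CAPTURED = "captured"       # capture requested; waits for the gateway's daily batch
    SETTLED = "settled"         # batch has run and the money has actually moved
    VOIDED = "voided"           # cancelled before settlement: no reversal fee
    REFUNDED = "refunded"       # reversed after settlement: the card was already "hit"


@dataclass
class CardTransaction:
    order_id: str
    amount: float
    capture_immediately: bool = False   # True = "Authorize and Capture", False = "Authorize"
    state: TxnState = field(init=False, default=TxnState.AUTHORIZED)
    fees: float = 0.0

    def __post_init__(self):
        # An "Authorize and Capture" charge goes straight into the pending batch.
        self.state = TxnState.CAPTURED if self.capture_immediately else TxnState.AUTHORIZED

    def capture(self):
        """Capture a held authorization once fulfillment can be guaranteed."""
        if self.state is not TxnState.AUTHORIZED:
            raise ValueError(f"cannot capture from state {self.state.value}")
        self.state = TxnState.CAPTURED

    def cancel(self) -> float:
        """Undo the charge: free if the batch has not settled yet, a paid reversal if it has.

        Returns the total fees accumulated on this transaction.
        """
        if self.state in (TxnState.AUTHORIZED, TxnState.CAPTURED):
            self.state = TxnState.VOIDED
        elif self.state is TxnState.SETTLED:
            self.fees += REVERSAL_FEE
            self.state = TxnState.REFUNDED
        else:
            raise ValueError(f"cannot cancel from state {self.state.value}")
        return self.fees


def run_batch_settlement(transactions) -> int:
    """The gateway's end-of-day batch: captured transactions settle, plain authorizations do not."""
    settled = 0
    for txn in transactions:
        if txn.state is TxnState.CAPTURED:
            txn.state = TxnState.SETTLED
            settled += 1
    return settled


if __name__ == "__main__":
    held = CardTransaction("order-1", 49.95)                           # Authorize only
    charged = CardTransaction("order-2", 20.00, capture_immediately=True)
    print("settled in batch:", run_batch_settlement([held, charged]))  # 1
    print("void held auth, fees:", held.cancel())                      # 0.0
    print("reverse settled charge, fees:", charged.cancel())           # 30.0
```

The point the model makes explicit is that an authorization never enters the batch on its own, so an order that cannot be fulfilled is voided at no cost, whereas anything captured before the end-of-day cut-off settles and can only be reversed for a fee.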
Now, to address the third issue, which actually does not seem to have been brought up directly: PCI-DSS standards. This is perhaps the most important reason to encourage your client to invest in a proper payment gateway service provider. In the wake of major security breaches (think of the T.J. Maxx debacle, where the billing information of millions of clients was stolen), the payment card industry banded together to create a universal set of data security standards that would help to reduce the risk of credit card fraud and therefore reduce the cost of processing credit card transactions. By working with a reputable payment gateway service provider, you are ensuring that transactions meet these standards. You should look for a provider that is compliant with the latest PCI data security standards.
Finally, you must ensure that your e-commerce system does not store a full credit card number. The gateway will store it for you when necessary (as is the case with Authorize-only transactions), and it protects that information so that no one can log in and take a customer's payment information for their own fraudulent use. In fact, with these standards in place, and when they are followed correctly by a compliant service provider, they are much more secure than using your card in a traditional way, where prying eyes can simply copy your card details when you pay for something!
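How a shop can honour the "never store a full card number" rule in practice, as an added example that is not part of the original post: the persisted payment record keeps only the gateway's reference and the last four digits, and a Luhn-based scanner finds (or redacts) any full card number that leaks into application logs. The gateway_token value, the StoredPayment record layout and the log lines are constructed for this illustration; the 4111 1111 1111 1111 number is a commonly used test card number, not a real account.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or order page needs to show."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Return (line number, masked PAN) for every Luhn-valid card number found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _digits_only(m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form before text reaches a log or ticket."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


@dataclass(frozen=True)
class StoredPayment:
    """What the shop database keeps: a gateway reference and display data, never the PAN."""
    gateway_token: str
    last4: str
    card_brand: str


def store_payment(pan: str, gateway_token: str, card_brand: str) -> StoredPayment:
    """Build the persisted record from the card number without retaining the number itself."""
    digits = _digits_only(pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a plausible card number")
    return StoredPayment(gateway_token=gateway_token, last4=digits[-4:], card_brand=card_brand)


# Constructed sample log: line 1 holds a 16-digit order id that is NOT a card number,
# line 2 is a debug line that accidentally dumped a raw gateway request.
SAMPLE_LOG = """\
2008-02-25 10:01:02 order=1234567890123456 gateway_token=tok_abc123 last4=1111 status=authorized
2008-02-25 10:01:09 DEBUG raw request: card=4111 1111 1111 1111 exp=12/10 amount=49.95
2008-02-25 10:02:00 order=1234567890123457 status=captured
"""

if __name__ == "__main__":
    print("leaked card numbers:", find_pans(SAMPLE_LOG))      # [(2, '************1111')]
    print(redact_pans(SAMPLE_LOG))
    print(store_payment("4111 1111 1111 1111", "tok_abc123", "visa"))
```

The Luhn check is what keeps the scanner from flagging every long order or tracking number; it is a screen, not proof, so any hit still deserves a look at where that data came from and which log sink it reached.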
So, really, the answer to all these questions is quite clear: leave it to the professionals and encourage your client not to try and save a buck when it comes to payment security and features. The last thing they need is to have their card processing services revoked, or to face lawsuits, because they wanted to save a measly 40 or 50 bucks a month. Gateway providers have the functionality needed to run an online business, and they worry about the risks of transmitting, storing and processing card data so you don't have to. When you look at the cost of these services, remember that they are taking the risk off your shoulders as much as they can, and that is a great value for the monthly cost.
For more information on PCI-DSS standards, follow this link: https://www.pcisecuritystandards.org/