#1
Coaching Newbies
War Room Member
Join Date: Aug 2009
Location: London Uk
Posts: 36
Thanks: 5
Thanked 1 Time in 1 Post
Hi Warriors,
One of my customer's websites I set up years ago captures customers' credit card details and emails these to him so he can use his offline credit card terminal at the office. The site is secure HTTPS but the email is not encrypted. I have advised him to go for a merchant account or payment gateway or use PayPal. Could someone tell me if they do this, or is this now illegal to do?
Thanks,
MT
PS: The charges here in the UK for merchant accounts are just a rip-off!
#2
Happy Hooker
War Room Member
Join Date: Jun 2007
Location: North of the Peace River, Southwest Florida, USA.
Posts: 2,295
Thanks: 276
Thanked 458 Times in 297 Posts
I'd ditch the open email. Although the likelihood of getting the details ripped off is fairly slim, it only takes one time to create a huge judgment against you, your customer or both of you.
One option would be to store the details on the secure server, then use a secure method to download them for processing. Here's one way to do it (not an affiliate link): The Road
Not sure why the link reads like that. The name of the application is "Secure View and Remove".
#3
Warrior Member
War Room Member
Join Date: Jan 2009
Posts: 23
Thanks: 9
Thanked 0 Times in 0 Posts
It's bad for two reasons:
1.) It's absolutely a bad idea for security. You're just asking for the credit card data to be stolen. This breaks the credit card industry's security rules.
2.) It's against the credit card company rules. In essence, you are cheating them to get a lower rate by deceiving them into thinking the cards are processed on site rather than through the more risky internet.
Daniel
#4
Black Sheep
War Room Member
Join Date: Feb 2009
Location: Austin, TX
Posts: 368
Thanks: 135
Thanked 44 Times in 39 Posts
With this age of identity theft, I wouldn't do it. Say somebody hacked into his system and stole all those credit card numbers - he'd get shut down at the very very least.
Not to mention, this method is probably costing a lot of money, as most people don't like entering their credit card numbers anywhere anymore.
#5
Marketing Mentor
War Room Member
Join Date: Feb 2008
Location: Western Massachusetts, USA.
Posts: 420
Thanks: 22
Thanked 119 Times in 76 Posts
This is absolutely against Visa, Mastercard and American Express rules, with big fines imposed if you are caught doing this. (Read your latest merchant account regulations for details.)
It also contains the seeds of ruin for your customer's business. If there's just one security incident, the business MUST notify all of its customers about the breach. Imagine having to confess to your customers that you were sending their credit card details by email!
Last year, one of my colleagues had a laptop stolen that contained customer credit card info on it and had to notify everyone who had purchased from her of this. It made her look bad.
In fact, the credit card security requirements and fines have gotten so stringent that I made the decision never to store any customer credit card information (or Social Security Numbers) on my computer or in an unlocked file cabinet in my office for any reason at all. IT'S JUST NOT WORTH IT.
Marcia Yudkin
#6
Coaching Newbies
War Room Member
Join Date: Aug 2009
Location: London Uk
Posts: 36
Thanks: 5
Thanked 1 Time in 1 Post
Hey,
Thanks, guys, for your help and advice. Yes, just as I thought, it would be breaking Visa's terms and conditions. When dealing with some clients it is hard to explain these things without it looking like you are trying to charge more money because they need an add-on service.
MT
#7
HyperActive Warrior
War Room Member
Join Date: Jun 2009
Location: The Left Coast, USA
Posts: 254
Thanks: 126
Thanked 79 Times in 63 Posts
I would think it would be harder to explain why it was set up like that in the first place. In any case, I'd document that you brought the security issue to their attention. Personally, if they refuse to change the process I wouldn't have anything further to do with the account.
#8
Coaching Newbies
War Room Member
Join Date: Aug 2009
Location: London Uk
Posts: 36
Thanks: 5
Thanked 1 Time in 1 Post
Hi Amy,
The website I host for my customer already had this shopping cart feature built into the software. The good news is he now has agreed to go with a secondary authorization payment process. The bad news is he can't use the same shopping cart...
MT
#9
HyperActive Warrior
War Room Member
Join Date: Jun 2009
Location: Chesterton, IN
Posts: 286
Thanks: 6
Thanked 39 Times in 35 Posts
I believe there is a fine up to $20,000,000 in some circumstances. Read the fine print on the merchant agreement.
Might want to have a read: https://www.pcisecuritystandards.org/ PCI FAQ
PS: If you are hosting for this person you can be held liable for some types of thefts. In some U.S. states being PCI compliant is law.
#10
Just hitting the mouse!
War Room Member
Join Date: Jul 2007
Location: Puerto Calero, Lanzarote, Canary Islands
Posts: 1,434
Thanks: 168
Thanked 66 Times in 60 Posts
If you're in the UK then they're probably going against the Data Protection Act, which requires secure storage of customers' private info including name, address, credit card details etc. You really don't want the UK government on your case.
Lastly I see no reason why anyone needs to do this. Most merchant providers now provide secure online order systems or there are loads of online merchant providers.
Rich