Need Help With How to Submit Sensitive Credit Card Information Required by Suppliers

by Rayzen
11 replies
I am trying to set up an ecommerce store and am now at the point where I am seeking suppliers. Some of the potential suppliers I have found are asking for full credit card data (credit card number, card holder name (me), expiry date, and validation number). Obviously, in this world of hackers, putting that kind of information out there in the 'cyberspace' is a little scary and not something I would ever dream of doing with my personal credit card information.

However, I do need suppliers for the products I want to sell, so it seems to be a dilemma. I have posted this question before, and the answer I've gotten seems to be that ecommerce store owners solve the problem by only submitting their business credit card information to those suppliers who are PCI compliant, which means they have jumped through all of the hoops that the credit card industry deems necessary to store credit card information on their sites. I guess that, after doing so, they are then certified to store such data, so all I have to do to ensure my credit card's safety is to ask for proof of such certification...which brings me to my question: If you were in my shoes, how do I do this? How do I gain such validation that any potential supplier who is asking for my sensitive credit card data is actually certified? Is there a form for accomplishing this? Or do I just ask them for some kind of an account number that is stored by whoever grants such certification? If it's the latter, who is that group? Is it a government agency or a non-governmental, industry-related group? And, finally, if I were to ask them for such certification, how would you word it, in order to be businesslike, yet not offensive?

Thank you for your time and trouble in helping me with this matter.

--Ray Cole
  • tritrain
    My experience has been that suppliers are often behind the times in a sense, with some still using paper forms. If the form is electronic and not protected by SSL then do not enter that data. You could call them afterward and have them write it in. Or, when paper is used, you don't have to worry about it during the sending, because you're faxing it.

    However, none of this is of value if their network has holes elsewhere. It's not realistically possible to determine this by you.

    There is only so much that you can do.

    *You can call them and ask questions about the security of your data on their site. Decide based on that.
    Signature
    Domains for sale - see seopositions.net
    • Rayzen
      Hi Tritrain.

      Thanks for your help.

      Yeah, I think you're probably right, when you said, "There's only so much you can do," which is really frustrating, because I'm beginning to think that there really is no safe answer to my question.

      I'm new to the whole ecommerce world, so I have lots of questions and doubts, but am learning on a daily basis. So far, this question of credit card safety, as related to suppliers, is one that just doesn't seem to have already been ironed out by those who have already been in the business; dunno.

      It's my guess that about all you can do is to get a business credit card to be used for paying suppliers, go ahead and, as you said--after asking the supplier about their PCI policies---if satisfied, let them keep that information on their site, then just check the card's activity daily, to see if any illicit transactions have occurred. However, I can see where that would become a formidable task, if my ecommerce store were to handle even a moderate amount of transactions. But then I guess that would just be part and parcel of running a business.
  • dave_hermansen
    We have never been asked to fill out a form with our credit card details on it. We call the supplier and give it to them over the phone, usually with the first order.
    Signature
    StoreCoach.com- Learn How to Dropship the Right Way - Buy & Sell Websites - Partner with Coach
    My PROVEN ecommerce process, as seen on: Fox News, the NY Times & Flippa
  • Rayzen
    Hi Dave.

    Thanks for the response.

    So am I correct in interpreting what you said to mean that you do give them your credit card information, albeit over the phone instead of on a form?

    If so, then I don't see how that has kept the supplier from simply copying that information down and then storing it on their site, which would be no different than sending them the same information on a form. The only difference would be that the transmission of that information would have been more secure, since it is easier to intercept a letter than a phone call. In either case, your information would then be 'out there,' unprotected at the supplier's site.

    Almost all of us routinely use our credit cards with online stores, such as Amazon; however, I think the basic assumption is that such stores have satisfied the credit card industry's PCI standards by being audited yearly by an outside agency, as well as meeting their 12-step criteria for security assurance, so our information is relatively secure, although not absolutely so.

    I have a feeling that a lot of suppliers might not even know what 'PCI' means, let alone taking the time, trouble, and expense of meeting those standards...or they know, but simply chose to ignore it, since it's not a law to meet the standards. From what I've been able to read on the net, it costs a minimum of around $1,000 per year to jump through all of the PCI hoops, and even their self-evaluation forms are about 80 pages long and take hours to complete; can't say as I'd be too happy about doing any of that, myself. Amazon has paid lawyers who would be doing that for them and obviously can afford it. By the way, from what I've read, the PCI process for such a large ecommerce store as Amazon runs more like $50,000/year to satisfy the PCI standards. I would be happy if my little online store will even make that much, once I get it online.
    • dave_hermansen
      I'm not sure why you are assuming that suppliers are storing your card details on a website. There are many other ways of storing credit card numbers.

      If the supplier has an online ordering portal, I can't imagine that it would not be secure - at least I've never seen such an occurrence. Although it may not be a "law", they wouldn't be able to get payment processing without it and I guarantee you that they are having to go through the same PCI compliance procedures for their payment processors as you are. If they are using a third party site like PayPal to process payments, PayPal has that covered on their secure and PCI compliant site.

      I'm not sure where you are getting the notion that it costs $1,000 to jump through compliance hoops. We don't spend a dime on it. The shopping cart we use and the payment gateways are PCI compliant and THEY are the ones who have to jump through hoops to keep it that way. We have to take the time once a year to fill out a self-compliance questionnaire but that is the extent of the "hoops" that we jump through. We've done it so many times, it might take 30 minutes to do.

      With the vast majority of our suppliers, we send orders by email and at the end of the email tell them to use the credit card on file, ending with 8574 (or whatever the final four digits are). We've operated well over 100 eCommerce websites and had at least 500 suppliers during the past decade and never once have had our credit card data breached by one of our suppliers.

      Could a person who works for the company copy the information and sell it? Sure, but that can happen every time you go to a restaurant. You can find all kinds of reasons for not doing something. If we let every possible bad scenario dictate our lives, we'd never leave our houses.

      Give yourself some peace of mind by making it a habit to check your credit card statement every morning, first thing, to make sure everything is legit. You'll be just fine. The worst thing that could happen is that you find something amiss, dispute a charge and get a new credit card number.
      • Rayzen
        Hi Dave.

        Once again, thanks for your time & trouble in responding to my insecurities.

        As far as where I got the notion that meeting PCI compliance costs $1,000, it was from an online article, but then I guess you well know how trustworthy the internet can be, sometimes.

        I definitely agree with your comment about not letting every reason in the world for not doing something keep me from pressing forward. Part of the entrepreneurial spirit would include taking a certain amount of calculated risks, I guess; kinda like that saying, "Behold the turtle: He makes progress only when he sticks his head out."

        And, from what you said regarding your own track record with suppliers, it would seem to be less risky than what I allowed my imagination to conjure. I realize that doesn't mean it can't happen, but it's comforting for someone like myself, who is just starting, to hear such a personal experience from those who have been in the business for a while.

        Checking any credit card daily, whether it's a business-related one or a personal one, is certainly sound advice, especially in our modern, global society.

        Last night, when filling out yet another supplier's application form for establishing a new account, I was surprised to see an IRS W-9 form which asks for my social security number. What's your take on that? Being new to all of this, I'm obviously not a real savvy guy, when it comes to such things, but from what I've been able to learn, giving out one's social security number is just not something one should ever do. As you stated, if your credit card is compromised, it's not a difficult thing to do just to cancel it and get a new card; however, if an identity thief gets your social security number, they can then go way beyond making charges with a stolen credit card; e.g., establishing new credit lines, paying for huge health bills, etc. Any thoughts on that?

        I sure appreciate your time and effort in helping me.
        • dave_hermansen
          Yeah, social security numbers are another thing but honestly, you're not going to get an account without it. Every entity out there asks for your SS# these days - banks, colleges, internet service providers, payment processing companies and suppliers. It's the only real means of tying an identity to an exact person. As bad as that is, I'm not sure if there will ever be another way of doing that.

          I suppose if it bothers you, you can fill that blank in with "will call with number" and then call them and give it to them. We've never done that and, so far, nothing bad has happened. If nothing else, it gives you a good excuse to follow up on your application and, perhaps, get the approval ball rolling even faster.

          I should add, most applications we fill out do not ask for a SSN; they ask for an EIN, which is one reason that setting up an official company instead of just a sole proprietorship with your SSN isn't a bad idea.
          • Rayzen
            Your last reply sent me on an internet search for the difference between a SSN and an EIN, as well as their relative security. It seems, according to Nolo.com, that an EIN is safer than a SSN. Here is what their website has to say about it: (https://www.nolo.com/legal-encyclope...-need-ein.html)

            "Why To Get an EIN If It's Not Required

            You can obtain an EIN even if it is not required, or use your Social Security number. There are two good reasons to use an EIN instead of your Social Security number:
            Avoid identity theft

            Theft of taxpayer's identities has become a rampant problem--identity thieves steal taxpayer's Social Security numbers and use them to file fraudulent tax returns and obtain tax refunds. For this reason, it's wise to keep your personal Social Security number as private as possible.
            If you perform personal services as an independent contractor, you must provide an EIN or Social Security number to your clients, or the client will be required to withhold 28% of your payments. Obtaining an EIN allows you to avoid having to provide your Social Security number to clients and other members of the public.
            Help Establish Independent Contractor Status

            Using an EIN on your tax returns and payments also helps to show that you're an independent businessperson--in other words, an independent contractor and not an employee. This can make you more attractive to prospective clients.
            "

            So, after reading all of that, as well as what you said about how common it is for suppliers to ask for a SSN, I guess that I will just plug in my EIN (I just got one from the IRS website; took all of five minutes) in place of a SSN, hoping that will satisfy a supplier. Do you think that'd work?
            • dave_hermansen
              It's pretty rare that a supplier would ask for a SSN. If Walmart wanted to buy from them, whose SSN would they give to them? They normally want an EIN because that is what businesses have - businesses don't have SSNs. So yes, just give them the EIN.
  • pauloadaoag
    Administrator
    Check out Stripe. Should handle all the security needs + has some fraud protection + it's really easy to integrate.
  • freelandegroup2
    If you call use a service I know about similar to Stripe but better, by the time you email or call I will remember, I have an Amazon biz and am doing great, looking to sell the store I have now for under 1k, building another one, and I do give free tips, 8pm any day, usually my pn is on, three1sevn-six28-977zero.