Posts Tagged ‘gateway’

What do I need to accept payments for an online store?

Monday, February 1st, 2010

The essential elements of an ecommerce store are the shopping cart, payment gateway, security certificate and merchant account. All processors (merchant account providers) that we work with now require a certified PCI Compliant shopping cart.

The store or shopping cart components include order and content administration, inventory management, product management, customer management and search engine optimization, among other elements.

The payment gateway is just that: a gateway that allows the secure transmission of credit card and debit card payments from the shopping cart to a merchant processor. The gateway is a standard security mechanism for the internet.

The security certificate is issued to a business. Digital security certificates provide two essential security functions: authentication and encryption.
The business is verified to be legitimate. The certificate also enables the SSL protocol, or Secure Sockets Layer, for encryption, which includes displaying HTTPS and the little lock symbol that appears in browsers.

The last element is the payment processor. Merchants accept credit and debit cards by opening a merchant account with a payment processor. Just like you can’t go to the Federal Reserve to do your personal banking, you can’t go to Visa and MasterCard to do your credit card processing. Payment processing is offered through banks, payment processing companies and independent service organizations (ISOs). Sometimes the same company offers its services through all channels. For example, First Data offers payment processing direct, through banks it has partnerships with, and through registered ISOs. Because of the complexities of the industry, the best prices and value are not necessarily achieved by going direct. In fact, indirect service thrives because of value added and volume partnership pricing.

In the past, processors required a secure gateway; in some cases this requirement has now been extended to the actual shopping cart software as well. One reason is that some carts allowed for storing card data unencrypted somewhere on a server. For some shopping carts, getting certified is a formality. For others, there are security issues somewhere within the process, whether front end or back end, and work is needed before the cart can be certified.

The quick solution for those carts that are not compliant has been to disallow credit card processing except for PayPal and Google payments.

Virtually every cart accepts Authorize.Net as a gateway and it’s one of the most popular. I recommend it, when appropriate. The Orbital Gateway may be a cheaper solution for those processing on the Paymentech platform; however, not as many carts have Orbital integration.

Orbital Gateway Integration & Certification Program - Orbital is a Chase Paymentech gateway and only works with those processing on the Chase Paymentech platform. Merchants must complete either the shopping cart certification, or use a hosted payments solution such as CenPOS or CRE Secure.

internet merchant account requirements

Tuesday, September 15th, 2009

If you don’t have an internet merchant account already, our suppliers have some very specific requirements that you need in addition to traditional merchant account requirements. I hear all the time from people how ‘the other vendors’ don’t require as much paperwork or they don’t ask the same types of questions. Well folks, the ‘other vendors’ may not be helping you build a successful PCI Compliant business with the right price plan either. The items on the list below are so basic, they are essential elements to setting up your business for success.

These are Visa requirements for ecommerce merchant accounts. A document with these questions answered is turned in with the merchant application along with a print of the checkout page to prove the info is there. If the information is not on the site, the application cannot be submitted until it is ready. If the site is under development, screen shots can be submitted that have the required information.

INTERNET REQUIREMENTS CHECKLIST

1.   Website active and URL on application            no / yes
2.   DBA on site MATCHES name on application          no / yes
3.   Customer Service number or email listed          no / yes
4.   Return/Refund policy present                     no / yes
5.   Merchant’s Privacy Statement is included         no / yes
6.   Website Secure Order Page                        no / yes
7.   Products/Services listed with price              no / yes
8.   Delivery Method and Timing are clearly stated    no / yes

FAQ

Can you give me the code for our web programmer for ecommerce checkout?

What you really want to know is the gateway information. That information is sent directly to the merchant. The merchant can share whatever data with you they like.

What if my web site is not live yet? We cannot submit your merchant application without the information above. Screenshots from your web developer, or artist renditions are needed that show this information.

Can you set up my gateway account? Yes. We are an authorized reseller for major gateways. We cannot obtain a gateway account for you before there is a merchant account because the merchant account ID and processing platform are needed as part of the set up.

Why do I need a separate merchant account for ecommerce orders? When you are issued a merchant account, it is based on specific information presented. When you use a retail account to process ecommerce orders, you are no longer complying with the original agreement. A card not present or mail order / phone order (MOTO) account is not the same as an ecommerce account. Again, it goes to how you agree to collect and process credit card orders. As shown above, there are additional criteria that must be presented to obtain an ecommerce merchant account.

Aside from compliance, you’ll always want the right type of account to qualify for the lowest interchange rates. There are specific criteria to be met for every type of account and card presented. If you have a retail swipe account, the expectation is that you swipe a card. When you don’t, you get downgraded to a higher rate. If you make an ecommerce transaction on an ecommerce merchant account, you can qualify for rates lower than what the swiped downgrade rate would be, but also higher than what a swiped transaction would be. Without getting into more depth, the main point is, you want to QUALIFY for the best rates for any given card presented and that can only happen when you have a merchant account that matches the types of transactions you are presenting to the card associations.

VoIP for credit card processing voids PCI Compliance

Sunday, December 21st, 2008

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. Traditional phone = analog. Traditional lines use hardware to send data, i.e. the copper line. When using a 2008 compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back using analog signals.

VoIP = digital. VoIP traffic flows across the Internet in unencrypted packets, which means anyone who has access to the network between sender and recipient can intercept them. So the desktop terminal may be compliant, but once the data is on the open network, the merchant setup is no longer PCI Compliant. Even though there are optional packages that can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.

If you attach a magnetic card swipe to your computer, the transaction is processed using SSL security. It is not the same as VoIP. SSL uses a cryptographic system. It has two keys to encrypt data: a public key known to everyone, and a private key known only to the recipient. The magnetic card reader can be used with many POS systems and a high speed DSL, cable modem or T1 line.

Internet, ecommerce, and virtual terminal transactions all use SSL.

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a Gateway. The Gateway enables secure, real-time payment processing of credit card transactions. It is not the same as a credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific information through to the credit card processor to get better rates. Most systems focus on fraud protection, but do not necessarily pass through critical data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data, and sometimes the gateway doesn’t pass the data; it all depends on company capabilities.

I’m not a tech expert but in general, the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.