Tell us what you have in place to keep our billing information safe.

[Quick1]

Seems there has been a recent rash of credit card theft. Maybe it's no more than normal for online buying in general or anywere else but some people feel it happened shortly after e-cig purchases from online suppliers.

There is a broad range of understanding on how these things work, how online stores work, and what if anything is and can be done to protect consumers billing information. Most of us are completely in the dark as to how online billing information can be compromised, what's available out there to prevent that, and what our suppliers are or are not using towards that end.

I thought this might be the right place to put up a thread so that suppliers, if they care too, can post up on what they do to keep our information safe.

Maybe one post or so per supplier? Maybe include an explanation of the mechanics involved, what's cost effective and what's not, and what you have or use to safeguard your customers.

 

[KatyS]

I'm glad you put this up here. I was distrubed at reading your thread about the credit card thefts occuring. I have had my site for 2 1/2 years. At first I used Paypal for payment but when they outlawed us, I opened a merchant account that uses the gateway Authorize.Net and I believe many of the suppliers here use this. My site has a link to a seperate address with my shopping cart thru Go Daddy. It is encrypted and I have had no problems. I have access to only the last 4 numbers of my customers cc numbers. I have had customers call me, not trusting the internet to place an order. In these cases I do take the credit card over the phone. I destroy those numbers after the order comes thru. Those customers will say "you have my credit card number on file", I explain we don't keep your number for security purposes. We are just a 2 man operation so it's easy to control. I do think it will help our community to let any vendor know if your card is compromised. We want our customers to be able to order without fear of cc theft. I personally opened a credit card with a 200.00 limit years ago for shopping on the internet, its all I use and no problems. I would never use a debit card or my checking account. Hopefully this explains some of the ins and outs of the supplier.

 

[Smocha]

We use a 128-bit encryption SSL certificate. It basically encrypts CC information when payments are submitted so hackers can't acess the information as it is going through the information freeway. Once the data gets to where it needs to be to finish the payment, it is decrypted into original form for use. We only have access as well to the last four digits of the credit card numbers used on our websites.

Good advice to people looking to make secure payments online, look for websites with an SSL certificate displayed on the front page. Also, after logging into the website, websites that are secure will have an "s" after http in the URL as well as a lock in the upper right hand corner or lower corner depending on what browser you use, you can click on this lock (some times also a key) to confirm that the website is encrypted. Also, what Katys said, it is benificial to have a CC that has a low limit.

Regards,
Tim

 

[Starchild47]

Thanks Quick 1 for starting this in reply to my post over in the fraud thread. I think that if the vendors here come forth it will make a lot of us feel much better about ordering from them in the future. I for one am very upset about this and reluctant to do any ordering at the moment until I or we learn more about what exactly is going on.
I think that if the vendors work with us the customers it will go a long way in helping all feel good about keeping the businesses going and our favorite supplies in our hands! I do have a question as I am not a real techie person but do a lot of research and am learning every day. Do we need to look for the SSL certificate in addition to finding out if the site is secure (ie s added to the http and the lock at the bottom right of the toolbar) I have known for some time to look for the lock and the s. I have seen the SSL cert on some sites but not all and often wondered what that offered to consumers and web stores? Does it offer added protection?

 

[MVP]

Company That Had The Largest Ever Credit Card Data Breach... Apparently Breached Again | Techdirt

 

[Firefly13]

We use a Volusion SSL certified cart, and our gateway only lets us see the last 4 digits of the customers card, it does not let us repeat the charge more than once either, so we can't accidentally double charge or something like that.

 

[Quick1]

Can someone give us a brief overview?
Let's say I want to open up a web store. So I go somewhere that hosts web stores and they give me a store site and I fill in my products, prices and choose options and stuff. Now I need to get paid when people fill in orders. How does that work? What are the common options or services used? and what are the main few choices I have for selectiing some level of security? Do I have a choice?

For example, I've heard Volusion mentioned a lot. Is that something like the above? Does Volusion handle all the billing for you? Something like they forward you an order made on your site, you send back notification that you've filled the order or something, they handle getting the payment transfered into your Volusion merchant account? Is that how it works?

I think a lot of customers here have visions of someone sitting at their PC in their business at home, looking at the order, running the credit card from home and having transfers made into their merchant visa or mc account...

Personally, I have visions of suppliers opening up a web store by signing up with "web stores R us". They pay a fee, get a website, get billing service, etc, with whatever they choose from the "web stores R us" merchant services menu. ?? we really don't have a clue.

 

[KatyS]

Quick there are different ways to go about it. Yes there are places where you get the whole package, web site, merchant account and anything else you need. I started on Yahoo with paypal, then linked a shopping cart(encrypted) to my yahoo site. shopping cart takes care of sending customer reciepts and supplier notice of a order pending. Suppliers have to capture the credit card orders daily, then in a day or so the money goes to the suppliers bank. I am not sure what Volusion does. But usually you need two seperate entities, the merchant account with gateway and the shopping cart system not necessarily related. That's why some shopping carts are not compatible with some Merchant Account Gateways.

 

[skydragon]

I sure would like to see more vendors in here. I also want to give credit to the three vendors who jumped right in with a response.

 

[iamjn]

For any merchant to accept a credit card, a merchant account is required. If you accept CCs through an online store, you are required to adhere to PCI compliance standards. If you do not meet PCI compliance, when caught, you are fined, and will have your merchant account closed by the company holding the account. Now, there are a ton of companies that resell merchant services, but at the end of the day, in the US at least, there are really only a handful of merchant processors. If you get blacklisted by them, you will have a hard time accepting CCs. Vendors are also liable for charges resulting from non compliance, so if someone steals your CC from a store and uses it to rack up a bunch of charges, if found to be non-PCI compliant, the vendor is who gets stuck with the bills. This is not just a e-cig thing, this is for any online business.

From a consumer, if you are purchasing anything from a store that doesn't use at least a 128bit certificate that you can validate, that is a mistake. IMHO, if you are buying from someone who does not have their location displayed in their site for everyone to see, you are taking a risk (why are they trying to hide their location?). Some vendors place a logo of their merchant account provider on their site. I don't subscribe to that mindset at all. My day job is with a large company working in IT with sensitive data. One thing that we, and most IT security people practice, is don't do any work for the hackers. That includes showing them what systems you use or have in place.

You can view PCI compliance standards here: Payment Card Industry Data Security Standard - Wikipedia, the free encyclopedia

Not sure if that is what you are looking for from this thread, but hope it helps.

 

[k9frog]

right now im dealing with my credit card, the number was stolen from some were on here that i do business with , i do not know were it was stolen from, except that the only place i use this card was for ecigs and supplies, so far there up to 700.00 plus that it was used for, they even tried to buy stocks with the card, that card has been shut off, but someone in our community is screwing us, i would love to find out who, nothin a bullet in the head wouldnt cure

 

[Xanax]

GREAT thread Quick1 and I'm gonna jump on board with you and request the same thing. We need to know what our suppliers are doing to keep us safe, this is a serious issue!

 

[Xanax]

right now im dealing with my credit card, the number was stolen from some were on here that i do business with , i do not know were it was stolen from, except that the only place i use this card was for ecigs and supplies, so far there up to 700.00 plus that it was used for, they even tried to buy stocks with the card, that card has been shut off, but someone in our community is screwing us, i would love to find out who, nothin a bullet in the head wouldnt cure

Highly doubt it's the vendor that personally stole your card and racked up those charges for himself/herself.

 

[ramsey2toes]

What happens when a merchants account/website is hacked into? Are customers information at risk?
I was hit a couple of months back....what a pain. My sisters card was also hit. We only had 2 merchants in common. One had their website hacked into, I wonder if this is what caused the problem for us?

 

[Starchild47]

Xanax
I agree, I highly doubt it is the vendors taking the info and trying to commit fraud themselves. I think that most of us agree it is a case of either inadequate security for credit card purchases or that the places they are using to handle credit card purchases have issues.
I sincerely appreciate the vendors that have come here and answered our questions and ponied up info as to what they do as well as given more info on how the system works.
I am REALLY SURPRISED that more vendors have NOT posted here as well as other board members. I know that this is a major concern for more people than those that have said something recently. I really thought that we would have an outpouring of vendors that would be willing to share their practices to make us feel secure in our purchases.
I know that I cannot be the only one that is leery of using some of the vendors here anymore. The problem is who to be leery of????? I don't have a freakin clue!!!!! The only thing I can do is to go get another credit card that is prepaid which is a hassle for me with my health issues and really not an option or get one with an extremely low limit SIGH.
I am postponing my purchases until I get some of this stuff resolved at least in my head. I have too many other things in my life that take precedence now that I cannot tackle a credit card problem on top of them sorry folks. I don't want to do this but I don't see any other option unless I get some reassurances here that I have not seen from any of the major vendors here on the site.

 

[iamjn]

What happens when a merchants account/website is hacked into? Are customers information at risk?
I was hit a couple of months back....what a pain. My sisters card was also hit. We only had 2 merchants in common. One had their website hacked into, I wonder if this is what caused the problem for us?

Vendor websites are required by their merchant account provider to not store any information regarding CC info. That is not negotiable, and if caught storing CC information will get a merchant account canceled. That doesn't mean that all vendors comply, unfortunately. IMO, the CC companies need to step up and provide consumers a way to verify a site is PCI compliant. At present, I don't know of any such site.

I'd suggest you contact your CC company with the names of the 2 common merchants and let them investigate. They all take it pretty seriously, and will follow up.

 

[Aqua Lady]

We have a Volusion 128-bit encryption SSL certificate (via Komodo I think).

Any reputable shopping cart application will not let you go live unless you have some sort of security in place.

Our backend does not hold on to CC info either...only the last 4 digits.

 

[rosesense]

Wouldn't it be a hacker dream to find what shopping cart/services the companies use posted right here in one place?

 

[Starchild47]

I highly doubt the info that is shared here would be beneficial to any of the hackers that are out there. I doubt even further that they would be trolling here to find that info out.

 

[Xanax]

Wouldn't it be a hacker dream to find what shopping cart/services the companies use posted right here in one place?

80% of the sites I have ever bought from all use the same identical shopping cart service. Maybe they all look alike, just from different distributers but I could swear they're all using the exact same thing.