When a customer enters their credit card on a webstore to make a purchase, they often look for a site prefix of “https” (as opposed to just “http”) and/or a padlock symbol to verify that the site is a secure site. This is a first level of protection known as SSL, or Secure Sockets Layer, which encrypts the data while it is in transit between the browser and the web server. But what happens after the intended company receives the credit card information?
Depending upon the store, any number of things can happen with your credit card. It is not unlike giving your credit card to a waiter at a restaurant. After the waiter takes your card, they take it to their cash register and in most cases swipe the card through their machine, which then charges your card. Once they give your card back to you, they no longer have your credit card number. On the other hand, if they use the old-fashioned imprint machine, the store retains a copy of your credit card number until they can manually key it in. The same goes for placing an order over the phone. And in many cases, this is what happens with internet sales as well.
Once your credit card information is received by the webstore, the shopping cart software can be configured for how the money is eventually received by the company. One of the most popular ways for small business is to process the transactions manually, using the credit card machines they already have in their physical shop. This means that they can see the customer’s credit card number.
Another way is to use a payment gateway such as Authorize.net. In this case, the credit card is transmitted to the bank in much the same way as with a swipe machine, and the store does not keep a copy of the number. The payment gateway transfers the credit card information to the processor and back, and the processor then sends an authorization code to the shopping cart software. The payments then get reconciled in a batch, usually at the end of the day. The downside to this method is that another entity is involved in the transaction.
In the ecommerce business you will hear the term PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. Since the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards.
However, according to the PCI DSS documentation, “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.”
This has led to a series of credit card processing services that act as both the gateway and the processor in one. Rather than collect credit card information on their site, the store simply collects the customer information, then passes the PCI compliance buck to someone else by handing off the payment collection process to another entity. This is known as a “hosted solution”. Once the payment has been collected, the processing company returns the customer back to the webstore. This is similar to how PayPal is used: the store owner never sees the customer’s credit card information. Other companies that do this include Elavon and Element Express. For most website owners, this is the recommended approach.
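The hosted-solution handoff described above, written out as an added Python example (it is not code from the original article and not the API of PayPal, Elavon, Element Express or any other provider). The store sends only order details to the hosted page, and when the customer is returned it accepts the result only after checking the provider's signature, comparing the order and amount to what was sent, and confirming that no full card number (PAN) appears in the response. The provider address, the HMAC-SHA256 signing convention, the field names and the shared secret are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Shared secret agreed out-of-band with the (hypothetical) hosted payment provider.
# Constructed demo value, not a real credential.
PROVIDER_SECRET = b"constructed-demo-secret-do-not-use"
# Placeholder hosted checkout address; a real provider supplies its own.
HOSTED_PAY_URL = "https://pay.provider.invalid/checkout"


def _sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the sorted key=value pairs (assumed provider convention)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; true for any syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """A 13-19 digit Luhn-valid string is treated as a PAN the store must never handle."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)


def build_handoff_url(order_id: str, amount_cents: int, currency: str, return_url: str) -> str:
    """Step 1: hand the customer to the hosted page with order details only; no card fields."""
    params = {
        "order_id": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
        "nonce": secrets.token_hex(8),
    }
    params["sig"] = _sign(params, PROVIDER_SECRET)
    return f"{HOSTED_PAY_URL}?{urlencode(params)}"


def verify_return(query_string: str, expected: dict) -> dict:
    """Step 2: the provider redirects the customer back with a signed result.

    Mark the order paid only if the signature checks out, the order/amount match
    what we sent (tampering or replay of another order's result), and no full
    card number appears anywhere in the response.
    """
    parsed = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    sig = parsed.pop("sig", None)
    if sig is None or not hmac.compare_digest(sig, _sign(parsed, PROVIDER_SECRET)):
        raise ValueError("return signature invalid")
    for key in ("order_id", "amount", "currency"):
        if parsed.get(key) != expected[key]:
            raise ValueError(f"{key} mismatch between handoff and return")
    if parsed.get("status") != "approved":
        raise ValueError("payment not approved")
    if any(looks_like_pan(v) for v in parsed.values()):
        raise ValueError("response carries a full PAN; refusing to process or log it")
    # Only a masked reference and the authorization code are kept by the store.
    return {"order_id": parsed["order_id"],
            "auth_code": parsed.get("auth_code"),
            "last4": parsed.get("last4")}


def simulate_provider_return(order_id: str, amount_cents: int, currency: str,
                             status: str = "approved", last4: str = "1111",
                             auth_code: str = "A1B2C3") -> str:
    """Stand-in for the provider's redirect back to the store (constructed for the demo)."""
    params = {"order_id": order_id, "amount": str(amount_cents), "currency": currency,
              "status": status, "last4": last4, "auth_code": auth_code}
    params["sig"] = _sign(params, PROVIDER_SECRET)
    return urlencode(params)


if __name__ == "__main__":
    expected = {"order_id": "ORD-1001", "amount": "4999", "currency": "USD"}
    print(build_handoff_url("ORD-1001", 4999, "USD", "https://shop.example/return"))
    print(verify_return(simulate_provider_return("ORD-1001", 4999, "USD"), expected))
```

The amount and order check matters as much as the signature: a correctly signed result for a cheaper order, replayed against an expensive one, would otherwise be accepted. The PAN check is a defensive backstop; with a hosted solution the provider should never send card numbers back, and if one ever does, the store refuses it rather than ending up with PCI DSS scope it never intended to have.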