Receiving Credit Card Details from a web page by Fax ??

Status
Not open for further replies.

jerfoley

Guest
Firstly I hope I am in the correct thread.

I was wondering would this be possible: to create a submission form on a web page to gather a customer's card details, and then when they press submit the information is faxed to a fax machine?

To me the information travels not by email, and is not stored on a computer as an email, and is only available in a hard copy, so there is little security risk.

How secure would you feel this is?

I have a physical terminal, so I thought if I could do something like this, I would not need a payment gateway, which is about 270 - 450 euros per year.

Other than that I would use PayPal, but as I provide accommodation in a guest house and holiday homes, I need a credit card number as a hold over clients in case they do not arrive / damage something etc.

If I use PayPal or a payment gateway, I never see the customer's card details, so I have a problem, as I have no comeback over the guy who pays a booking deposit and does not turn up.

Just wondering did anyone ever see this done before, and how logical / ethical is something like this?

Thanks for the advice, and if you have to move this post to the correct location, my apologies.
 

mneylon

Administrator
Staff member
Firstly I hope I am in the correct thread.

I was wondering would this be possible: to create a submission form on a web page to gather a customer's card details, and then when they press submit the information is faxed to a fax machine?

Theoretically - yes

To me the information travels not by email, and is not stored on a computer as an email, and is only available in a hard copy, so there is little security risk.

How secure would you feel this is?
It's not secure
How do you think the data gets from the web page to the fax?

I have a physical terminal, so I thought if I could do something like this, I would not need a payment gateway, which is about 270 - 450 euros per year.
Taking payment details online is different to taking payment in person
You'd be in breach of your merchant agreement

Other than that I would use PayPal, but as I provide accommodation in a guest house and holiday homes, I need a credit card number as a hold over clients in case they do not arrive / damage something etc.

If I use PayPal or a payment gateway, I never see the customer's card details, so I have a problem, as I have no comeback over the guy who pays a booking deposit and does not turn up.

Um no.
Most of the big hotel booking sites "don't see the user" for obvious reasons and they don't have this issue

Just wondering did anyone ever see this done before, and how logical / ethical is something like this?
Around 1995 maybe ..

Logic - ok, except you haven't thought it through properly
Ethical - it's not
 

jerfoley

Guest
Cheers for the feedback.

Back to yours:

It's not secure
How do you think the data gets from the web page to the fax? Well, you would need to have someone more or less sitting on your site to see the info?

If you could protect this transmission, then at least the info is in a hard copy only on a fax somewhere, so no hacking possibilities. It cuts out one avenue, and also from a hacker's point of view they are interested in hacking something that has 0000's of card details in one place, not a drip feed of details.

Taking payment details online is different to taking payment in person
You'd be in breach of your merchant agreement
If you have your T&C correctly worded you would be OK on this.

Um no.
Most of the big hotel booking sites "don't see the user" for obvious reasons and they don't have this issue,

In the back end of the big sites you can see the client's card details; the only one you cannot see is Expedia, and this is because the client has prepaid.

Around 1995 maybe .

I was looking for a simple solution.

Logic - ok, except you haven't thought it through properly.

The theory is there, just to bring it to reality.

Ethical - it's not / offer the client 2 choices: 1 submit the form, 2 print off the form and fax it.

The customer will be the proof of the pudding. This idea will only work in some cases of sales; our sales depend on you turning up etc., so they are in the future.

Most other sales are for a product the customer expects to get delivered in XX days.

Maybe someone would have an idea.

This could only work if you had a physical terminal, so again it limits the amount of potential users.

This is an idea for ma & pa enterprises, who want to trade, and have existing facilities.

Cheers for the advice.
 

mneylon

Administrator
Staff member
It's not secure
How do you think the data gets from the web page to the fax? Well, you would need to have someone more or less sitting on your site to see the info?

If you could protect this transmission, then at least the info is in a hard copy only on a fax somewhere, so no hacking possibilities. It cuts out one avenue, and also from a hacker's point of view they are interested in hacking something that has 0000's of card details in one place, not a drip feed of details.

You asked was it secure. It isn't.
There is no way to get the data from the site to you without it going across the internet. I could go on about ways that you could encrypt it etc., but you seem to think it's acceptable (it isn't).

Taking payment details online is different to taking payment in person
You'd be in breach of your merchant agreement
If you have your T&C correctly worded you would be OK on this.
No you wouldn't be.
Ask your bank. Ask Visa.


Your idea is highly dangerous and, if you go ahead with it, will lead to even more credit card fraud than there is already.

Don't do it
 

jerfoley

Guest
You seem to be a NO man. It was just an idea; if everyone who had an idea talked to a guy like you then there would be no new ideas. Potentially it is a simple solution if one was to overcome the transfer of the details over the internet. I look for solutions, whereas you seem to look for problems. Cheers. And 99% of online card fraud comes from phishing sites or hacking databases that hold 000's of card numbers. Do you think a lot of these guys will bother with things that fall outside these 2 main areas?
 

jmcc

Active Member
How do you think the data gets from the web page to the fax? Well, you would need to have someone more or less sitting on your site to see the info?
It depends how the system is set up. It is really introducing another point of attack. Then there is the problem with technology - how many people still use faxes?

If you could protect this transmission, then at least the info is in a hard copy only on a fax somewhere, so no hacking possibilities.
The information has to get to the fax so it may be converted from text format to an image (TIFF from what I remember) format. This introduces two more points of attack.

Ethical - it's not / offer the client 2 choices: 1 submit the form, 2 print off the form and fax it.
And what for the customers who may just mail it?

this is an idea for ma & pa enterprises, who want to trade, and have existing facilities
This may be getting into the area of "factoring" and you may have to read the terms and conditions of the merchant agreement to see that the contract allows you to do such a thing.

Regards...jmcc
 

tomed

New Member
You seem to be a NO man. It was just an idea; if everyone who had an idea talked to a guy like you then there would be no new ideas. Potentially it is a simple solution if one was to overcome the transfer of the details over the internet. I look for solutions, whereas you seem to look for problems. Cheers. And 99% of online card fraud comes from phishing sites or hacking databases that hold 000's of card numbers. Do you think a lot of these guys will bother with things that fall outside these 2 main areas?

No-one here is being a "no man". It's called experience.

What you are trying to do is nothing new, we've been down that road before which has led to things being done the way they are today.
 

Byron

New Member
Hello jerfoley,

The simplest solution is to use a payments processor such as Realex RealPay. It is secure, it is confidential, it is insured and it is practical. It does cost money, but accepts Laser, unlike most payment systems. You can go about it your own way, but if it goes wrong you will end up liable, personally, for any data protection or fraud issues, not you, not your host and certainly not your website developer.

In conclusion, yes your method works, but pair up with a few other people to break down the cost, use your script in line with Realex policy, etc. on several pages for different properties, etc.; it will save you money and will be more secure.

I don't think you have considered the costs of an SSL cert per year or getting a solicitor involved to verify the legality of a new system. I don't see it as resell-able as an idea also.

Best of luck,
Byron
 

niall

New Member
And 99% of online card fraud comes from phishing sites or hacking databases that hold 000's of card numbers. Do you think a lot of these guys will bother with things that fall outside these 2 main areas?

Some of the things you'll have to deal with:
1. Transcription errors: You want to lose sales because whoever is transcribing the numbers into the local machine screws up?
2. Management of the faxes: What are you going to do with the received faxes? Can you be 100% sure that all of them will be shredded? Are you going to have measures in place to log every fax received and log who was responsible for the disposal?
3. Web-Fax Gateway: What retention policy will the Web-Fax gateway you're planning on using have? Are they PCI compliant? Do they store the faxes in encrypted form?

I'm sure if I think a bit more I can come up with even more issues which will have to be dealt with. Unless you can document 100% every step of the way, whoever provides your merchant account is not going to be impressed.

Unless there's a very very compelling reason, you're better off using a payment gateway like Realex or its ilk.

Niall.
 

jerfoley

Guest
Hello jerfoley,

The simplest solution is to use a payments processor such as Realex RealPay. It is secure, it is confidential, it is insured and it is practical. It does cost money, but accepts Laser, unlike most payment systems. You can go about it your own way, but if it goes wrong you will end up liable, personally, for any data protection or fraud issues, not you, not your host and certainly not your website developer.

In conclusion, yes your method works, but pair up with a few other people to break down the cost, use your script in line with Realex policy, etc. on several pages for different properties, etc.; it will save you money and will be more secure.

I don't think you have considered the costs of an SSL cert per year or getting a solicitor involved to verify the legality of a new system. I don't see it as resell-able as an idea also.


Best of luck,
Byron

Cheers for the feedback. I actually use Realex for one business and I find it fine, but every different business had different models. I was just thinking of Realex getting 29 euros per month, and look at that cost over 3 / 4 years: 1000 - 1400 euros. But again, you also need 2 things to do what I am talking about: a fax and a physical terminal.
 

jerfoley

Guest
Some of the things you'll have to deal with:
1. Transcription errors: You want to lose sales because whoever is transcribing the numbers into the local machine screws up?

IT WOULD BE A PRESET NUMBER

2. Management of the faxes: What are you going to do with the received faxes?
STORE THEM IN HARD COPY UNTIL AFTER THE CUSTOMER HAS DEPARTED

Can you be 100% sure that all of them will be shredded? WE HOLD THEM PHYSICALLY AND DESTROY THEM AFTER THE GUEST HAS LEFT

Are you going to have measures in place to log every fax received and log who was responsible for the disposal?

THIS IS A SMALL SIMPLE SOLUTION, WHICH WOULD NOT WORK FOR A LARGE ONLINE SELLER, SO SMALLER USERS WOULD USE IT,

3. Web-Fax Gateway: What retention policy will the Web-Fax gateway you're planning on using have?
NONE. THE INFO IS SENT STRAIGHT TO THE FAX AND IS ONLY AVAILABLE IN A HARD COPY

Are they PCI compliant?

Do they store the faxes in encrypted form? NO IN HARD COPY

I'm sure if I think a bit more I can come up with even more issues which will have to be dealt with. Unless you can document 100% every step of the way, whoever provides your merchant account is not going to be impressed.

Unless there's a very very compelling reason, you're better off using a payment gateway like Realex or its ilk.

HAD A LOOK AT E-PATH.COM.AU SYSTEM IS SOMETHING SIMILAR TO MY NEED ONLY THE INFO IS NOT FAXED

Niall.

 

niall

New Member
There's no point in SHOUTING, I'm trying to give you some advice on some of the things you'll come up against. I have had to do plenty of PCI Compliance work and know the kind of things you're likely to come up against.

Some of the things you'll have to deal with:
1. Transcription errors: You want to lose sales because whoever is transcribing the numbers into the local machine screws up?

IT WOULD BE A PRESET NUMBER

Em, not talking about that. I'm talking about whoever is reading the number off the fax and putting it into the local merchant terminal.

2. Management of the faxes: What are you going to do with the received faxes?
STORE THEM IN HARD COPY UNTIL AFTER THE CUSTOMER HAS DEPARTED

Can you be 100% sure that all of them will be shredded? WE HOLD THEM PHYSICALLY AND DESTROY THEM AFTER THE GUEST HAS LEFT

Right, and what details are going to be stored? Are they going to be in a locked cabinet? Who's going to have access to them?

Are you going to have measures in place to log every fax received and log who was responsible for the disposal?

THIS IS A SMALL SIMPLE SOLUTION, WHICH WOULD NOT WORK FOR A LARGE ONLINE SELLER, SO SMALLER USERS WOULD USE IT,

Just because they're small, doesn't mean they'll be exempt from having to handle the credit card data properly.

3. Web-Fax Gateway: What retention policy will the Web-Fax gateway you're planning on using have?
NONE. THE INFO IS SENT STRAIGHT TO THE FAX AND IS ONLY AVAILABLE IN A HARD COPY

So, you're talking about installing a fax modem onto the server where the website is to be hosted? In most DC's I've dealt with, that means line rental and cross-connect costs. Suddenly online payment processors are looking like a better option.

Are they PCI compliant?

If you're using an Email/HTTP to fax provider, you'll have to be sure that they are PCI compliant and make 100% sure of exactly what they store and how.

Do they store the faxes in encrypted form? NO IN HARD COPY

See previous point about the Hard Copy aspect.

Unless there's a very very compelling reason, you're better off using a payment gateway like Realex or its ilk.

HAD A LOOK AT E-PATH.COM.AU SYSTEM IS SOMETHING SIMILAR TO MY NEED ONLY THE INFO IS NOT FAXED

I haven't come across E-Path before, but I'm betting they're not faxing it for a reason.
 

dfeehely

New Member
On the subject of payment processing, has anybody dealt with Lucey yet?
Are they any good?
www dot lucey dot ie
 

mneylon

Administrator
Staff member
On the subject of payment processing, has anybody dealt with Lucey yet?
Are they any good?
www dot lucey dot ie
I had a look at their pricing a while back when someone mentioned them on Twitter ..
They seem very expensive compared to the likes of Realex

They also seem to have some really odd software requirements: Minimum Requirements
 