Archive for the 'Payment Gateways' Category

A common questions amongst new online merchants is where do you get your payment gateway from? Do you go straight to Authorize.net? Or do you get it from your merchant account provider?

You typically will get both in one place but this is not necessarily how it has to be done. Authorize.net can only be established through resellers and most resellers are also merchant account providers. So, you will find that whatever merchant account provider you chose will most likely also be able to establish your Authorize.net gateway for you. This way is the most common and the easies way to do it.

However, it is possible that you can get your payment gateway from one provider and merchant account from another. But you will find besides the fact that this is more work for you, you will also run into resistance from Authorize.net resellers and merchant account providers who want to sell you both services and not have another provider taking “a piece of the pie”. It is best to get both services from the same provider as the pricing for an Authorize.net gateway is virtually the same from most of their resellers.

Visa and MasterCard forbid Internet merchants from using software or equipment that does not support the Electronic Commerce Indicator. Electronic Commerce is when the cardholder’s information leaves possession of the cardholder and travels through an open connection, such as the Internet, to reach the merchant. In order to designate this type of transaction, the Electronic Commerce Indicator (ECI) must be included on the payment transaction message format to show that the transaction originated form an Internet source. This indicator is assigned in the point of sale product utilized by the merchant. Credit card information sent via email does constitute a transaction needing the ECI in the transaction to the processing bank.

Visa U.S.A. introduced a penalty structure effective June 1, 2000, for acquirers who fail to identify an electronic commerce transaction with the correct electronic commerce indicators. MasterCard International introduced a penalty structure effective August 1, 2000, for acquirers who fail to identify an electronic commerce transaction with the correct electronic commerce indicators.

If a merchant’s software sends an ECI (values of 5, 6, or 7) the transactions are noted as a secure ECI transaction and must be using a secure form of processing card data. These transactions are eligible for CPS rate programs. If the software sends up an ECI value of 8 or 9, the merchant is processing the card data in a non-secure format and the transaction cannot qualify better than EIRF (i.e. the highest rate you can pay for a transaction).

All terminal products that are certified to pass an ECI send a value of 8 because this is a non secure way of processing electronic commerce transactions. But there aren’t any credit card terminals currently supported to handle ECI. This means you must use special software or a gateway only. Visa and MasterCard employ 250 employees whose sole purpose is to find web merchants who violate this policy. Violating could result in fines, your account being terminated, and/or you being blacklisted for accepting credit cards.

Authorize.net, the most popular payment gateway provider, announced that it saw a spike in fraudulent transactions pass through its systems this past weekend. The transactions, which ranged from $500 - $700, were billed to all major credit cards for users across the country.

All of the fraudulent transactions were processed through web hosting companies that use the Authorize.net payment gateway services. The hackers who did this apparently stole quality credit card data and used security holes in the web hosts’ systems to run the sales. The money for these transaction were sent to the webhosts. The hackers used the sales to verify whether the credit cards were valid. With the transactions being successful they are expected to use them in other fraudulent transactions very soon.

The web hosts and Authorize.net are at odds over where the security breach occurred. The web hosts are blaming Authorize.net. Authorize.net claims it cannot be there services fault as they just act like a credit card terminal and the blame as to be on the hosts for using flawed software.

On Sunday about 1,500 transaction were run through in a 90 minute period early Sunday morning totaling just under $1 million to one account! A total of three webhosts were used in this attack. In all cases the information put through the system included a valid credit card number, expiration date, cardholder name, and cardholder address. The successful transactions proves all of the information is accurate and correct.