WEB Anyone ever apply for a merchant account?

Discussion in 'OT Technology' started by o2, Mar 6, 2010.

  1. o2

    o2 Witty Title Here OT Supporter

    Joined:
    Oct 4, 2005
    Messages:
    16,099
    Likes Received:
    11
    Location:
    Toronto
    To take credit cards directly through your site, not going through a gateway page.

    What kind of shit did they ask from you?

    What's the deal with that PCI compliance shit... do you just do a self-evaluation and submit them something? I was asked if I was PCI compliant... I looked through their 12 requirements, and all are met. Do I just say YES, or do I need some sort of "proof"?
     
  2. redna

    redna New Member

    Joined:
    Oct 24, 2001
    Messages:
    2,614
    Likes Received:
    0
    In for answers...
     
  3. Pepsi1975

    Pepsi1975 Mod of the Year

    Joined:
    Jan 6, 2005
    Messages:
    47,590
    Likes Received:
    0
    Location:
    Detroit
    I was not in direct talks with the bank, my client was, but when I was setting up his site, we had a checklist like you mentioned, and when we told them it was all met, they visited the site to verify that we were not lying.
     
  4. o2

    o2 Witty Title Here OT Supporter

    Joined:
    Oct 4, 2005
    Messages:
    16,099
    Likes Received:
    11
    Location:
    Toronto
    Well, they can't really check most of those things unless they see the source code. How do they know billing info is encrypted? How do they know who has access to it? For all they know, I can have a PHP script available to everyone that prints out credit card #s.

    And I'm not doing this through a bank, I'm doing this through an online company, like Instabill.
     
  5. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
    We have a merchant account with Barclays Merchant Services. To be PCI DSS compliant, we'll need to complete PCI DSS SAQ D, which is a long document. It outlines guidelines/rules for ways of working with card details within your organisation, as well as setting out stringent technical requirements, e.g. you'll need a physical dedicated server for each role (1 web, 1 database) and also a hardware firewall. Virtualization is not acceptable, apparently.

    It sounds like you only completed SAQ A? Which means you don't actually handle any card details but send people off to a third-party hosted payment page...
     
  6. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
    It's a very good point; it's a Self Assessment Questionnaire, after all. If a vulnerability in your system did ever lead to card data being leaked, and it was tracked back to your organisation and you lied on the PCI DSS form, you could be in for a big fat ass fucking and be liable for the lost monies.
     
  7. o2

    o2 Witty Title Here OT Supporter

    Joined:
    Oct 4, 2005
    Messages:
    16,099
    Likes Received:
    11
    Location:
    Toronto
    I didn't realize this was going to be SAQ D. I was under the impression it was SAQ A the whole time for some reason.

    Where does it say the DB has to be on a separate server? It's a silly requirement... which doesn't make anything safer. If the www server is compromised, they will have the login to the DB server, as well as any encryption keys that are used to encrypt cardholder data.

    Just introduces another point of weakness, imo.

    Also, what's the difference between the merchant version, the service provider's version (both like 4 pages) and the big-ass 37-page version? All are SAQ D, it seems...
     
    Last edited: Mar 6, 2010
  8. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
    Should be here, I think:
    https://www.pcisecuritystandards.org/docs/pci_saq_d.doc

    The dedicated server part comes under 2.2.1 "Is only one primary function implemented per server?"

    You're right though, it's pretty much bullshit and doesn't really help anyone be any more secure. All it does is shift the blame and liability for leaked cardholder data.
     
  9. opie

    opie hi. OT Supporter

    Joined:
    Sep 29, 2004
    Messages:
    6,025
    Likes Received:
    0
    Location:
    AZ
    Sign up for authorize.net and use their CIM solution.
     
  10. o2

    o2 Witty Title Here OT Supporter

    Joined:
    Oct 4, 2005
    Messages:
    16,099
    Likes Received:
    11
    Location:
    Toronto
    Do they allow hosted payment pages?
     
  11. 05s4

    05s4 Active Member

    Joined:
    Nov 26, 2004
    Messages:
    2,424
    Likes Received:
    0
    Location:
    South Florida
    All I have to say is: cdgcommerce.com
     
  12. Astro

    Astro Code Monkey

    Joined:
    Mar 18, 2000
    Messages:
    2,047
    Likes Received:
    0
    Location:
    Cleveland Ohio
    Have you found a bank to go through to get your merchant account?

    I've set up a couple - for clients and for myself. All banks are not equal. For example, we were with bank X for a bit until they screwed us over, although it worked out in our favor and nulled the contract, and we didn't have to pay the $350 termination fee (WTF?). Bank X wouldn't give us our funds until 2 to 3 business days after the transaction was submitted. After having our contract terminated, we found bank Y, and now we get paid in 24 hours or less (nice!). Plus, the fees are more reasonable and lower too.

    Long story short: shop around and see what % the banks are looking for for merchant accounts. They vary and you may find a good deal elsewhere.

    Ask them tough questions: A transaction goes through; when do you see it in your account? Which payment gateways do they support? What costs are you going to have to pay to get set up? How long will it take to get set up? (Again, bank X took 2 months, bank Y was up in 3 days.) For the payment gateway, will they set it up for you or do you have to do that yourself?

    The bank will likely ask you some questions like how many transactions do you plan to do. What will be the average transaction size? How much do you plan to do during a month/year? etc. Oh, you will need a tax ID before you can open a business account, which is what you need to get hooked up with the merchant account.

    PCI compliance is a pain. I'm not sure if every bank is doing this, but now you have to pay for the privilege of them scanning your server. They take inventory of what is running on there and usually get some of it wrong.
     
  13. o2

    o2 Witty Title Here OT Supporter

    Joined:
    Oct 4, 2005
    Messages:
    16,099
    Likes Received:
    11
    Location:
    Toronto
    What's with this bank stuff? I plan on using http://www.instabill.com with a foreign bank account. It's going to be considered "high risk", so I doubt I'd get approved by a bank.

    As far as I know, they handle everything, and make deposits into any bank account of your choice.
     
  14. LowClass

    LowClass New Member

    Joined:
    Sep 5, 2007
    Messages:
    890
    Likes Received:
    0
    Location:
    USA
    I think you have to be PCI DSS compliant if you are storing complete card numbers. If you are using a pass-through like Authorize you are still under some rules, but since you are not storing anything it's a little easier to get through; obviously you have to have an SSL and everything, though. I have two merchant accounts currently.
     
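The distinction LowClass draws (storing full card numbers versus only ever holding a processor token) is the one that decides SAQ A versus SAQ D scope. As an added example that is not from any poster in this thread, the Python below shows the defender's side of that: what an out-of-scope app may keep (token plus last four), a PCI DSS 3.3-style display mask (at most first six and last four digits), and a Luhn-aware log scrubber so card numbers that accidentally reach application logs do not pull the logs into scope. The token value and log lines are constructed sample data.

```python
import re

# Luhn check: every real card number passes it, so it is used below to avoid
# redacting long digit runs (order ids, timestamps) that are not PANs.
def luhn_ok(pan: str) -> bool:
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# PCI DSS 3.3-style mask: never show more than the first six and last four.
def mask_pan(pan: str) -> str:
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# The only record an app that relies on a pass-through processor should keep:
# the processor's token (constructed sample value) and the last four digits.
def storage_record(token: str, pan: str) -> dict:
    digits = "".join(c for c in pan if c.isdigit())
    return {"token": token, "last4": digits[-4:]}

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Redact Luhn-valid digit runs in a log line before it is written to disk.
def scrub_log_line(line: str) -> str:
    def repl(m: re.Match) -> str:
        cand = m.group(0)
        return mask_pan(cand) if luhn_ok(cand) else cand
    return PAN_RE.sub(repl, line)

if __name__ == "__main__":
    # Constructed sample log line: the 4111... value is the well-known Visa test number.
    sample = "2010-03-06 checkout card=4111 1111 1111 1111 amount=12.34 order=1234567890123456"
    print(scrub_log_line(sample))
    print(storage_record("tok_example_0001", "4111111111111111"))
```

The order id in the sample is a 16-digit run that fails Luhn, so it is left alone while the card number is masked.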
  15. LOLZILLA

    LOLZILLA New Member

    Joined:
    Jul 11, 2004
    Messages:
    97,923
    Likes Received:
    0
    I have done this for multiple clients.

    So far, it's been fairly easy. More than anything, the party applying needs to pass their requirements (credit check). As far as the website goes, you have to show that it's ready to roll and have an SSL installed. A couple of the places simply wanted Terms & Conditions and a Refund/Exchange/Return policy posted on the site and you'd be GTG. They ask if you're using a shopping cart, so if you are, just make sure it's ready to roll.

    As far as having separate servers for DB and files, I haven't run into that, but if you want to get technical, MySQL in itself is a server, and so is Apache. lol
     