If you take credit cards in your billing program
you need to read http://www.virtualmin.com/documentation/id,pci_compliant/
I just wrote this to help others that need to become PCI Compliant as this will be enforced June 2009.
To be short, if you have your own billing program like WHMCS and you take credit cards, you must be PCI compliant by the end of May 2009 or face fines and your merchant account disabled.
If you only take PayPal or any other like services you do not need to follow this. This excludes PayPal Payflow, which is still a virtual credit card terminal, and you must be PCI Compliant.
Nice writeup.. I don't understand why you need to disable imaps and pops though - surely logging in via ssl is more secure than sending passwords plain text?
<b>cyberthom wrote:</b>
<div class='quote'>Nice writeup.. I don't understand why you need to disable imaps and pops though - surely logging in via ssl is more secure than sending passwords plain text?</div>
Which is why ftp should not be used unless absolutely necessary and only using TLS. And disable every program you do not need. The less running the better you are.
Yeah, another industry "Shakedown".
They tried it a few years ago and so many people called the various industry scammers involved (such as First Data Corp) to complain about all the BS that the entire (US) merchant processing industry realized they weren't going to be successful enforcing it and had to give up the scam!
Most of the industry players who voted to try this on us were also trying to sell $900 "website compliance audits" and etc... But if they had kept at it they'd have had no small customers left because nobody could afford to implement the compliance they wanted.
I intend to ignore it and complain loudly to whomever tries to do the finger shaking.
In the worst case scenario, it's unlikely they would cancel your account... hehe... that's how they make their money... no, instead, they will just threaten to cancel it then the transactions will "degrade", ie., they'll use this as an excuse to charge you more for the transactions in question.
Besides, If they don't want your money just use overseas processors... Perhaps you are young or perhaps new to the business world, but trust me, overseas processors don't care what phony "regulations" industry players in the US are trying to puff up by creating the illusion that they exist. They don't. If that were true, you'd never be able to process Visa transactions in the very countries where most Visa transactions originate from and are processed in! There's ALWAYS somebody out there who will be more than happy to swim in your upstream and fish in your downstream!
It's all BS.
My processor didn't even warn me. They took $129 out of my account and sent a notice in email that I had until end of May to comply or my merchant account would be closed. At least it was only $129 and not the thousands others have been scammed from and getting PCI compliant for me is rather easy to do.
I don't know anyone that actually likes the merchant services industry. ;-)
I think that as soon as we're able we're going to move all of our transactions to Amazon payments, PayPal, and Google Checkout, and not use Authorize.net and merchant services at all. The rates for Amazon and Google Checkout are actually better than what we get from our merchant provider, anyway. PayPal is more expensive than I like, but at least the level of fraud is dramatically lower (almost zero), so it saves us time. And all of those companies care at least a little bit about customer service and treating their customers like human beings. The merchant services industry is just hateful to buyers and sellers alike, and the sooner we're rid of them the better, as far as I'm concerned.
--
Check out the forum guidelines!
HAHA... well, that shows you what an anti-regulation old man I am... I just went and read your write up. Actually those look like rules everybody should probably already be compliant with, not the more ridiculous ones they tried to play on us a few years ago.
All in all, though, I still agree with my cynical post of a few minutes ago... this is just another step by the industry to grant themselves unlimited authority to degrade your transactions.
$$$Cha-ching$$$
I called VISA and bitched them out for scamming merchants like. I told them this is exactly like strong arm robbery and that is a felony so what makes them above the law.
Oh and I have no time to find out overseas processors anyways. If I knew of any off the bat that took US clients I would go there.
Maybe that is something we should have in the wiki ?
Figures... so, they RETROACTIVELY degraded your transactions?
I'd sue them.
Who's your processor and provider if you know?
1st National Processor out of Calabasas, California
Oh and my transactions were never degraded. At least I don't see anything odd in my statements from them.
OUTRAGEOUS. YES, it is EXACTLY that... a scam... they've done this in the past as well... and the entire industry just loves to jump on the bandwagon.
The amount they hit you for probably isn't worth suing for and they know it... but it's unlikely they'll cancel your account if they are profiting from it, instead, they will just find a way to "offer" you transactions processed at a new, crappy degraded rate.
Welcome to the scummy scummy business world!
I thought Google was more than normal processors?
Currently I am paying 2.2% on all visa, mc and discover charges and pay a flat fee of $5.95 with AMEX.
I don't do a ton of business - only about $4,000 a month but I have a lot of expenses as well. $1500 for servers and related stuff and I have a part time employee plus my normal business expenses so my real profit per month is maybe $700-900 on a good month.
<div class='quote'>I thought Google was more than normal processors?
Currently I am paying 2.2% on all visa, mc and discover charges and pay a flat fee of $5.95 with AMEX.</div>
You're getting a much better rate than we are, on average. We get a range of rates based on several variables, but we end up paying the highest rate most of the time, since our customer base is remote, we never have card present or a signature or even a telephone confirmation, our current shopping cart and Authorize.net can't selectively do address verification (and international cards never pass address verification, so we can't turn it on for everyone or we'd end up turning away 50% of our business). Anyway, we pay about 3.75%+$0.30 for most of our transactions, though the low end of our rate is 2.mumble%.
If the process of setting up a merchant services account wasn't such a damned nuisance, I'd shop around some. But, the whole business is stuck in 1986. Everything has to be done via fax or phone or mail. It's crazy and the kind of thing that just makes me feel angry and frustrated whenever I have to deal with it.
The rates at Amazon are actually pretty good, and they also handle fraud better. I'm leaning that way, though our new shopping cart doesn't have support for it yet. I've pinged the developers to see if we can encourage them to add it.
This was the best processor I could find out there so far -> http://www.advancedmerchantgroup.com/ with the best rates if you're interested. Talk/email to Errick, he is my contact there and it's a family-run one so you get a better response from them.
I got set up in less than a day too. If you do get a merchant account with them tell them I sent you so I can get a finder's fee LOL
I assume the $100+ bucks they hit you for was to retroactively degrade transactions they processed this year at a better rate to a worse rate... that's a guess, but a good one, because I know for a fact that's how they operated in the past with several of us...
I don't think any of my transactions were degraded. I just looked at all my statements for the past year and the rates have not changed.
I assume that with processors like iTransact, Authorize.net, and LinkPoint we could avoid much of the problems by not rolling our own cart, or at least, processing the payments on THEIR ssl site.
Of course, that's not gonna change the lack of card swipe that's typical of Electronic Commerce.
If there's a way they can make another .002 per transaction, they're gonna. I like PayPal and Google, they're definitely good for business, but, don't people have to create accounts and etc? That can be a deal killer if that's the only type of processing available if you sell the kind of low priced trinkets like I do. The more payment types available = the more payments received.
To me, it's worth it... but I could DEFINITELY see dumping it altogether if I could. I'm surprised you need merchant processing at all with virtualmin sales though... why not just take checks and paypal?
Tried checks -- those bounce and it's a $25 fee that I pay each time, so not worth it, and paypal is a rip off with their fees.
<div class='quote'>I'm surprised you need merchant processing at all with virtualmin sales though... why not just take checks and paypal? </div>
I'm not as worried as Scott about bounces...but the cost of processing checks in my time is <i>way</i> too high. There's a reason many big software shops will only do PO+check orders for some minimum amount (for Red Hat it's $3000, for example). If there's anything I hate more than having to make a phone call to deal with something it is having to go to the bank to have to do something. I hate our bank now that it's been acquired by Chase.
But, we could probably get away with only taking PayPal and Google Checkout and Amazon FPS. Out of those three, I'd guess that 90% of our potential customers already have an account, and at least some of the remaining 10% won't mind signing up for one.
We'll keep card processing going for another few weeks, most likely, but something really has to give. The price we pay for our card processing is higher than all but PayPal, and the fraud protection is non-existent. And, of course, any communication we have with them has to be via telephone or fax. And they mail out chargeback notifications. Who does that? Who still sends out paper mail about digital events? It doesn't even make sense.
I'd actually be curious to know what folks prefer for paying for Virtualmin. I'll never make PayPal the default or only payment method (it's just too expensive), but if nobody had any objections I could see moving to offering Amazon FPS, Google Checkout, and PayPal, and no direct card processing.
Joe why don't you contact AMG, I gave the link a few posts back ? They got a really good deal for card processing.
I don't use paypal because the fees are stupid high and most of my clients are in the EU and the cross border fees suck. Google isn't much better either when it comes to rates. I get more money back using my processor.
AMG offers fraud checking and so does Authorize.net, which is who I go through, and AMG resells Authorize.net and I got a great deal on that as well.
Got any questions related to AMG and my processing Joe and I'll answer them.
<div class='quote'>Joe why don't you contact AMG, I gave the link a few posts back ? They got a really good deal for card processing.</div>
Because the rates are not my biggest complaint about our current processor. I also dislike Authorize.net (we currently use Authorize.net with our current processor). I'm talking about the whole experience of merchant services, and I don't get the feeling from AMG's website that they are any different.
When I have a problem with our merchant services company I have to pick up the phone. I <i>hate</i> picking up the phone. In fact, every day that I have to pick up the phone to call someone is a bad day for me.
When I need to make a change, I have to fill out and fax a form to them. I don't even own a fax machine, and haven't physically laid hands on one in over ten years. I have a scanner, and a fax service (specifically for interacting with the merchant services people, and no other reason), but I don't want to. If I never send or receive another fax in my lifetime, that'd be fine with me.
I've had a look at AMG's website, and they're not giving me any confidence that I'm going to be able to handle my business with them entirely online. If I can't, then it's not worth the hassle of changing. I'd just be angry at someone else (like you for recommending them!). ;-)
Yes, I'm paying too much, and yes, PayPal is even more. But, if it takes me an hour every week to go over our transactions and make sure things are sane, and to deal with chargebacks and deal with refunds and such, it's already costing me more to use the merchant services provider than even PayPal; and Google and Amazon FPS are pretty close to parity. A 1% or 2% difference isn't going to change that. I want a fundamentally different experience than any merchant services provider I'm aware of is willing to offer...I'm willing to pay more for that fundamentally different experience.
A friend of ours has just started a company (and raised some money) to build out a payments service, and I'm keeping tabs on what he's up to. And, there are some other modern payment gateway providers (that require no fax machines). I just need to spend some time researching them.
Going from one Authorize.net+merchant services provider to another does not seem like a useful way for me to spend my time. ;-)
Anyway, on the fraud front, the new shopping cart is a wee bit better than the previous one, but we still can't take advantage of the best fraud prevention features because it would prevent us from taking overseas orders, and it is an on/off thing at Authorize.net.
The only time I had to fax AMG anything was the application, after that any issues I had I just emailed Errick and he took care of it.
With everyone else I had issues with I was forced to call them about it.
<div class='quote'>The only time I had to fax AMG anything was the application</div>
Already failed, in my book.
What if I need to change bank accounts? If they can't securely accept the application online, I think it's safe to assume they won't have a secure form for updating payment information.
Chargebacks: Do they mail them to you? Fax? Or can you get and respond to them online? (Note that only the last one is an acceptable option for me.)
I'm not trying to be an ass...I'm sure AMG is great at what they do. But what they do is not the kind of service I need. My current crop of "big problems" includes dealing with all the crap that comes from doing a bunch of small transactions every month, and that number is climbing, so it's not getting any easier. I could pay an assistant to come in a couple times a month and help out, or I can pay a little more for each transaction and have the task go dramatically faster. I suspect hiring an assistant would cost a lot more than an extra point or two on my transaction fees.
I simply use paypal and bank transfers for buying and selling.
Whenever I buy online I use paypal. If the company is in the Netherlands/Belgium I use Ideal if they offer it.
It may be a bit more expensive but it reduces a lot of hassle, saving time and money in the end. If I can't buy with paypal, I won't buy (unless you have Ideal).
So Ideal is, I think, a typical Dutch system. It's telebanking within a layer of the website you're buying from, much like paying with paypal. It's tremendously safe. The website you buy from never gets your credentials even if they wanted to. Most webshops in NL use it as it is trusted by consumers (also the first thing I look for).
I never have nor will use CC to pay online.
<div class='quote'>This is WorldWide and not just North America.</div>
a). Credit card companies cannot levy fines.
and...
b). There is no such thing as a law that is applicable 'worldwide'.
That said, credit card companies do have the power to close your merchant account with their (and only their) particular credit card brand, obviously. :)
Credit card companies levy the fines against the bank processor who in turn levies the fine against you and/or disables your merchant account.
Yes, there is such a thing as worldwide, seeing that VISA is worldwide and therefore can enforce their agreements. PCI is a worldwide standard; if you don't think it is, email them and tell them they lie.
Only takes a bit of thinking to understand that.