Credit Card Validation and Verification

In order to process credit-card transaction online, you need two things: a merchant account with a bank or other financial institution that acts as a clearinghouse, and the ability to provide a secure connection for the transmission of credit card data. We'll talk about the former here, and defer discussion of the latter to Chapter 8 (Security).

Different banks have different rules about who can have a merchant account, but once you've got one the process is pretty much the same for all of them. To obtain a merchant account you usually must have a registered business name or license, a tax or business registration number and often several years worth of accounts. If yours is a new business, a well-written business plan may also be helpful. Some banks won't permit mail or phone or internet orders on a new merchant account, and insist on a six-to-twelve-month assessment period before they will let you process mail/phone orders. Different financial institutions have differing policies; check these over carefully before signing on the dotted line. Banks tend to be especially rigorous (and sometimes even downright paranoid) with regard to Internet transactions. One beneficial side effect of this, however, is they often have a preferred solution provider, which can save you the trouble of setting up your own secure server (or of processing all your transactions manually). On the other hand, this may include a policy to the effect that if you use anything else, your transactions may be refused, or the bank may insist on going over your arrangements with a fine-tooth comb.

The following items apply mostly to manual transactions, which you'll need to do in order to handle telephone, fax and mail-in orders:

1.    Once you've obtained a merchant account, you'll receive an imprinter or electronic terminal (the former is much cheaper, the latter is easier), a merchant card (sole use of this is to imprint merchant account details on credit card slips), some phone numbers and instruction manuals, and the stationery required for your imprinter so that you can do deposits, credits, and so forth. If you anticipate a large volume of these transactions, you can usually obtain telephone order pads rather than the single-transaction slips usually seen  these will help streamline the process because much of the information you need to include or imprint on single-transaction slips is pre-printed on these.

2.    You'll be given a "floor limit" (the maximum amount you can process without authorisation, although you can get authorisation for every transaction if it makes you feel better). You'll probably be charged a percentage of each sale which can range anywhere from around 2.5% up to 4.9%; the high end of this range tends to be the rule with new accounts. Some processors will charge you a per-transaction flat fee  depending on your business model and average prices of your products, this might be a better or worse deal for you than a percentage of your sales. You should definitely shop around and see what's available before making a commitment in this regard, whether you're looking for your own merchant account or a one-stop-shop service provider (some of whom will still require that you have your own merchant account in any case).

3.    You'll also receive a monthly list of invalid card numbers of all types which will not be processed due to their being expired, stolen, lost, closed, and so forth. You'll be expected to check all transactions to ensure the card isn't listed. If you process a listed card without getting authorisation, it won't be honoured, and you'll have to cover out of your own pocket.

4.    If the amount of a sale is over your floor limit, phone the merchant authority number and request an authorisation. If you don't get this, don't make the sale. Try again the next day or contact the customer; sometimes it's just a glitch in banking system, but again, it may not be. Don't try to second-guess the bank  the bank holds the purse strings. Follow their instructions and policies to the letter.

If your business or that of your employer or client is relatively small, we recommend that for "live" Internet credit card transactions you use whatever system your bank provides or that you enter into an agreement with a third-party processor. In this way you minimise your overhead. You'll also help protect yourself from being liable in the event of major fraud or a breach of security.

We'll meet up with some of these issues again in Chapter 8, when we discuss security issues.

Credit Card Form Display

Different financial institutions have different policies regarding the information they require about a credit card and cardholder before they'll authorize an online sale. At a minimum they'll require the cardholder's name as it appears on the card, the account number, and the expiration date. Some issuers are beginning to include an extra numeric or alphanumeric code on the back of the card but this practice is not (yet) universal. Some require complete address verification, although an increasingly common practice is just to check the cardholder's ZIP code or postcode against what's in the account's billing records.

it's often the case that a customer wishes to have items shipped to a different address than his actual billing address, we'll obtain the complete billing address. If you use a third-party provider such as PayPal or iBill, this form will reside upon the provider's server but should look something like what we show here.