{sigh}
Dean, thanks for bringing that up, but it's not an issue in this
question. And, not to diminish your expertise in any way, but it's a
little like asking "have you figured in the cost of doing SSL over
TCP/IP into your business?" Again, elementary analogy I know, forgive
please. I will explain further below.
Mike:
I've used this solution since 2000. As I stated in the email which
you reference from 2004, this is a solution which removes the middle
man (the gateway) and all associated fees. If by monthly fees you
mean a Visa/Mastercard required minimum, yes, no one escapes that -
no one! What this means is that if you don't do X amount in combined
V/MC transactions each month (whose resulting fees equal $20), they
will charge you $20 in place of the percentage and transaction fees.
If you do X amount, then your $20 min. is waived and you pay the
transaction and percentage fees instead.
Now, as for any other fees, monthly or other, no. The only fee you
pay in this set up is the per transaction fee assessed by V/MC/Amex
and Discover. Currently, my fees are:
V/MC 2.02% per trans, and .28 cents
Amex 3.25% per trans, and (I think) .10 cents
Discover 1.68% per trans, and .10 cents
This is from memory. But here is the number from my accounting ==> Of
all sales income received by Credit Card, divided into total (all,
everything) processing fees, my overall cost for this year is 2.5%.
For the cost of CFXNova, I think it's a dam* good deal. Show me a
lower number and I'll.......
Now, let's talk about PCI DSS because Dean brings up a valid point,
if not (in my stupid, retarded and humble opinion) misguided. Here
are the PCI DSS, non enforced, difficult to prove, let's all feel
good about (insert standard here), compliance points:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data -
been there done that.
2. Do not use vendor-supplied defaults for system passwords and
other security parameters - yeah, that was a no brainer
Protect Cardholder Data
3. Protect stored data - done
4. Encrypt transmission of cardholder data and sensitive information
across public networks - done (128 bit Rijndael encryption)
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software - some argument
here, as it can cause more problems than it solves.
6. Develop and maintain secure systems and applications - done: SSL,
closed ports, per file/script/page security, required log ins,
multiple app checks
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know - Yes, because
Dave in the mail room needs card data?
8. Assign a unique ID to each person with computer access - right.
Or, no let's be stupid and use admin/admin
9. Restrict physical access to cardholder data - not hard to do
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder
data - yep
11. Regularly test security systems and processes - yep.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security - yep.
Let me add a few more
13. Only store data for as long as is necessary for your business,
balanced with the need for some level of customer support (i.e.:
don't bug the customer for their card when you need to refund
something 3 days later).
14. Use actual human readable log files generated by CFXNova and
store and review on a regular basis to look for fraud.
15. Review each and every transaction, looking for CVV2 and AVS
compliance, if it's suspicious, void, refund or delete it. In some
cases, I've even contacted the issuing bank.
16. Change encryption keys on a regular basis.
Now, how much does all of that cost? Less than 2 hours per month, if
that.
Again, Dean makes a valid point. But more important is to understand
that you have some basic obligation to cover yer arse! You can store
the card data or not. But too often I see people who think that once
a transaction is completed that the card data can be deleted. Let me
give you a nice paradox for your morning coffee.
V/MC tell you not to store the data or at least say that you should
not. Funny. Because six months after a card is processed you may get
a charge back. And, since your "customer" gave you an address which
may not match the card holder address, and since you deleted the
data, you have no way of knowing which transaction is being disputed
because V/MC simply gives you a card number and an amount. You have
fun finding that one!
_____________
Derrick Peavy
Sales and Web Services
Universal Advertising
Phone: 404-786-5036
Fax: 404-370-0470
http://www.universaladvertising.com
http://www.collegeadvertising.com
http://www.collegeclassifieds.com
___________________________________
On Dec 13, 2006, at 4:23 PM, Mike Staver wrote:
I don't know I guess - I had assumed that the CC number got
transferred using this tag and I wouldn't need to store it anymore,
but perhaps I'm wrong. Is anybody using this method currently?
Dean H. Saxe wrote:
Perhaps I misunderstood. Who retains the credit card data?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the
American public."
-- Theodore Roosevelt
On Dec 13, 2006, at 3:34 PM, Mike Staver wrote:
I'm curious to what you mean here - are you saying that Costco
isn't compliant? It was my understanding that this setup doesn't
store the CC but rather uses Costco - but maybe I misunderstood.
Dean H. Saxe wrote:
What about the costs of compliance with the PCI DSS standard?
Figure that into your equation before trying to accept credit
cards.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is
not that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Dec 13, 2006, at 3:06 PM, Mike Staver wrote:
Going way back to 2004 posts here, is there a monthly fee for
this?
Derrick Peavy wrote:
Use Costco with CFXNova
1. Join Costco at executive level ($100)
2. Apply for merchant account ($35)
3. You now have a merchant account for $135
4. Download CFXNova for 30 day trial.
5. With CFXNova, you get 2.2% V/MC @ 28 cents per transaction. If you
can show me a lower rate, I'll buy you a cup of coffee - you can't.
This rate is for Internet / Mail Order / Telephone. Swipe rates are
as low as 1.68%.
6. Using CFXNova and coding for certain parameters, you can get
non-qualified rates down to less than 3%. Non-qualified rates are
basically business cards and most merchants don't tell you that your
non-qualified rate can be 4% or more.
7. Since you are going directly from your server to the processor
(Nova), you do not pay a middle man for gateway services as in the
case of Authorize.net, cybercash or other services.
8. I use this solution. So far this year, my sales are at just under
$50,000. My TOTAL credit card costs for the year to date is $1,095.00
or, 2.2% of total sales. That includes everything to do with the
credit card processing. I can assure you that when the dust settles,
you will not realize such a low cost with any other solution.
9. You can download a trial of CFXNova at www.cfxworks.com
_____________
Derrick Peavy
Sales and Web Services
Universal Advertising
http://www.universaladvertising.com
http://www.collegeadvertising.com
http://www.collegeclassifieds.com
___________________________________
From: Tom Chambers <[EMAIL PROTECTED]>
Organization: Chambers Systems
Reply-To: discussion@acfug.org
Date: Fri, 14 May 2004 7:48:12 -0400
To: discussion@acfug.org
Subject: Slightly OT: Credit Card acceptence and processing
Good morning all,
Several questions regarding payments via a website.
1) Are fees fixed or a percentage of the transaction?
2) What are some suggestions for the most reliable/affordable
provider of merchant transaction processing?
3) Any tips on what types of credit cards to not accept (for any
reason)?
Thanks,
Tom
------------------------------------------Unsubscribe from
this list by
sending a message to [EMAIL PROTECTED] with the
word unsubscribe in
the body.
RSVP at http://www.acfug.org
-- -Mike Staver
[EMAIL PROTECTED]
http://www.fimble.com
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------