Encrypted e-mail and credit card details?


Jak-S
19th September 2006, 10:37
Hi, I am currently re-developing a site for a client, and have a problem with the way he wants to take online payments.

On his current site customers enter their order details and credit card details, they then get sent to him in an encrypted e-mail (the encryption certificate is provided by pgp.com). When he gets the e-mail he enters the details into his terminal in the shop and processes the payment that way.

I personally hate the idea of sending credit card details by e-mail (encrypted or not) and I’m not actually sure that his bank would allow him to process online payments in this way.

Does anyone know whether doing things this way is actually not allowed/illegal or just generally a very bad practice?

I’ve been trying to convince him for a week or so now to switch to a professional payment processor but he insists on doing it this way. I have found a lot of information online explaining how you SHOULD take online payments (through a dedicated 3rd party etc.) but nothing explicitly saying why this way is the wrong way.

If anyone can clarify the matter for me (whether or not this is allowed), and possibly provide a website I could quote to him that would be great.

Thanks,
Jack

openmind
19th September 2006, 10:57
I'm fairly sure that this is not illegal although if you spoke to Visa they would strongly recommend against it!

You are right, encrypted or not, he should not be sending CC details via email...

DuaneJackson
19th September 2006, 10:57
I'd say it's the "wrong way" because of the extra time involved.

If the emails are PGP encrypted then they should be secure enough.

Another way is just to notify him by email that there are new orders and provide a link to an SSL part of his site to retrieve them.

DotNetWebs
19th September 2006, 11:30
I have come across a similar situation before. I think it is highly likely he is breaking his Card Scheme agreement and could be held accountable for any fraudulent losses incurred this way.

It obviously depends on his own individual agreement, but here is one example.

http://www.lloydstsbcardnet.com/existing_customer.asp

"A new application must be made for an Internet facility with Cardnet even if you have an existing Cardnet facility. When your Internet account is approved, you will be issued with a new Cardnet merchant number. This number must be used for Internet sales only. The reason for this is that all E-commerce transactions need to be identified separately in compliance with the Card Schemes' (MasterCard and Visa) Electronic Commerce Indicator (ECI)."

Ozzy
19th September 2006, 20:35
As dotnot above points out, if he checks the contract with his bank for his merchant account I would be very confident in saying it is against the terms of his contract with the bank. He would most likely need specific approval to take internet payments and/or telephone payments.

DuaneJackson
19th September 2006, 23:12
Sounds like you may have to give up your personal preference and not worry about your customer's contractual commitments (just make sure he is aware of it), and just develop what he asks for.