EKM Powershop goes crazy!

Discussion in 'Ecommerce Forum' started by Cathy, May 29, 2009.

Thread Status:
Not open for further replies.
  1. Cathy

    Cathy UKBF Newcomer Free Member

    I'm sure lots of people on here may be affected by this.

    After 5pm today we received an email from EKM informing us that our payment method would no longer be supported from 1pm on Tuesday.

    Our payment method is secure receipt of credit card details to be input into a PDQ machine. I would have thought this could be the option of choice for many sellers.

    OK, I think, I have the weekend to look at the alternatives. Not impressed at the short notice but hey ho.

    Segue to 7:11pm and I receive a further email to say that actually they've decided to remove the option at 7pm Friday!

    Now, that is seriously taking the piss.

    I'm sure I can't be the only website manager who was looking forward to a little Friday chillout time. But sadly this was not to be.

    The situation escalated quite rapidly from there. No support telephone available, no live chat support available, and then blocked out of our account totally till we can speak to them, i.e. at 9:15am tomorrow (assuming we can get through, which seems highly unlikely).

    Check out their forums. Like to post? No, not possible. Register, activate the email, but still not allowed to post.

    EKM are pretending that they only found out about PCI compliance this afternoon at 3:30pm. That is simply unbelievable.

    Choose to use this platform for your ecommerce venture with extreme caution.
     
    Last edited: May 29, 2009
    Posted: May 29, 2009 By: Cathy Member since: Dec 29, 2007
    #1
  2. cmcp

    cmcp UKBF Newcomer Free Member

    I was under the impression EKM were ordered by VISA to implement these changes.

     
    Posted: May 29, 2009 By: cmcp Member since: Jun 25, 2007
    #2
  3. AntonyChesworth

    AntonyChesworth UKBF Newcomer Free Member

    This is a decision we have been forced to make because of various customers' failure to comply with the PCI standards. Some of these customers (who cannot be named) are facing very large fines (£20,000+).

    If you continue to not comply with PCI you too could face fines of anything between £10,000 up to £80,000. Basically putting most shops out of business.

    So in an attempt to protect our shop owners from such fines we are removing the ability to do anything that could cause you to fail these guidelines and working on some other solutions to the problems.

    I would advise all ecommerce merchants (regardless of platform) to check over the PCI documentation and check you are being secure, because if you're storing card details online you may have problems.
     
    Posted: May 29, 2009 By: AntonyChesworth Member since: Apr 5, 2009
    #3
  4. Wayne-SAF

    Wayne-SAF UKBF Newcomer Free Member

    Antony. You are one of the largest providers in the UK for ecommerce shops. Why has this not been picked up before?

    I now have to post a message on my homepage explaining why customers cannot pay using their credit cards, and why this facility has been disabled without notice.

    I can see it now - "For the time being we can only accept Paypal and Google Checkout. We have had to temporarily remove our credit card facility due to security issues with our shop provider. We were given one hour's notice on a Friday afternoon before this option was removed."

    "if you have suffered credit card fraud, it wasn't our fault. Honest! Please come back and shop again soon!!"

    It doesn't look very good does it.
     
    Posted: May 30, 2009 By: Wayne-SAF Member since: Sep 17, 2008
    #4
  5. Flying Hippy

    Flying Hippy UKBF Newcomer Free Member

    Hi there,

    I was under the impression, and still am, that under the Data Protection Act it is the people that sell the hosting who are liable for the data being stored on their server, and it is their responsibility to have 2 servers with clients' stored details a few miles apart.

    If you're using a payment gateway this data will be held by the 3rd party, so you should not be in contact with this, just the delivery address of the person.
     
    Posted: Jun 1, 2009 By: Flying Hippy Member since: Sep 21, 2008
    #5
  6. sockpuppet

    sockpuppet UKBF Newcomer Free Member

    For those who are interested, there are plenty of alternatives to ekm that manage to offer this facility without any problems (some larger and some smaller than ekm) and are fully PCI compliant. If any of ekm's merchants are being hit with fines, I would take a look at the ekm website, where it rather confusingly states that they are PCI compliant when it turns out they are not, and see if you have any legal recourse against them:

    ekmpowershop.com/overview_features.asp
    ekmpowershop.com/overview_features_pcidss.asp

    I am sure that the pages will be available via Google cache / other source if (when) Anthony takes the false claims down.

    Anthony seems to be trying to blame his merchants when I suspect that it is his system that is not PCI compliant. If it was just a few merchants then why take the facility off everyone?
     
    Posted: Jun 1, 2009 By: sockpuppet Member since: Apr 9, 2009
    #6
  7. AntonyChesworth

    AntonyChesworth UKBF Newcomer Free Member

    There is a lot of confusion about PCI compliance, as this thread demonstrates. Firstly, it is up to the Merchant to be PCI compliant, not any 3rd parties... for example, if you choose to print out your username and password details it isn't HP, for making the printer, that is at fault, but you as the merchant for doing it.

    Likewise, if you choose to upload to your hosting provider a text file full of card details, it's you at fault, not your hosting provider.

    In our case we have found a few merchants who have been storing card details after authorisation (which is disallowed) so we are working to ensure all our customers are compliant to avoid them getting fines.

    If you have any questions or queries about this I would advise speaking to your bank and/or a PCI QSA registered company.
     
    Posted: Jun 1, 2009 By: AntonyChesworth Member since: Apr 5, 2009
    #7
  8. PayVector

    PayVector UKBF Newcomer Full Member

    The June 1st deadline was to deal with changes that affected all Visa types. Basically, unless your Merchant account is set up for recurring transactions, any repeat billing may decline if you submit it as an ecommerce transaction without CV2.

    The deadline was published last summer sometime. However in defense of EKM they would not be on the mailing list to receive such notifications as they would not be a card scheme member. So unless they stumbled upon the information they would have had no way of knowing about it. I am guessing last week they stumbled upon the information.

    A couple of further points here actually. First is that the deadline for ALL merchants to be PCI compliant is actually Oct 1 2009. However, if you are a service provider, be it hosting, ecom payment, etc., and you find an operational hole that is not PCI compliant and merchants are exposed, you must take immediate remedial action. Iridium in the past has had to shut down processing on a couple of Merchants, mostly because they were getting hit with large amounts of fraud, but still it was done in the end to protect them.

    OP, you have stated you were using card details that were captured online and emailed or downloaded, that would then be keyed into a physical terminal. This has long been against the rules; we're talking something like 5 years.

    I know it is being a bit harsh, but it is actually the Merchant that must know the card industry rules and make sure you are following them. Most service providers will help and give guidance, but it is ultimately the merchant who must put in the work to learn them and apply appropriate business practices to ensure you're safe.

    Hope this helps.
     
    Posted: Jun 1, 2009 By: PayVector Member since: Jan 8, 2008
    #8
  9. Flying Hippy

    Flying Hippy UKBF Newcomer Free Member

    One of the first things any IT company, or any person in a position that looks at people's addresses, should have is Data Protection Training. But this is very rare.

    3rd parties that look at the data will have to be DPA trained and stick to the rules for all staff, i.e. Google or PayPal, same for payment gateways.

    Lots of companies make mistakes when they hire external staff that have no training in DPA, and the companies themselves do not know they have to do this.
     
    Posted: Jun 1, 2009 By: Flying Hippy Member since: Sep 21, 2008
    #9
  10. awebapart.com

    awebapart.com UKBF Ace Full Member

    Very good point! Shop owners cannot simply take credit card details online and manually enter them into some other system designed for other usage, e.g. telephone or mail order cardholder not present.
     
    Last edited: Jun 1, 2009
    Posted: Jun 1, 2009 By: awebapart.com Member since: Dec 21, 2006
    #10
  11. sockpuppet

    sockpuppet UKBF Newcomer Free Member

    Anthony, I think you missed the point. I would only blame HP if they had sold me a "PCI DSS Compliant" printer (I know there's no such thing); you seem to be saying there is no such thing as a "PCI DSS Compliant" online store, even though that is the claim you have on your site.

    Also many other providers sell this exact thing, one example is volusion who have it stamped all over their site and they are a much larger provider than you.

    I can understand why people are confused; you are not helping. What does it mean when you say ekmpowershop is "PCI DSS Compliant"? Can you explain? Do you understand PCI DSS Compliance? If so, what does this claim mean?
     
    Last edited: Jun 1, 2009
    Posted: Jun 1, 2009 By: sockpuppet Member since: Apr 9, 2009
    #11
  12. PayVector

    PayVector UKBF Newcomer Full Member

    Yeah, there is a shocking amount of confusion. I wrote a blog recently on PCI confusion & myths. Seriously, most level 3 & level 4 merchants can get it done in an afternoon. It is actually an exercise we recommend all merchants go through sooner rather than later.

    Take 5 minutes and have a read : http://internetpaymentgateway.blogspot.com/
     
    Posted: Jun 1, 2009 By: PayVector Member since: Jan 8, 2008
    #12
  13. Wayne-SAF

    Wayne-SAF UKBF Newcomer Free Member

    I am an EKM user, up until the last couple of weeks on the whole a happy user, but after this weekend, far less of a happy user!!

    This is a snippet of what I posted on EKM's own forum this morning.

    EKM are nowhere near blameless on this. It's their system that has led to this, and what sits uncomfortably with me is them blaming their customers, when they don't really make it clear enough, in my opinion, that card data should not be stored.

    I for one deleted the card details the second the order is complete. It's always sat uneasy with me that EKM users have full access to card data on screen. Even bank staff don't have access to this information.

    And it still worries me that this text "For security purposes recommend you delete the credit card number once processed." is displayed on the order page.

    They are recommending it's removed, when as we found out it is compulsory/the law to remove it. Surely this text should have been updated to "Please delete the customer's card information as soon as the order is processed. This is a requirement by law." or words to that effect, but it appears to me EKM are still not on top of things. It is not something that needs to be on a list to be done; it should have been done before the EKM checkout was reinstated on Saturday afternoon.

    Although I hope not (for my sake if nothing else), I just think EKM could be leaving themselves wide open on this, by passing the buck to the customers who haven't been deleting card details while still leaving misleading text on the site. I think if challenged they could still find themselves in deep water over this issue, and that could be bad news for everyone who uses EKM.

    So while people on the EKM forum are commenting on how well they handled this, I would agree the people on the end of the phone were excellent (I've already praised Ian, who I dealt with in customer service), but I don't think we should be patting EKM as a whole on the back yet, as this whole issue should not have arisen, and I for one don't think it's over yet.
     
    Posted: Jun 1, 2009 By: Wayne-SAF Member since: Sep 17, 2008
    #13
  14. sockpuppet

    sockpuppet UKBF Newcomer Free Member

    Wayne,

    I just read the ekm forum (well, some of it; there's over 30 pages of the stuff) and I am not knocking ekm in general (but have you tried posting a link to this thread on the ekm "closed" forum? I bet it will get deleted).

    My point was just how unfair it seemed to sell someone a "PCI DSS Compliant" system and then blame the user when they get a massive fine for not being "PCI DSS Compliant", and then to top it off remove the functionality from all your users at such short notice. For what reason? Is there a problem with the system or not?

    As a merchant I would have thought a good way to protect myself against these fines was to go shopping for a "PCI DSS Compliant" piece of software (why doesn't the software simply delete the credit card details once the order has been processed?)

    Are they taking any of the responsibility or just blaming users?
     
    Last edited: Jun 1, 2009
    Posted: Jun 1, 2009 By: sockpuppet Member since: Apr 9, 2009
    #14
  15. openmind

    openmind UKBF Big Shot Full Member - Verified Business

    The very fact that the card data is stored by the software in the first place and that users even have the option to store card details is pretty worrying.

    There is absolutely no reason whatsoever for any eCommerce software to store the raw card information with the exception of the cross reference returned by the gateway to enable repeat billing.

    If a user wants to take offline credit card payments, although I could not think of a reason why, then just display a telephone number for people to call and make payment over the phone. The merchant can then use a virtual terminal to complete the transaction. Nothing needs to be stored then.
     
    Posted: Jun 1, 2009 By: openmind Member since: Sep 6, 2005
    #15
  16. DesignsOnline

    DesignsOnline UKBF Regular Free Member

    It just invites trouble storing this kind of data, and to think that there are still some "Ecommerce" websites out there that email the credit card data to the admin when orders are placed. Makes you cringe...
     
    Posted: Jun 1, 2009 By: DesignsOnline Member since: Sep 5, 2008
    #16
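An added example, not code from EKM or from any poster in this thread, illustrating openmind's point in #15 (an order record needs only the gateway's cross-reference once the card has been authorised) and DesignsOnline's in #16 (card data leaking into an order-notification email). The gateway call, the order records and the email body are constructed stand-ins; the Luhn check and the 13 to 19 digit PAN pattern are the standard ones.

```python
"""Keep only the gateway reference after authorisation, then scan stored
records and outgoing mail for anything that still looks like a card number.
Example code; gateway, records and email are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes it, most random numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit number in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Order:
    order_id: str
    amount_pence: int
    card_number: Optional[str] = None   # PAN typed at checkout, held only until authorisation
    cv2: Optional[str] = None           # sensitive authentication data: never kept after authorisation
    gateway_ref: Optional[str] = None   # the gateway's cross-reference, safe to store for repeat billing
    last4: Optional[str] = None         # enough for the merchant to identify the card


def fake_gateway_authorise(pan: str, cv2: str, amount_pence: int) -> str:
    """Hypothetical stand-in for a real gateway call; returns a reference token only."""
    return f"gw-{amount_pence}-{pan[-4:]}"


def authorise_and_scrub(order: Order, authorise: Callable[[str, str, int], str]) -> Order:
    """Send PAN and CV2 to the gateway once, then drop both from the record."""
    if order.card_number is None or order.cv2 is None:
        raise ValueError("no card data to authorise")
    order.gateway_ref = authorise(order.card_number, order.cv2, order.amount_pence)
    order.last4 = order.card_number[-4:]
    order.card_number = None
    order.cv2 = None
    return order


def audit_for_pans(texts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run find_pans over named blobs (DB rows, email bodies); return only the offenders."""
    return {name: pans for name, text in texts.items() if (pans := find_pans(text))}


# Constructed sample: an order-notification email that carries the full card number.
SAMPLE_EMAIL = "New order 1001\nName: A Customer\nCard: 4111 1111 1111 1111 Exp 12/11 CV2 123\n"


def demo() -> Dict[str, List[str]]:
    """Audit the email, the order as captured, and the order after scrubbing."""
    order = Order("1001", 4999, card_number="4111111111111111", cv2="123")
    before = repr(order)
    authorise_and_scrub(order, fake_gateway_authorise)
    return audit_for_pans({
        "email": SAMPLE_EMAIL,
        "order_before": before,
        "order_after": repr(order),
    })


if __name__ == "__main__":
    print(demo())  # -> {'email': ['4111111111111111'], 'order_before': ['4111111111111111']}
```

The scrubbed record still answers the merchant's questions (which card, which gateway transaction) without holding anything an attacker who dumps the database or the mailbox could reuse; run `audit_for_pans` over exported orders and the shop's outgoing mail to find the records that were not cleaned up.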
  17. Cathy

    Cathy UKBF Newcomer Free Member

    What we do or don't do or did do on EKM Powershop is now moot as Anthony decided to cancel our account on Saturday afternoon, seemingly because we had posted complaints about EKM's actions on Friday night, on the internet.

    We had asked for a 302 redirect to one of our other sites but instead our site was deleted.

    For anyone thinking of using EKM Powershop I suggest you read their Terms and Conditions very closely and consider why they feel the need to say this about their own services (from their Terms and Conditions)

    You would also want to take especial note of this part too

    And unlike a non-hosted solution when they do that (as they have proved they will) you lose everything, your site, the work you have put into it, your hosting, potentially your domain.

    I will point out that for us, the loss of our EKM shop is more of the nature of a minor inconvenience as it was a minor income stream for us but for many others it could be quite different.
     
    Last edited: Jun 1, 2009
    Posted: Jun 1, 2009 By: Cathy Member since: Dec 29, 2007
    #17
  18. nigelburke

    nigelburke UKBF Newcomer Free Member

    I became an EKM customer some time ago, but never set up my shop as I've never had time to develop small retail sales.

    My intention was to take card data through EKM, whizz it through my Streamline POS terminal and delete the data online. I now learn through this thread that that's been illegal for 5 years!

    But if EKM sold me the service of taking card details through their system, what exactly did they think people were going to do with the card details? Just admire them? What were they selling?

    I would like someone to unpick the references to 'storing' details. I see the difference in good faith between deleting details after processing and failing to do so. But details are actually being stored online, are they not, before processing and during processing. Has EKM's storage of the details ever been legal?

    I have to say I liked the EKM people I dealt with, but this is a cluster*uck.

    Nigel
     
    Posted: Jun 2, 2009 By: nigelburke Member since: Feb 27, 2007
    #18
  19. openmind

    openmind UKBF Big Shot Full Member - Verified Business

    Legal/illegal is a defined expression. Extremely foolish and breaching guidelines laid down by Visa and Mastercard would be better ;)

    The hoops that gateways like SagePay et al have to go through in order to process recurring transactions are numerous and exacting. Allowing customers to store card details in a database, encrypted or not, and then relying on good faith that they delete them is naive and foolish.

    Make your own mind up whose fault it is :)
     
    Posted: Jun 2, 2009 By: openmind Member since: Sep 6, 2005
    #19
  20. ICEY

    ICEY UKBF Newcomer Free Member

    I'd like to see added security measures that mean that different users have different levels of security. I have never felt comfortable with the fact that my web designer has access to my orders and that my staff processing orders have access to the design elements, as they could accidentally do untold damage. If nothing else, these last few days have confirmed that a priority has to be ensuring that there are different user levels for the administration panel. This is something I have requested numerous times, both by email, on the ekm forum (before I was banned this weekend) and by phone.
     
    Posted: Jun 2, 2009 By: ICEY Member since: May 14, 2009
    #20