Merchant fees & PCI compliant question?

Hey all

I'm pretty new to the world of ecommerce. Having now built my website including shopping cart, I'm looking into merchant accounts and payment processors and I'm just after some final advice please?

1) Merchant account - Streamline have offered the following:

setup fee - £150
2% visa credit 2.5% mastercard 3.1% Amex (first £5k 1.5%) and then reset
debit maestro solo 28p visa delta electron 29p
jcb 2.35%
commercial cards 3.2%
minimum monthly service charge £15

Does this sound competitive? Is it possible to negotiate the rates? (FYI I am selling clothing with a 24hr delivery and projected turnover of between £30/£40k p/a).

2) Payment processor - I'm thinking Sage Pay offers the best in terms of value etc. and integrates with my Interspire shopping cart. I already have a shared SSL with my hosting company and I'm not sure whether to go with "Form Integration" or "Direct Integration" (FYI Server Integration doesn't appear to be supported/available with Interspire). Any suggestions/pros and cons would be greatly appreciated as I am a one-man band and, as said previously, pretty new to this game.


Many, many thanks in advance :)
 
I'm new to this too, but I'm interested in the advice you get. I haven't fully created my business yet, I have incorporated it, I have got a business bank account, but I know I'll need card processing.

As far as the two options above go, I am a little confused, as it would seem that both Streamline and SagePay offer the same services, i.e merchant accounts and internet processing?

Have I misunderstood how it all works?
 
Red Eye Media

Sagepay are going to be your best bet as they are easier to integrate into a website and the last time I checked, they charge a flat monthly fee which will reduce your costs when you reach any kind of volume.

In regards to PCI DSS compliance, let Sagepay handle the credit cards and you won't need to be concerned about this.

Form integration is the one you want as it takes the customer to Sagepay's SSL checkout pages, so another saving on SSL certificates.

I hope this helps
 

davidakerr

The FSB/Streamline deal is better than the rates you quoted. Check out their Business Gateway 350 e-commerce service. This deal accepts all major credit and debit cards plus add-on PayPal as an extra payment method for no extra cost. These rates are available to FSB members... might be worth a look.
 

limessl

Form integration is the one you want as it takes the customer to Sagepay's SSL checkout pages, so another saving on SSL certificates.

I hope this helps

SSL certificates aren't actually "expensive", but for PCI compliance you very very likely won't be able to use shared web hosting, which many small businesses do, and getting an alternative solution is what generally costs more money.
 
The FSB/Streamline deal is better than the rates you quoted. Check out their Business Gateway 350 e-commerce service. This deal accepts all major credit and debit cards plus add-on PayPal as an extra payment method for no extra cost.

Is there any chance of listing the figures please, having a bit of a nightmare trying to get much sense from the FSB at the moment, really appreciate it

Thanks
 
Just checked out the FSB 350 deal and I've been told this refers to the payment processor part ONLY (with worldpay) and no merchant number:

350 transactions per month for £18.95 plus VAT and no merchant number

Is this correct??
 

limessl

I've been offered the full internet gateway/merchant account with HSBC for £20 a month, £50 set-up fee, and 2% for credit cards and 35p for debit cards. That's for a complete start-up with no trading history (although I've had an HSBC account for over 12 months).
 
davidakerr

Oatz
Don't quite understand what you mean... No merchant number? Once you have been accepted by Streamline they will issue a merchant number to you, which is your ID with RBS WorldPay. Can you explain further what you mean in case I haven't picked you up right.
 
Hi David
What I mean is the offer known as FSB 350 refers to the payment-processing stage only and is not an all-encompassing merchant account plus payment processor package; it's £18.95 all in for 350 transactions. You still have to pay the merchant number costs on top.
 
Oatz
Don't quite understand what you mean... No merchant number? Once you have been accepted by Streamline they will issue a merchant number to you, which is your ID with RBS WorldPay. Can you explain further what you mean in case I haven't picked you up right.

From reading other threads I was under the impression the fsb 350 for £18.95 +VAT per month deal was a merchant number deal and was not a payment processing deal. This is correct, no?
 

davidakerr

I think I know what you mean... most e-commerce transactions will have a payment processing charge and a charge for providing the "gateway". The PPCs vary from provider to provider, although it may be that PayPal have the cheapest overall costings, but maybe not the best in terms of service.

The FSB/RBS WorldPay Business Gateway 350 deal is for providing the gateway (£18.95 + VAT), but the PPCs, as an FSB member, are probably better than other providers' if using RBS WorldPay.
 

DS-UK

I've been offered the full internet gateway/merchant account with HSBC for £20 a month, £50 set-up fee, and 2% for credit cards and 35p for debit cards. That's for a complete start-up with no trading history (although I've had an HSBC account for over 12 months).

I would bite their hand off, as we pay that based on putting over £120k through our Barclays deal. We use Sage Pay and Barclays.
 

stuart-193

We're with SagePay and Barclays but because of how we're integrated we still had to pay for the PCI compliance - frankly just another way of scamming circa £200 from small businesses.
Yes - but it's all a scam, as they are forcing us to be responsible for their security - consider this:

We have to keep the credit card details for each transaction - this we are told is because the customer's details may again be required by us (e.g. to issue a refund, etc.) when actually it is the card issuer that may be questioned on the validity of the sale - in which case they need the ACTUAL PAPERWORK INVOLVED - i.e. the sales slip printed from your card machine. With this information, they can verify that the security (PIN) was entered correctly at point of sale and this gets them off any legal hook for responsibility for any fraud. This means we have to store that data under the law and within the guidelines of the Data Protection Act and the Privacy Act.

PCI DSS compliance is an industry regulation which sets out guards against security breaches for user information which could end up in fraud. It is the responsibility of the card issuers to enforce the self regulation - so, in true bankers style, they have added this little thing to our contracts WITHOUT our permission and made it our responsibility to secure the information taken (which indeed they need for their own security and we don't need at all) by their machine. The interesting thing is they have shoved all legal responsibility for their data onto us .. which incidentally could be viewed as a breach of several Acts protecting the public and businesses against such practices.

To answer the OP's question - you only have to have a compliant web site if you store or transmit the sensitive security details for any CREDIT CARD. For the avoidance of doubt, this means CVV number, PIN and main account number. It also includes the transmission of this data TO AND FROM your computer - so if you use something like WorldPay or any site which keeps that data for you, and then you enter it into your card machine, you are responsible for that method of data collection being secure upon RECEIPT AT YOUR COMPUTER (i.e. you should be in a secure place when reading the data and ensure the destruction of it following use).

NO shared server can pass a PCI test. Ports to databases open and close with potential security leaks. This includes VPS and normal simple hosting packages, reseller or otherwise no matter what the platform. A secure server certificate does not affect the ports, so compliance cannot be gained by this alone. You need a completely private server really.

My advice - unless you want to use a process like SecPay or Sage or WorldPay etc., where you pay a yearly/monthly fee, check out googlecart or PayPal as, depending on the amount of transactions you process from your web site, these can actually work out much cheaper and they are by their very nature totally compliant.

Hope this helps
 

stuart-193

No shared host can pass PCI? My own hosts seem to disagree with that...

I'm using VPS and I went with EUKHost purely because I understood that it'll pass a VPS test. I've not had to have the testing done yet but I'll give you the results when I do!

Yes, I'd be interested. In theory a VPS still shares the server, so ports to shared resources still open and close - whilst I was under the impression they won't pass as a result of this, to be honest I have never had one. I've always had a dedicated server for my own sites, but I do have a reseller account on a shared server and that definitely wouldn't pass. Still, not a problem if you're not storing the sensitive data.

Having said that, one of my clients sites failed because she had a buy it now link to paypal on the site - they didn't like that at all. When she removed it, so it was no longer able to sell anything at all directly, it passed on the shared server.
 

kulture

It is annoying to find so many different PCI "experts" posting their opinions as "facts". Things like "no shared hosting can pass PCI compliance scans".

There is also the often quoted assumption that all there is to PCI compliance is passing a scan. This is simply not true.

First the scan. I have a shared hosting account and it passes PCI scans, and has passed for over a year now. That said, as the PCI standards keep changing as they are being phased in, I suspect that it will be harder for shared hosting accounts to continue passing PCI scans. In the pipeline (in the US) the requirements for having card information stored behind firewalls and on a separate machine etc. make PCI compliance very expensive for the larger retailers.

To be PCI compliant you have to be able to correctly and properly answer questions on a PCI questionnaire. The list of questions asked, and the procedures you should put into place, depend on the number of transactions you do in a year and whether you store credit card details in any way.

If you use Sage Pay Form, or the Sage Pay Server interface, then your web site does not see credit card information. It does not store credit card information even temporarily. This means you get to fill in the simplest questionnaire and don't really need a scan, and are PCI compliant. So you can be PCI compliant on a shared hosting account.

If you use the Sage Pay Direct interface, then the card details are being stored on your server, if only temporarily. This does mean you need to have your site pass the scan. This MIGHT in the future mean you have to move off shared hosting. It might in the future put even more restrictions on you, one of these being that your "payment application" is an approved PA-DSS payment application. The hoops that this means could cost thousands.
     

stuart-193

It is annoying to find so many different PCI "experts" posting their opinions as "facts". Things like "no shared hosting can pass PCI compliance scans".

OK, good for you that yours passed. In theory, if database ports open and close for shared resources then it doesn't fit the criteria required. That is a fact, not mine, but the testing companies' that my clients have used. If I still have the emails I'll post one of them. They apparently show lenience if you are not storing sensitive data, but then there's no need for the test. We assume if you are on this thread then you intend to store sensitive data, as then you will require a data storage test, in which case the likelihood is your site won't pass for the reasons already stated.

There is also the often quoted assumption that all there is to PCI compliance is passing a scan. This is simply not true.

Again, this thread assumes you want to store the sensitive data. Then you need to pass the test (unless you want to risk it). If you don't store sensitive data then there is obviously no need for you to put your site through any test. Hence you can correctly fill in the form.

FYI, I'm no expert in PCI but I'm forced to deal with the fallout when my clients' sites on my shared server fail. If they asked me BEFORE they paid for the test, then I would be able to give them the info I have posted, which is basically what I have been told by the companies who are doing the tests. I know this about a shared server. There's someone else who's going to post the result from a VPS. I thought these "facts" might help someone, but clearly it's just annoyed you, from the tone of your post.
     

limessl

When you say "store" do you mean, for example, a site like Amazon where you can opt to keep your credit card details on file, or does "store" include a site where the card details are temporarily held using $_POST and then deleted once they've been transmitted to the payment gateway?

I was planning on going down the second route. I see no real value in allowing clients to store their card details, to be honest - if I have a regular client I'd probably set them up with a credit account and sort payments that way.
     

kulture

Stuart, I feel that you need to read my post properly before you comment. First I stated that the supposition that a shared hosting site cannot pass a PCI scan is untrue. The simple fact is that I have several shared hosting sites and all have passed PCI scans. I am sorry that yours and your clients' have not. I don't know what my host did to fix the server to allow the sites to pass, but they did.

Secondly I stated that it is a misconception that many seem to have that all you need do to be PCI compliant is pass a PCI security scan. A PCI scan is only one requirement and there are many others. Nowhere in my post did I say if I did or did not store credit card details.

Limessl, you have asked the big question. What is meant by store? To be honest I do not know. I know that there are many pundits on the internet who say that even holding the card data temporarily is considered storing it. Your best bet is to ask the opinion of whatever company you choose to use to audit you and say whether you are PCI compliant.

If you turn the question around however and ask what would happen if your server was compromised, then the fact that your server sees the credit card data means that there is a potential vulnerability. Using an interface like the Sage Pay Server interface removes this potential vulnerability.
     
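Kulture's point above (a Form or Server integration means the card data never reaches your web site, while a Direct integration puts it on your server even if only in $_POST for a moment, which is what limessl is asking about) is easiest to see in terms of what ends up in your own logs. What follows is an added example, not code from this thread and not Sage Pay's API; the log lines, the field names (card_number, VendorTxCode, Last4) and the URLs are constructed for illustration, and the card numbers are the public Visa, Mastercard and Amex test numbers. It goes a little beyond the thread by giving a general Luhn-filtered PAN scanner you can run over any access or application log to confirm your server is out of scope, plus a masking routine (first six, last four) for the cases where it is not.

```python
# Added illustration, not from the thread and not Sage Pay's API.
# Field names, URLs and log lines below are constructed for this example.
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real PAN satisfies. It filters out order
    numbers and other long digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Every Luhn-valid PAN in one line of text, separators removed."""
    return [
        _digits(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group()))
    ]


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form."""
    def repl(m):
        d = _digits(m.group())
        return mask_pan(d) if luhn_ok(d) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """(line index, masked PAN) for every PAN found. An empty list is what you
    want from a server that only ever sees the gateway's callback."""
    return [(i, mask_pan(p)) for i, line in enumerate(lines) for p in find_pans(line)]


# Constructed sample log lines (hypothetical field names).
DIRECT_LOG = [
    # "Direct"-style checkout: the card form is POSTed to your own server and a
    # debug statement writes the whole body to disk. PAN, CVV and expiry now
    # live in your logs, so the server is firmly in PCI DSS scope.
    "2010-03-14 10:02:11 DEBUG POST /checkout body=card_number=4111111111111111&cvv=123&expiry=0512&amount=49.99",
    # Same mistake via a GET: the PAN lands in the web server's access log.
    '10.0.0.5 - - [14/Mar/2010:10:03:40 +0000] "GET /pay?pan=5555-5555-5555-4444&amt=20.00 HTTP/1.1" 200 512',
]
HOSTED_LOG = [
    # Hosted-page ("Form"-style) checkout: the customer typed the card on the
    # gateway's page; all that comes back is a status, your own order
    # reference and the last four digits. The 16-digit order reference fails
    # the Luhn check, so it is correctly not reported as a PAN.
    "2010-03-14 10:05:02 INFO gateway callback VendorTxCode=ORD-1234567890123456 Status=OK Last4=4444 Amount=49.99",
]

if __name__ == "__main__":
    print("direct integration:", scan_log(DIRECT_LOG))   # two PANs found
    print("hosted page       :", scan_log(HOSTED_LOG))   # []
    for line in DIRECT_LOG:
        print(scrub(line))
```

Run it over a day of real access and application logs (and, for a Direct integration, over any debug output your cart writes) before filling in the self-assessment questionnaire; a hit means cardholder data is being stored, whatever the integration was supposed to do. The masking is only for logs you must keep; it is not a substitute for keeping the PAN off the server in the first place.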
What is meant by store? To be honest I do not know. I know that there are many pundits on the internet who say that even holding the card data temporarily is considered storing it.

There are two issues here:

1. Store means permanent store. You are allowed to store card data; however, the DSS Assessment Procedures require you to only store card data when absolutely necessary, and when stored, it must be encrypted.

2. The scan is to ensure that any computer that handles cardholder data is adequately protected by a firewall.

Full PCI compliance assessment may involve other factors such as working practices at the site where cardholder data is handled.
     
I'm new to this too, but I'm interested in the advice you get. I haven't fully created my business yet, I have incorporated it, I have got a business bank account, but I know I'll need card processing.

As far as the two options above go, I am a little confused, as it would seem that both Streamline and SagePay offer the same services, i.e. merchant accounts and internet processing?

Have I misunderstood how it all works?

Sagepay can just be a credit card processor, or credit card processor and the merchant account. In most cases people stay with their business bank for merchant services, but that is not necessary.

Streamline is just a merchant account provider, I think. Their main partner is WorldPay, but they can hold on to your money for a very long time after each transaction (just ask them for their retention times!).

From my experience Sagepay works very well with osCommerce. There is a first 3 months free deal here: eshopfitters.co.uk

promo code: Eshop3M

Enjoy :)
     

limessl

There are two issues here:

1. Store means permanent store. You are allowed to store card data; however, the DSS Assessment Procedures require you to only store card data when absolutely necessary, and when stored, it must be encrypted.

2. The scan is to ensure that any computer that handles cardholder data is adequately protected by a firewall.

Full PCI compliance assessment may involve other factors such as working practices at the site where cardholder data is handled.

Alan - that's really good to know, as I'm not going to store card data for any longer than it takes to complete the transaction. I have read up on the issues about the non-IT side of compliance but they do not appear to be problematic for my business set-up.
     
Alan - that's really good to know, as I'm not going to store card data for any longer than it takes to complete the transaction. I have read up on the issues about the non-IT side of compliance but they do not appear to be problematic for my business set-up.

However, if you have computers that are in any way handling card data, then you are going to need a network scan.
     