offline processing - the basics

product9 Member
in Help edited December 2008
This is a very basic question... Offline processing seems like the way to go for my client's store. (A photographer who sells custom posters and photos.) They already have a merchant account/terminal they'd like to use. With offline processing (here's the basic part), do they need to use one of the FoxyCart supported merchant accounts? Or can they use any merchant account?

From what I gather in another thread, the credit card info is encrypted and stored on the FoxyCart server, to be accessed by the store owner later on. And one downside is that some merchant security features are bypassed.
Comments
  • luke FoxyCart Team
    Offline processing means you're not going through a merchant account directly via FoxyCart, so you can use any merchant account you want (it doesn't have to be supported by FoxyCart since we aren't actually connecting to a gateway at all). They can use any merchant account. Your client will have to be PCI compliant, however, in order to view the customer's payment card information.

    As for the security features, the CVV2 will not be available since we're not allowed to store that information.
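The retention rule Luke describes (the full card number may be kept for the merchant to key in later, the CVV2 may not) is the one PCI DSS spells out under Requirement 3: sensitive authentication data such as the CVV2, magnetic-stripe track data and PIN blocks must never be stored after authorization, the PAN must be masked when displayed (at most the first six and last four digits) and must be rendered unreadable wherever it is stored. The following Python is an added example, not FoxyCart code and not part of this thread, showing what an offline-processing record is allowed to keep. The field names (`pan`, `cvv2`, `expiry`, `name`), the sample checkout, and the `encrypt_pan` callable are assumptions; the card numbers are the usual publicly known test numbers, not real cards.

```python
"""What an offline-processing record may retain from a checkout.

Constructed example. Field names, sample data and the `encrypt_pan`
callable are assumptions for the demo, not a real store's schema.
"""
import re

# Sensitive authentication data: must not be stored after authorization
# (PCI DSS Requirement 3). Matched case-insensitively against incoming keys.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc", "cvc2", "cid", "track1", "track2",
                         "pin", "pin_block"}

# Constructed checkout payload (test card number, not a real card).
SAMPLE_CHECKOUT = {
    "name": "Jane Example",
    "pan": "4111-1111-1111-1111",
    "expiry": "12/09",
    "cvv2": "123",
}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on a 13-19 digit PAN (catches typos, not fraud)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four at most (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_stored_record(checkout: dict, encrypt_pan):
    """Return (record, dropped_fields) for persistence.

    Uses an allow-list: only name, expiry, masked PAN and the PAN as
    rendered unreadable by `encrypt_pan` (a vetted cipher or tokenizer
    supplied by the caller) are kept.  Everything else, in particular the
    CVV2, is discarded and reported in `dropped_fields`.
    """
    pan = re.sub(r"[\s-]", "", checkout["pan"])
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    dropped = sorted(k for k in checkout if k.lower() in SENSITIVE_AUTH_FIELDS)
    record = {
        "name": checkout["name"],
        "expiry": checkout["expiry"],
        "pan_masked": mask_pan(pan),
        "pan_encrypted": encrypt_pan(pan),
    }
    return record, dropped


# 13-19 digit runs, optionally separated by spaces or dashes, not embedded
# in a longer digit string.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid PAN in free text (log lines, order e-mails).

    The Luhn check keeps timestamps and order numbers from being masked.
    """
    def repl(m):
        pan = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(pan) if luhn_valid(pan) else m.group(0)
    return _PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    # Stand-in for the demo only: this is NOT encryption.  A real store must
    # use strong cryptography or tokenization here (PCI DSS 3.4).
    record, dropped = build_stored_record(
        SAMPLE_CHECKOUT, encrypt_pan=lambda pan: "<ciphertext>")
    print("stored:", record)
    print("dropped before storage:", dropped)
    print(redact_pans("checkout 42 card 4111 1111 1111 1111 exp 12/09"))
```

The allow-list is the important design choice: a record built from "everything except the CVV2" silently keeps whatever new field a checkout form grows later, while a record built from named fields cannot. `redact_pans` is worth running over anything the store writes to disk or mails to itself, since order notifications and debug logs are the usual places a full PAN leaks into scope.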
  • brett FoxyCart Team
    Also on the security note: Like Luke said, it bypasses the gateway entirely, so you're not getting any of the standard gateway anti-fraud controls (like denying Ghanaian and Nigerian IPs, confirming that the CC# is active, etc.).
  • OK, thanks for the quick response. I wanted to be sure I could tell my client they can keep their current merchant account and still use FoxyCart. (Hopefully they will transition to a supported one in the future)

    Any tips on PCI compliance?
  • brett FoxyCart Team
    ControlScan has a "1-2-3" program, but the actual compliance is self-certified (for most smaller merchants). You can get more info (and the forms) here:
    https://www.pcisecuritystandards.org/

    There are others in addition to ControlScan too. Google has a bunch. We don't have anything we recommend at this point, but if you'd care to share your experiences I'm sure others would be grateful.
  • Yeah, the PCI compliance looks intimidating at first... but I did find a nice summary from your link.
    Maybe not the easiest for a little old lady to implement, but it is more understandable than some of the PCI stuff I've been looking at.

    https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

    "Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes

    Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security "