On-line Payments and PCI DSS Compliance

Date post: 16-May-2015
Upload: lime-canvas
Description:
High level overview of how on-line payments work and the compliance you need to be aware of. Presented at WordPress Sydney meetup July 2013.
Transcript
Page 1: On-line Payments and PCI DSS Compliance
Page 2

The usual model

(Gateway)

Page 3

A merchant account sits in the middle between you and the bank

• PayPal, Google Wallet, WorldPay, Realex, NAB

• Annual/monthly fee

• Transaction fee % + fixed amount /transaction

• Multiple currencies?

– May require multiple merchant accounts

– Higher exchange rate (interbank rate + extra %)

Page 4

Connects your site to the merchant account

– Collects personal information: name, address etc.

– Collects payment card information

– Validates input (hopefully)

– Passes information to merchant account

– Waits for a response from merchant

– Acts on the response: success/fail/badger???

Page 5

High level – collect, validate and process user & payment information

Type 1 = Merchant collects transaction info – This is done on the merchant's own site

– Usually cheaper merchant account

– PCI compliance is *mostly* the merchant's responsibility

Type 2 = You collect transaction info – This is done on your own site

– Usually more expensive merchant account

– PCI compliance is your own responsibility

Page 6

Payment Card Industry Data Security Standard “a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.”

Who does this apply to? “PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data*.”

*not just card data

Ref: http://www.pcicomplianceguide.org/

Ref: http://www.cio.com.au/article/400300/what_pci_compliance_/

Page 7

Are you PCI compliant if you just have an SSL certificate installed? i.e. HTTPS://

Even if I have a fancy schmancy 1024-bit military grade SSL certificate?

Page 8

Are you PCI compliant if you just have an SSL certificate installed? i.e. HTTPS://

HELL NO! Not even close!

PCI compliance is a lot more than just an SSL cert.

Page 9

• Install and maintain a firewall configuration to protect cardholder data

• Do not use vendor-supplied defaults for system passwords and other security parameters. Always change vendor-supplied defaults before installing a system on your network

• Protect stored cardholder data

• Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols

• Use and regularly update antivirus software. Make sure that your antivirus software remains current and actively running

• Develop and maintain secure systems and applications

• Restrict access to cardholder data by business employees on a need-to-know basis only

• Assign a unique ID to each person with computer access

• Restrict physical access to cardholder data

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

• Maintain a policy that addresses information security

Ref: http://www.cio.com.au/article/400303/pci_compliance_checklist/

Ref: http://www.cio.com.au/article/400306/pci_compliance_requirements_aussie_businesses/
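As an added illustration (not code from the slides), here is what the gateway's "validates input" step from page 4 and the "protect stored cardholder data" requirement above look like in practice: the PAN is Luhn-checked before it goes to the merchant account, and anything that reaches a log or stored record is reduced to the PCI DSS display mask (at most first six and last four digits). The card numbers used are constructed test values, not real cards.

```python
"""Validate a PAN before it is sent on, and never let a full PAN reach a log.
Added example; the card numbers are constructed test values."""
import re

# Optional spaces or dashes between digits, 13-19 digits total.
_PAN_IN_TEXT = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: catches typos and junk, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(raw: str) -> str:
    """The gateway's 'validate input' step: normalized PAN or ValueError."""
    pan = normalize_pan(raw)
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    return pan


def mask_pan(pan: str) -> str:
    """PCI DSS display mask: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_for_log(text: str) -> str:
    """Mask every Luhn-valid PAN-looking digit run in free text (e.g. a request
    body about to be logged) so full card numbers never land in log files.
    Masking only Luhn-valid runs is a design choice; masking every 13-19 digit
    run is the more conservative option."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return _PAN_IN_TEXT.sub(repl, text)
```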

Page 10

Stripe – US & UK/Europe

– “Payments for Developers”

– No need for merchant or gateway

– API access for payment transactions

– 2.9% + 30¢ - no monthly fees

– https://stripe.com/

Page 11

Pin Payments – Australia

– No need for merchant or gateway

– API access for payment transactions

– 3% + 30c + $50/month

– Flat exchange rate of 4% + interbank rate

– https://pin.net.au/

Page 12

Both Stripe and Pin mean YOU need to be PCI compliant.

You are storing/transmitting/processing cardholder data.

Page 14

Recommended