Payment Processors - What do I need to know if I want to accept credit cards on my website?


Question

This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments?

Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not available.

PCI Data Security, which is apparently the standard for storing credit card info, has a bunch of general requirements, but how does one implement them?

And what about the vendors, like Visa, who have their own best practices?

Do I need to have keyfob access to the machine? What about physically protecting it from hackers in the building? Or even what if someone got their hands on the backup files with the SQL Server data files on it?

What about backups? Are there other physical copies of that data around?

Tip: If you get a merchant account, you should negotiate that they charge you "interchange-plus" instead of tiered pricing. With tiered pricing, they will charge you different rates based on what type of Visa/MC is used, i.e. they charge you more for cards with big rewards attached to them. Interchange-plus billing means you only pay the processor what Visa/MC charges them, plus a flat fee. (Amex and Discover charge their own rates directly to merchants, so this doesn't apply to those cards. You'll find Amex rates to be in the 3% range and Discover could be as low as 1%. Visa/MC is in the 2% range.) This service is supposed to do the negotiation for you (I haven't used it, this is not an ad, and I'm not affiliated with the website, but this service is greatly needed).

This blog post gives a complete rundown of handling credit cards (specifically for the UK).

Perhaps I phrased the question wrong, but I'm looking for tips like these:

  1. Use SecurID or eToken to add an additional password layer to the physical box.
  2. Make sure the box is in a room with a physical lock or keycode combination.

Answer

I went through this process not too long ago with a company I worked for, and I plan on going through it again soon with my own business. If you have some network technical knowledge, it really isn't that bad. Otherwise you will be better off using PayPal or another type of service.

The process starts by getting a merchant account set up and tied to your bank account. You may want to check with your bank, because a lot of major banks provide merchant services. You may be able to get deals because you are already a customer of theirs, but if not, then you can shop around. If you plan on accepting Discover or American Express, those will be separate, because they provide the merchant services for their cards; there is no getting around this. There are other special cases also. This is an application process, so be prepared.

Next you will want to purchase an SSL certificate that you can use to secure your communications when the credit card info is transmitted over public networks. There are plenty of vendors, but my rule of thumb is to pick one that is a brand name, in a way. The better known they are, the more likely your customer has heard of them.

Next you will want to find a payment gateway to use with your site. Although this can be optional depending on how big you are, the majority of the time it won't be. You will need one. The payment gateway vendors provide a way to talk to the Internet gateway API that you will communicate with. Most vendors provide HTTP or TCP/IP communication with their API. They will process the credit card information on your behalf. Two vendors are Authorize.Net and PayFlow Pro. The link I provide below has some more information on other vendors.

Now what? For starters, there are guidelines on what your application has to adhere to for transmitting the transactions. During the process of getting everything set up, someone will look at your site or application and make sure you are adhering to the guidelines, like using SSL, and that you have terms of use and policy documentation on what the information the user gives you is used for. Don't steal this from another site. Come up with your own; hire a lawyer if you need to. Most of these things fall under the PCI Data Security link Michael provided in his question.

If you plan on storing the credit card numbers, then you had better be prepared to put some security measures in place internally to protect the info. Make sure the server the information is stored on is only accessible to members who need to have access. Like any good security, you do things in layers. The more layers you put in place, the better. If you want, you can use key fob type security, like SecurID or eToken, to protect the room the server is in. If you can't afford the key fob route, then use the two-key method. Allow a person who has access to the room to sign out a key, which goes along with a key they already carry. They will need both keys to access the room. Next you protect the communication to the server with policies. My policy is that the only thing communicating with it over the network is the application, and that information is encrypted. The server should not be accessible in any other form. For backups, I use TrueCrypt to encrypt the volumes the backups will be saved to. Any time the data is removed or stored somewhere else, then again you use TrueCrypt to encrypt the volume the data is on. Basically, wherever the data is, it needs to be encrypted. Make sure all processes for getting at the data carry audit trails. Use logs for access to the server room, use cameras if you can, etc. Another measure is to encrypt the credit card information in the database. This makes sure that the data can only be viewed in your application, where you can enforce who sees the information.

I use pfSense for my firewall. I run it off a CompactFlash card and have two servers set up. One is for failover, for redundancy.

I found this blog post by Rick Strahl, which helped tremendously in understanding e-commerce and what it takes to accept credit cards through a web application.

Well, this turned out to be a long answer. I hope these tips help.
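The answer above recommends encrypting the card numbers in the database so that only the application can read them, and keeping an audit trail of access that never exposes the full number. As an added example (not code from the question, the answer, or any library or vendor named on this page), the following Go program shows what that looks like at the field level: a Luhn check rejects garbage before it reaches the cardholder-data store, AES-256-GCM from the standard library seals the PAN with a random nonce, the customer ID is bound as associated data so a ciphertext copied onto another customer's row fails to decrypt, and only a masked form is ever written to logs. The 32-byte key, the customer IDs and the card number `4111111111111111` are constructed test values; in practice the key would be fetched from an HSM or key-management service rather than generated next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// luhnValid checks the PAN check digit (ISO/IEC 7812). Rejecting junk before
// encryption keeps non-card data out of the cardholder-data store.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// maskPAN is the only form that may appear in logs, audit trails or screens.
func maskPAN(pan string) string {
	if len(pan) < 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// encryptPAN seals the PAN with AES-256-GCM under a 32-byte key and binds the
// customer ID as associated data. Output layout: nonce || ciphertext || tag.
func encryptPAN(key []byte, customerID, pan string) ([]byte, error) {
	if !luhnValid(pan) {
		return nil, errors.New("invalid PAN")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(customerID)), nil
}

// decryptPAN reverses encryptPAN; any tampering or a mismatched customer ID
// makes the GCM tag check fail and no plaintext is returned.
func decryptPAN(key []byte, customerID string, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Hypothetical key: in production it comes from an HSM/KMS, not the DB host.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := "4111111111111111" // constructed Luhn-valid test number
	blob, err := encryptPAN(key, "cust-42", pan)
	if err != nil {
		panic(err)
	}
	// Audit line carries the masked PAN only.
	fmt.Printf("audit: stored card %s for cust-42 (%d bytes ciphertext)\n", maskPAN(pan), len(blob))
	_, err = decryptPAN(key, "cust-99", blob)
	fmt.Println("decrypt under wrong customer fails:", err != nil)
}
```

Binding the row's customer ID as associated data is what stops a database user with write access from "moving" an encrypted card onto a customer they control; the key itself should live outside the database host so that a copied backup (the scenario the question raises) yields only ciphertext.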

