Payment Processors - What do I need to know if I want to accept credit cards on my website?


Question

This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments?

Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not available.

PCI Data Security, which is apparently the standard for storing credit card info, has a bunch of general requirements, but how does one implement them?

And what about the vendors, like Visa, who have their own best practices?

Do I need to have keyfob access to the machine? What about physically protecting it from hackers in the building? Or even what if someone got their hands on the backup files with the SQL Server data files on it?

What about backups? Are there other physical copies of that data around?

Tip: If you get a merchant account, you should negotiate that they charge you "interchange-plus" instead of tiered pricing. With tiered pricing, they will charge you different rates based on what type of Visa/MC is used, i.e. they charge you more for cards with big rewards attached to them. Interchange-plus billing means you only pay the processor what Visa/MC charges them, plus a flat fee. (Amex and Discover charge their own rates directly to merchants, so this doesn't apply to those cards. You'll find Amex rates to be in the 3% range and Discover could be as low as 1%. Visa/MC is in the 2% range.) This service is supposed to do the negotiation for you (I haven't used it, this is not an ad, and I'm not affiliated with the website, but this service is greatly needed.)

This blog post gives a complete rundown of handling credit cards (specifically for the UK).

Perhaps I phrased the question wrong, but I'm looking for tips like these:

  1. Use SecurID or eToken to add an additional password layer to the physical box.
  2. Make sure the box is in a room with a physical lock or keycode combination.

Accepted answer

I went through this process not too long ago with a company I worked for and I plan on going through it again soon with my own business. If you have some network technical knowledge, it really isn't that bad. Otherwise you will be better off using Paypal or another type of service.

The process starts by getting a merchant account set up and tied to your bank account. You may want to check with your bank, because a lot of major banks provide merchant services. You may be able to get deals, because you are already a customer of theirs, but if not, then you can shop around. If you plan on accepting Discover or American Express, those will be separate, because they provide the merchant services for their cards; there is no getting around this. There are other special cases also. This is an application process, so be prepared.

Next you will want to purchase an SSL certificate that you can use for securing your communications when the credit card info is transmitted over public networks. There are plenty of vendors, but my rule of thumb is to pick one that is a brand name in a way. The better they are known, the more likely your customer has heard of them.

Next you will want to find a payment gateway to use with your site. Although this can be optional depending on how big you are, the majority of the time it won't be. You will need one. The payment gateway vendors provide a way to talk to the Internet Gateway API that you will communicate with. Most vendors provide HTTP or TCP/IP communication with their API. They will process the credit card information on your behalf. Two vendors are Authorize.Net and PayFlow Pro. The link I provide below has some more information on other vendors.

Now what? For starters there are guidelines on what your application has to adhere to for transmitting the transactions. During the process of getting everything set up, someone will look at your site or application and make sure you are adhering to the guidelines, like using SSL and that you have terms of use and policy documentation on what the information the user is giving you is used for. Don't steal this from another site. Come up with your own, and hire a lawyer if you need to. Most of these things fall under the PCI Data Security link Michael provided in his question.

If you plan on storing the credit card numbers, then you had better be prepared to put some security measures in place internally to protect the info. Make sure the server the information is stored on is only accessible to members who need to have access. Like any good security, you do things in layers. The more layers you put in place the better. If you want, you can use key fob type security, like SecurID or eToken, to protect the room the server is in. If you can't afford the key fob route, then use the two-key method. Allow a person who has access to the room to sign out a key, which goes along with a key they already carry. They will need both keys to access the room. Next you protect the communication to the server with policies. My policy is that the only thing communicating with it over the network is the application, and that information is encrypted. The server should not be accessible in any other form. For backups, I use TrueCrypt to encrypt the volumes the backups will be saved to. Any time the data is removed or stored somewhere else, then again you use TrueCrypt to encrypt the volume the data is on. Basically, wherever the data is, it needs to be encrypted. Make sure all processes for getting at the data carry audit trails. Use logs for access to the server room, use cameras if you can, etc. Another measure is to encrypt the credit card information in the database. This makes sure that the data can only be viewed in your application, where you can enforce who sees the information.

I use pfSense for my firewall. I run it off a compact flash card and have two servers set up. One is a failover for redundancy.

I found this blog post by Rick Strahl which helped tremendously to understand doing e-commerce and what it takes to accept credit cards through a web application.

Well, this turned out to be a long answer. I hope these tips help.
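The last part of the answer (encrypt the card data at rest, let only the application read it, and leave an audit trail for every access) is easy to state and easy to get wrong. The following Go program is an added example, not code from the answer or from any of the products it names, showing one way to implement those three measures together: the PAN is validated with a Luhn check before anything is stored, only a masked form (first six and last four digits) and a keyed HMAC fingerprint are kept in cleartext, the full number is encrypted with AES-256-GCM with the customer ID bound as associated data so a ciphertext copied into another customer's row will not decrypt, and every store and reveal attempt is appended to an audit log. The keys, the customer ID, the actor names and the well-known test PAN `4111111111111111` are all constructed for the demo; a real deployment would fetch the keys from an HSM or key-management service and write the audit entries to a log the application cannot edit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed demo keys (NOT for real use): in production both would come from
// an HSM or key-management service, never from source code or config files.
var (
	ConstructedEncKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	ConstructedMacKey = []byte("fingerprint-key-for-demo-only")
)

// StoredCard is what a database row holds: no cleartext PAN, only the masked
// form for display, an HMAC fingerprint for lookups, and the GCM nonce+ciphertext.
type StoredCard struct {
	CustomerID  string
	Masked      string
	Fingerprint string
	Nonce       []byte
	Ciphertext  []byte
}

// CardVault is the single code path through which card data is written or read,
// so every access can be logged (the audit trail the answer recommends).
type CardVault struct {
	aead   cipher.AEAD
	macKey []byte
	Audit  []string
}

func NewCardVault(encKey, macKey []byte) (*CardVault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead, macKey: macKey}, nil
}

// LuhnValid rejects mistyped or non-numeric PANs before anything touches the vault.
func LuhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum := 0
	for i := 0; i < len(pan); i++ {
		c := pan[len(pan)-1-i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if i%2 == 1 { // every second digit from the right is doubled
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// MaskPAN keeps only the first six and last four digits, the most that should
// ever be shown to someone without a business need for the full number.
func MaskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Fingerprint lets the application find an existing card without decrypting
// every row. A plain hash would be brute-forceable over the small PAN space,
// so a keyed HMAC is used instead.
func (v *CardVault) Fingerprint(pan string) string {
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

func (v *CardVault) log(actor, action, customerID, detail string) {
	v.Audit = append(v.Audit, fmt.Sprintf("%s actor=%s action=%s customer=%s detail=%s",
		time.Now().UTC().Format(time.RFC3339), actor, action, customerID, detail))
}

// Store encrypts the PAN with AES-256-GCM under a fresh random nonce. The customer
// ID is bound as associated data, so the ciphertext is useless in any other row.
func (v *CardVault) Store(actor, customerID, pan string) (StoredCard, error) {
	if !LuhnValid(pan) {
		return StoredCard{}, errors.New("invalid card number")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(customerID))
	v.log(actor, "store", customerID, MaskPAN(pan))
	return StoredCard{CustomerID: customerID, Masked: MaskPAN(pan),
		Fingerprint: v.Fingerprint(pan), Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal is the only way to get the cleartext back. The caller states who is
// asking and why, and the attempt is logged whether or not it succeeds.
func (v *CardVault) Reveal(actor, reason string, c StoredCard) (string, error) {
	pt, err := v.aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.CustomerID))
	if err != nil {
		v.log(actor, "reveal-denied", c.CustomerID, reason)
		return "", errors.New("decryption failed: ciphertext or customer binding tampered")
	}
	v.log(actor, "reveal", c.CustomerID, reason)
	return string(pt), nil
}

func main() {
	v, _ := NewCardVault(ConstructedEncKey, ConstructedMacKey)
	c, _ := v.Store("checkout-app", "cust-42", "4111111111111111") // constructed test PAN
	fmt.Println("row:", c.Masked, c.Fingerprint[:16]+"...", hex.EncodeToString(c.Ciphertext)[:16]+"...")
	pan, _ := v.Reveal("ops-alice", "chargeback review", c)
	fmt.Println("revealed:", pan)
	for _, line := range v.Audit {
		fmt.Println(line)
	}
}
```

Two design points worth noting. The fingerprint and the ciphertext use different keys on purpose: the HMAC key only needs to be available to the lookup code, while the encryption key should be reachable from as few places as possible. And because `Reveal` takes an actor and a reason, the audit log answers the question an assessor will ask, namely who looked at a full card number and why, without the application having to reconstruct that from web server logs afterwards.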
