New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
yes i know it's not your fault that you live in a particular country poor or rich one, i have just point the diference between us and i see every day "big people" talk about eguality of people , nothing more , nothing racist.
MOTO (card not present) transactions are by definition higher risk than normal transactions. This would directly translate in higher fees for you.
If you need to process a lot of transactions, it would be much better to get a physical POS terminal and charge the customers when they arrive - a normal transaction with a card and PIN code.
some of them (at least from Transilvania bank here in romania) you can put the details manually and is fully work . IF i am not wrong is need only de 16 digit +cvv2 but tumorrow i can confirm. In this case hi can ask for this details eaven is a cellular discution and mark it manually in the POS. I am sure hi can find the same solution in his country !
VOILA ! Here is the solution , where is my room @randvegeta ? i claim my bonus 2 sisters too because nekki is sleep now !
@cociu yes, it can, work, this is called a MOTO transaction. But first, it must be allowed by the card processor (your bank in your case). And second it is an increased risk, which means you will have to pay higher transaction fees (that is if their risk assessment team approves you for MOTO transactions in the first place).
I think the risks are much lower than typical transactions.
The problem with card transaction on site is that I'm not always going to be there and I normally just use a cleaning lady to collect the money and hand over the keys. Suppose I could try and get her to use a POS machine.
But I want to be able to charge cards prior to arrival. What if someone books and is a no show? Money lost...
If you book my place, I'll make sure there is plenty of lotion for you!
They are a very much higher risk.
And what if they pay and they still do no show and simply chargeback ? This is exactly why he risk is increased.
Additionally you’ll end up doing extra PCI compliance for MOTO, likely involving the penetration testing. Meh.
Using booking.com's system. Not actually storing data. Just need to input the data into a virtual terminal app. Will do it by hand, so there is nothing to penetrate. Nothing to hack (other than booking.com).
Do you know many people who book, don't show and then charge back?
This isn't hosting or something else where you can make a quick buck by scamming some 3rd party service provider.
This is actually the real world here. I have a reasonable cancellation policy in place, so as long as they cancel the booking with some advance notice, the guest can get a full refund.
I don't think there are so many people who use their own cards to make bookings they don't intend to follow through with.
What do you mean there’s nothing to penetrate ?
What device will be used for data entry ? A PC ? That’s something to penetrate. What is it going to be connected to ? Shared network ? Then you’ll end up pentesting the entire shared network, all devices, including that smart Tv, PlayStation, etc, not also pentesting but also PCI scanning. Scanning behind NAT is usually also very much more expensive.
Oh boy, you have no idea how deep hole that quickly becomes if you can’t narrow the card environment.
The moment card dat touches any device in your responsibility you’ll need over £10k per annum to deal with it, and some more to setup as the procedures have to be written, separate devices, firewalls, switches with vlan capability, etc have to be purchsed.
It’s not so easy.
If you feel this will carry lower risk feel free to find a bank that agrees with you, I wish you wholeheartedly a lot of good luck, you’ll need it. Especially in the Eastern Europe where normally when you say MOTO this ends the discussion about your new account.
And yet Booking.com collect and pass on the data? Does that not somehow breach PCI compliance?
Securing 1 machine is not difficult. How would other devices intercept the data when the connection between the device and Virtual Terminal provider is secure/encrypted? Thinking man-in-the-middle + hacked certificates?
I genuinely hate this classification. As if Eastern Europe is somehow lesser.
It absolutely does if it passes in CVV2 which cannot be stored under absolutely no circumstances in neither encrypted nor plain text form (and without CVV2 you’re likely to face a lot of bank declines especially on international transactions, not to mention even greater risk and 0 legs to stand on in case of chargeback). If it doesn’t then they push the liability to you as a merchant.
Please read the PCI 3.2 standard, then read the applicable SAQ and then let’s return to this discussion, because after I read be above in the context of my previous response I’m now confident you have, with all due respect, no solid idea of what it involves.
I'm far more interested in how Booking.com deal with this, since they are providing plain text data of guest credit card info. CVC and all!
I'm also surprised that call centers can be legal considering anyone working at a call center can just write down the info, and the calls are usually not on 'secure' or 'encrypted' channels.
In fact I wonder how can anyone really be compliant when data gets transmitted over the internet, passing through various ISP. That is certainly no more 'secure' than a typical home or office broadband.
Not to mention there are still plenty of companies that handle orders over mail, where credit card details are provide on physical paper sent in the post! Or indeed some companies requesting credit card details over E-Mail.
How does the world function!
Well, it does and one can still be compliant with the standard while dealing with MOTO, but I guess there’s no point for me to help you here, you have made your mind up. ;-).
Just ask your bank. Every bank in this world can provide you a credit card terminal. Or use AirBNB I used to rent out 5 apartments around the world and I just get the money transferred to my bank account.
Why not create something like a web shop, where the customer goes, places his order / reservation and then is redirected to checkout to some third party payment procesor site - like paypal. Then you don't have to worry about credit card details, since they will never reach your systems.
Huh? What?
I wasn't denying what you were saying, nor making any critical comments towards you at all.
I wanted to raise some legitimate points because it certainly seems that it would be extremely difficult for anyone to be properly PCI compliant!
Consider that most hotels take CC data, INCLUDING the CVV. As I have mentioned, booking.com collect, store and pass on the data to the hotels (hosts). This sounds like it should NOT be PCI compliant, so I am wondering how they are able to do this.
You also bring up having to pentest a whole local network, in addition to the machine that will be used to input the data into a Virtual Terminal service, and yet this surprises me because I fail to see how a local network would be any less secure than a public network. Not to mention, service like Paypal, you can login to from any device and from any IP. If they offer a Virtual Terminal service, do they limit access by machine and IP? If not, that is somewhat surprising as I don't understand what the point would be to test 1 device when any arbitrary device (including a public computer in a coffee shop) could be used.
This is not a criticism of you. I am not saying you are wrong. These are genuine, and legitimate concerns.
Our LT company already has a card machine, but I don't think it can be used as a terminal for card not present transactions. Even if it could, my apartment rental is not part of the company so I could not really use it for non-company related stuff. Even if I could, VAT would be applicable, which it should not be.
I already do use AirBNB. But most bookings come through booking.com. AirBNB really isn't that great if you're a host trying to get your place fully booked. Booking is far larger and refers far more people. That's why they can command a massive 15% commission on every booking!
The point is that Booking are the ones collecting card data. I could create a page and send it to the guests prior to arrival, but since 'enabling' credit card payment via booking.com, the guests are inputting their CC info into the booking.com system. Booking then send it to us for processing. So getting people to pay through PP or some other gateway won't solve that problem unfortunately.
Companies like SumUp and iZettle takes EU merchants too (I think). 2.5% fee for CNP transactions.
EDIT: oops @WebProject mentioned that also
You can do it offline if you own the credit card company and offline is next to your database to validate the authorization.