Sun May 31 2009 22:02:48
eBay Checkout, Merchant Accounts and PCI Compliance
By: Ina Steiner
Last Monday, I wrote about an issue affecting sellers with merchant credit card accounts, and in particular about a seller who had a question regarding eBay's Payflow Gateway Service. Sellers who have a credit card merchant account and wish to use eBay Checkout must use the Payflow Gateway service in order to allow buyers to enter their credit card information directly in eBay Checkout.
I asked PayPal some follow-up questions.
Is the eBay Payflow Gateway PCI compliant?
Yes. The Payflow Gateway is PCI compliant.
Will eBay Payflow work with web payments pro, and what are the consequences if not?
At this time it does not. However, eBay is working on completing the implementation.
I also wanted to get more information about the circumstances under which such a merchant would choose not to use eBay Checkout if they weren't using an authorized eBay Third Party Checkout system. This is especially timely in light of the fact that some vendors are discontinuing Third Party Checkout, including Infopia and eBay ProStores, due to upcoming changes eBay is making on June 15.
PayPal spokesperson Charlotte Hill said, "We allow buyers to enter their credit card information directly and securely in eBay checkout. This is an optional feature. Merchants can continue to have buyers email / fax / call them with CC numbers outside of eBay checkout. We recommend that they switch to the Payflow integration because it will be more convenient and secure for buyers, and faster and more efficient for sellers. But we're giving them the option."
So merchants who choose not to use eBay Checkout can instead process credit cards manually. Is that feasible for the majority of sellers who have merchant credit card accounts given the extra steps required to collect and manually process credit card numbers? I contacted the merchant who originally alerted me to the issue in Monday's article. Apparently he uses Infopia, which will no longer support eBay Third-Party Checkout as of June 15. Can this merchant take credit card numbers over the phone or via fax? "We do not have the time to process orders like that and it runs completely counter to the purpose of the Web as a commercial medium."
It's important for merchants who choose not to use a checkout system on eBay to understand the legal and PCI DSS requirements around collecting and storing credit card information.
Bob Russo, General Manager of the PCI SSC, said, "Companies cannot store unencrypted credit card data, CVV codes, pin codes/numbers or any magnetic stripe data. The PCI DSS does not permit using email or other end user messaging technologies to transmit unencrypted cardholder data. This is outlined in requirement 4.2.
"Anywhere cardholder data is stored, transmitted or processed it must be protected by the requirements of the DSS. The DSS mandates not storing cardholder data unless critically necessary and rendering any stored account data unreadable through hashing or encryption.
"Merchants may choose to accept or process card data via fax or phone, providing it is protected upon transcription and storage in accordance with the DSS. For example, requirement 9 provides a host of controls to protect access to cardholder data such as securing any paper records that may contain cardholder data."
Note that there are state and federal privacy laws that encompass the storage of unencrypted data, so even if you take phone and fax orders and not email orders (which are prohibited by PCI DSS standards, according to Russo), you must be careful about how you store that data after you process the payment! (See more information on the Better Business Bureau website.)
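To make Russo's two points concrete for a seller who takes orders by phone or fax, here is an added illustration in Python (it is not code from eBay, PayPal or the PCI SSC, and the sample fax transcription, the order fields and the `hash_key` are constructed for the example). It does two things: scans free text such as an email body for anything that looks like a card number, which is the data requirement 4.2 says must not travel unencrypted over email, and builds the record that may be kept after authorisation, with the card number truncated and replaced by a keyed hash and the CVV, PIN and magnetic-stripe fields refused outright.

```python
"""Added example: defensive handling of card data taken outside eBay Checkout.

scan_for_pans()  flags digit runs of card length that pass the Luhn check, so a
                 merchant can catch cardholder data in email or ticket text.
record_order()   keeps only what PCI DSS allows on file: a truncated PAN plus a
                 keyed hash, and no CVV, PIN or track (magnetic stripe) data.
"""
import hashlib
import hmac
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data: must never be stored after authorisation.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track1", "track2")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pans(text: str) -> list:
    """Return every card-length digit run in `text` that passes Luhn."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four digits; the rest is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def refusal_reason(order: dict):
    """Name the first sensitive-authentication field present, or None."""
    for field in SENSITIVE_AUTH_FIELDS:
        if order.get(field):
            return field
    return None


def record_order(order: dict, hash_key: bytes) -> dict:
    """Build the record that may be kept on file after the payment is processed.

    `hash_key` is a merchant-held secret (assumed to come from a key store).
    A keyed hash is used because the space of valid 16-digit PANs is small
    enough that an unkeyed hash of a PAN can be reversed by enumeration.
    """
    reason = refusal_reason(order)
    if reason is not None:
        raise ValueError("refusing to store sensitive authentication data: " + reason)
    pan = re.sub(r"[ -]", "", order["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    return {
        "customer": order["customer"],
        "amount": order["amount"],
        "pan_masked": mask_pan(pan),
        "pan_hmac": hmac.new(hash_key, pan.encode(), hashlib.sha256).hexdigest(),
    }


# Constructed sample: a transcribed fax. 4111 1111 1111 1111 is a well-known
# test number; the "reference number" is one digit off and fails Luhn.
SAMPLE_FAX = """Order from J. Example, phone 555-010-2222.
Card: 4111 1111 1111 1111 exp 12/11, CVV 123.
Reference number 4111111111111112 (not a card)."""

if __name__ == "__main__":
    print("card numbers found:", scan_for_pans(SAMPLE_FAX))
    order = {"customer": "J. Example", "amount": "49.95",
             "pan": "4111 1111 1111 1111", "cvv": ""}   # CVV discarded after auth
    print(record_order(order, hash_key=b"constructed-example-key"))
```

In practice the scanner belongs wherever card data could leak into text, such as an outbound mail gateway or a ticketing system, and the hash key must live somewhere other than the order database, or the keyed hash protects nothing.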