AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

The AuctionBytes Blog has been giving a voice to online merchants since its launch in 2005. Named one of the world's top 30 blogs in 2008 by "Blogging Heroes." Weigh in with your thoughts on the joys and pitfalls of selling online.
Sun May 31 2009 22:02:48

eBay Checkout, Merchant Accounts and PCI Compliance

By: Ina Steiner


Last Monday, I wrote about an issue affecting sellers with merchant credit card accounts, and in particular about a seller who had a question regarding eBay's Payflow Gateway Service. Sellers who have a credit card merchant account and wish to use eBay Checkout must use the Payflow Gateway service in order to allow buyers to enter their credit card information directly in eBay Checkout.

I asked PayPal some follow-up questions.

Is the eBay Payflow Gateway PCI compliant?

Yes. The Payflow Gateway is PCI compliant.

Will eBay Payflow work with web payments pro, and what are the consequences if not?

At this time it does not. However, eBay is working on completing the implementation.

I also wanted to get more information about the circumstances under which such a merchant would choose not to use eBay Checkout if they weren't using an authorized eBay Third Party Checkout system. This is especially timely in light of the fact that some vendors are discontinuing Third Party Checkout, including Infopia and eBay ProStores, due to upcoming changes eBay is making on June 15.

PayPal spokesperson Charlotte Hill said, "We allow buyers to enter their credit card information directly and securely in eBay checkout. This is an optional feature. Merchants can continue to have buyers email / fax / call them with CC numbers outside of eBay checkout. We recommend that they switch to the Payflow integration because it will be more convenient and secure for buyers, and faster and more efficient for sellers. But we're giving them the option."

So merchants who choose not to use eBay Checkout can instead process credit cards manually. Is that feasible for the majority of sellers who have merchant credit card accounts given the extra steps required to collect and manually process credit card numbers? I contacted the merchant who originally alerted me to the issue in Monday's article. Apparently he uses Infopia, which will no longer support eBay Third-Party Checkout as of June 15. Can this merchant take credit card numbers over the phone or via fax? "We do not have the time to process orders like that and it runs completely counter to the purpose of the Web as a commercial medium."

It's important for merchants who choose not to use a checkout system on eBay to understand the legal and PCI requirements around collecting and storing credit card information.

Bob Russo, General Manager of the PCI SSC, said, "Companies cannot store unencrypted credit card data, CVV codes, pin codes/numbers or any magnetic stripe data. The PCI DSS does not permit using email or other end user messaging technologies to transmit unencrypted cardholder data. This is outlined in requirement 4.2.

"Anywhere cardholder data is stored, transmitted or processed it must be protected by the requirements of the DSS. The DSS mandates not storing cardholder data unless critically necessary and rendering any stored account data unreadable through hashing or encryption.

"Merchants may choose to accept or process card data via fax or phone, providing it is protected upon transcription and storage in accordance with the DSS. For example, requirement 9 provides a host of controls to protect access to cardholder data such as securing any paper records that may contain cardholder data."

Note that there are state and federal privacy laws that encompass the storage of unencrypted data, so even if you take phone and fax orders and not email orders (which are prohibited by PCI DSS standards, according to Russo), you must be careful about how you store that data after you process the payment! (See more information on the Better Business Bureau website.)








Readers Comments


by: Dana

Mon Jun 1 10:59:02 2009


Beware of data mining!! eBay would love to get their hands on your customer's info. Even if PayPal doesn't make their cut, eBay can still mine the info and sell it. Keepin' it sleazy, eBay!


by: fruity

Mon Jun 1 13:21:07 2009

Yes. The Payflow gateway is PCI compliant. But is the one they stuck on eBay PCI compliant?

And what is going on with eBay's glitch of not even showing the seller's merchant account... today? I went to another seller who doesn't use PP anymore, only a merchant account, and it ONLY shows a PayPal account, nothing more. Same glitch they had just before they rolled out the no money orders policy.


by: Payments Maven

Mon Jun 1 17:28:07 2009

Did a PayPal spokesperson actually say

"Merchants can continue to have buyers email / fax / call them with CC numbers outside of eBay checkout"

Good lord, emailing or faxing credit card info is against PCI DSS as stated later in the same article. I would not turn to PayPal as a trusted consultant if that is the type of advice given.


by: Malcolm

Mon Jun 1 21:54:40 2009

Again, any charge card processing solution that does not support AVS and CVC, at a minimum, is not a viable solution for any merchant that accepts charge cards. Merchants that process "Card Not Present" transactions, which all online transactions are, already pay among the highest discount rates. Accepting cards without AVS and CVC would likely cause the merchant's rate to go even higher. PayPal Payflow for eBay, in its current form, is DOA.


by: Phil Thompson

Tue Jun 2 14:27:26 2009

I don't know much about merchant accounts, but it sounds like eBay is forcing folks to use PayPal only, by making it so difficult to accept another form of credit processing. Could this be the case?


by: fruity

Wed Jun 3 01:42:13 2009

Phil, of course. If they are making statements like PP will what, double or triple over the next few years, how the heck they gonna do that with what's going on with the eBay marketplace? It's gotta be from payment holds, reserves, interest/float and forcing PP products down everyone's throat. JD wouldn't have been THAT stupid to make that statement of revenue growth.


by: Bcarter

Thu Jun 4 07:33:13 2009

My problem is the support for Payflow is absolutely horrendous. I've had a question regarding setting up my current merchant account with Payflow for months, but cannot get an answer. I'm thinking that my current merchant account is not supported, but I do not have any definite answer.


by: Dat To

Thu Jun 11 12:58:47 2009

Doesn't sound like there is much choice for eBay sellers. Processing cards manually doesn't seem like a good option.
It's a great deal for eBay/PayPal. You want to sell in their system, you have to use the company that they own to process cards, or option B, do it manually and have PCI issues, or option C, don't sell on eBay. Seems like B & C are not real options.


