Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2013
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Version 1.0b of 7 May 1999
© Australian Information Industry Association Ltd, 1999
This document is (pro tem) at http://www.xamax.com.au/AIIA/CrCards.html
The Internet has created a new set of connections between buyers and sellers. The post and the telephone were important marketing innovations, but the Internet offers far greater possibilities because it creates the opportunity for businesses to deal with customers that they could never reach before. What's more, it's a medium that can excite customer interest, can close sales quickly and conveniently, and can do so cost-effectively.
One major problem with the Internet, though, is how to get paid. There are many possible solutions to the problem. But so far there's only one technique that's in widespread use, and that's credit-cards.
To enable your customers to pay over the Internet using their credit-card details, your business needs to have a basic understanding of the process that's involved. You then need to establish the appropriate arrangements with a bank, and with an Internet Services Provider (ISP).
This booklet provides you with the information you need in order to get paid on the Internet. If you already know some of this information, you may find it useful to skip directly to the particular section that you want. Otherwise, you should probably read through the booklet in the following sequence:
A credit-card transaction is an instruction by your customer for funds to be transferred into your account and charged against theirs. The instruction is given by the customer directly to you. Later, the customer will have to make a payment to their bank, typically once each month, to settle all recent transactions. The primary steps involved are shown in the following diagram.
The most common examples of credit-cards are those bearing the Bankcard, Visa and MasterCard brands and issued by Australian financial institutions. AmEx and Diners' Club charge-cards operate in a very similar manner, but the account is not held with a bank.
Face-to-face credit-card payments are referred to as 'card-present' transactions. The authority to charge is provided in person, and the card-holder signs a docket to evidence their agreement to the transaction. The data is captured, typically by making an impression from the card onto a voucher (using a manual 'flick-flack' device) and writing in the transactions details.
If the value of the transaction is above the business's `floor-limit', the merchant phones their bank, which checks the status of the card and the availability of funds. Alternatively, the data may be captured, and the checking performed, using an EFT/POS terminal. This `authorisation' process addresses the risks that the card may have been stolen or the customer does not have credit available.
A range of additional, 'card-not-present' uses of credit-cards has arisen. Card details may be provided by mail, fax or telephone, and hence such transactions are referred to as MOTO (mail-order/telephone-order) transactions. With mail and fax transmissions, a signature is provided, but it isn't written in view of the payee. With telephone transmissions there is no signature at all. It is a standard requirement that authorisation be sought for every card-not-present transaction. The risk remains that the person initiating the transaction might not be the cardholder.
Since the mid-1990s, credit-card transactions have also been conducted over the Internet. The customer sends the credit-card details as data rather than by voice. A slightly different set of risks arise. How you should manage these risks is explained below.
Here's how you can make it convenient for your customers to do business with you. There are many tools available on the Internet, but the tool that is most convenient for doing business is the World Wide Web. You need to have a web-site. Your customer needs to have a computer, be connected to the Internet, and use a web-browser.
Your customer visits your web-site, finds some information about your products or services, and decides to make a purchase. Your web-pages need to show your customers and prospects how to place an order and to pay for what they want.
Your customer initiates payment by keying their credit-card details into a web-form. Those details include the type of card (e.g. Bankcard, MasterCard or Visa), their credit-card number, the card's expiry date, and the name as displayed on their credit-card.
Your Internet Services Provider receives those details across the Internet. There are then two ways in which the next step can be performed:
The bank then arranges for the funds to be transferred into your account.
If your 'goods' can be delivered to your customer electronically, then your Internet Services Provider may be able to deliver the product automatically. (This works, for example, for software, reports, and digitised photographs). For physical goods and services, your ISP will need to communicate to you the goods that are to be despatched, and the delivery address they are to be sent to.
There is a risk that the card-holder may later seek to have the transaction charged back to you, in which case you, the merchant, may end up losing the money. This risk is much the same as it is with credit-card sales by mail and telephone. More information on how you manage the risks involved in Internet credit-card sales is provided below.
Once everything is in place, Internet-based credit-card payment is pretty straightforward, especially if you have an existing business and design the process to fit in with how you already work. The challenge, of course, is in putting the arrangements in place. This section explains the following things that you need to do:
In order to accept credit-card payments of any kind, you have to have a 'merchant services agreement' with a bank. This needs to include approval to accept credit-card details over the Internet. Note that some banks may refuse to allow you to do this.
There are two possibilities:
You're most likely to start by discussing your needs with your present bank. You may, however, need to go to some other financial institution to get the service that you want. Guidance is available on how to contact banks.
Every bank naturally protects itself against the risk of losing money, so it's likely to ask you for at least some information about:
A bank may be particularly concerned about providing these services to a brand new business, or to a brand new customer, or to a business that operates solely over the Internet. It might charge a somewhat higher fee to new businesses, or to Internet-only businesses, or for Internet transactions, than it does to established companies for transactions undertaken using a traditional medium such as an EFT/POS terminal.
You may choose to run your web-site on your own computer. If so, then you will need to have a considerable amount of technical expertise. The alternative is to use the services of a company that knows about such things. This document assumes that you choose to do it that way.
Businesses that undertake work of this kind are usually referred to as Internet Services Providers (ISPs). Some ISPs offer only simple capabilities, such as giving you a raw connection to the Internet, and providing you with an email service. If you want an ISP that can process credit-card payments electronically, you need one that has reasonably sophisticated technical and business capabilities.
The key services that you may want to purchase from one or more ISPs are the following:
Some banks may only accept connections using particular technologies or providers, so you need to check whether the services offered by your bank and your ISP are compatible.
Guidance is available on how to contact ISPs.
In addition to agreements with a bank and an ISP, you need to establish your web-site. Your web-site needs to:
In order to establish your web-site, you might choose to:
Because this is still a fairly new way of doing business, the costs are changing rapidly. The following is therefore only a very rough guide to what it might cost you:
It is stressed, however, that pricing varies enormously. You need to think through what you want, discuss it with your bank(s) and ISP(s), ask them for quotations, or for the details of their pricing-schedules., and ensure that you obtain a firm contract that specifies costs, dates, service-levels and support arrangements
As with every other way of doing business, accepting credit-card payments over the Internet involves risks. It is important that you appreciate these risks, manage your business in such a way as to minimise them, and make allowances for some level of bad debts.
The card-owner is permitted to contest any entry that appears on their statement. If they do so credibly, then the bank will credit their account, and make a so-called 'chargeback' to the merchant, with the result that you lose the money. This can arise if someone has acquired a valid set of card-details, and uses them to get delivery of goods and services from you and charge the costs against that card-owner's account. The perpetrator might be a card-thief, a member of the same household as the card-holder, perhaps a hacker who breaks into a computer that stores card-details, or even a hacker who intercepts transactions while they are in transit.
To address this risk, your bank will require you to get authorisation from it for every Internet transaction you conduct, using either an EFTPOS terminal or the telephone. For fraudulent transactions conducted during the time between the theft of the card-details, and the card being stopped, you, the merchant are likely to be the one who will bear the loss. This is much the same kind of risk as arises with mail-order and telephone-order (MOTO) transactions.
It is possible for a card-holder to authorise a payment, but later deny it. If the denial seems credible to the customer's bank, you, the merchant, are the one who bears the loss. Your chances of avoiding this kind of loss are good, provided that you can show the bank evidence that the card-holder confirmed the order, and took delivery of the goods.
This involves the fraudster inventing a plausible-sounding set of details. To make sure that you address this risk, your bank will require you to get authorisation before you despatch goods or provide services.
It is possible that your web-site may be unavailable to your customers, or the transaction-process may malfunction, or it may run so slowly that customers give up before they complete the transaction.
It's highly desirable that both your ISP and your bank provide statements about their service-levels and service-quality as part of the contract that you enter into with them. It is also advisable that your web-site explain to your customers how they can conduct business with you by telephone, as a fallback.
To protect yourself against inadequate performance by your ISP, you should ensure that you own the copyright in all aspects of your web-site, and that you have a copy of everything that you need to re-establish the site with another ISP if necessary. Naturally, to protect themselves, your ISP may seek some minimum term of contract, payment in advance, and/or a minimum period of notice from you to withdraw from the contract.
A prospect might hesitate to transact business, or a customer might complain, because they are concerned about what you do with personal data that you collect from them.
It's highly desirable that your web-site state your practices in relation to the personal data that you collect and hold. If you make such statements, you are legally obliged to comply with them. Your industry association may have a code of conduct, or a set of guidelines, which deals with this matter, and your bank may also require you to make such a statement. In addition, the Commonwealth Government and the Victorian Government have committed to passing legislation imposing privacy protection principles on the private sector.
Concern is often expressed about the security of credit-card details while they are being transmitted over the Internet. Although it does not appear that much fraud is actually committed in this manner, the risk does exist.
To address this risk, your ISP should ensure that data is transmitted in encrypted form. Your bank is likely to make it a condition of your merchant services agreement that your ISP do this.
Technically, this is referred to as 'channel encryption', and sometimes as the use of a 'secure server'. The main technology used is called `Secure Sockets' Layer' (SSL). You can tell when this is functioning because the letters 'https://...' appear in the URL window instead of 'http://...'. In addition, the margin of the browser-window displays a padlock or key. The use of this feature may result in some limited inconvenience for your customers. In particular, they may see occasional strange messages about `certificates', which they need to accept; and some very old versions of mainstream browsers and proprietary versions of browsers may not work properly.
You should ask your ISP what approach they take to ensuring that credit-card details and order data are secure during transmission over the Internet.
It is also technically feasible for a `hacker' to electronically break into a computer used to store credit-card details. Your bank is likely to require that you address this risk, by ensuring that neither you nor your ISP store collections of credit-card details on a computer that is accessible over the Internet. In any case, your ISP should implement security precautions against electronic break-ins.
The following references provide some further sources of information that may be of assistance to you in the following areas:
Copyright in this work is owned by the Australian Information Industry Association.
The purpose of the work is to assist Australian businesses to conduct electronic commerce over the Internet. Industry associations, chambers of commerce and other organisations are invited to point to this document from their own web-sites, to advertise the web-address of the document, and to mirror the document on their own sites.
These materials may be reproduced for personal use, or for distribution, and in electronic or in hard-copy form, subject to the following conditions:
In order to use these materials for profit, written approval must be gained by application to AIIA. Such licences may be subject to the payment of a licence fee.
AIIA acknowledges the assistance of the Australian Bankers' Association and of the National Office of the Information Economy in the preparation of this web-version of the Guide, and of a printed version available from @@@INSERT ORDERING URL, email and/or telephone-number.
The assistance of Sun Microsystems Australia Ltd is also acknowledged.
This Guide was prepared for the Australian Information Industry Association by Roger Clarke of Xamax Consultancy Pty Ltd, Canberra.
Australian Information Industry Association
Ltd, ACN: 002 360 456
12 Campion Street
Deakin Canberra ACT 2600 AUSTRALIA
Tel: (02) 6282 4700
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 40 million by the end of 2012.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916
Created: 28 March 1999 - Last Amended: v.1.0b of 7 May 1999 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/CrCards.html