I really don't understand why anyone stores CCs. You don't need the number ever again after the initial transaction. Even for reoccurring transactions. Authorize.net needs only the transaction ID for a refund, which can't be more than the original transaction or the API kicks back. You can also send in certain commands to their API to mark a user as reoccurring, thereby negating the need to store the CC for future use, let alone storing the CVC.
If for some reason you don't want to use Authorize.net, use PayPal, which also has an API, though no one seems to use it. You don't have to see a single PayPal logo, and can use PayPal as a raw gateway, leaving the user none the wiser that the transaction is even going through PayPal.
PayPal is actually a good option to save money if you are a small startup and can't afford the high cost of a merchant account, though those costs are getting lower and simpler as every day passes.
I also find their API a little simpler to use than Authorize.net. Though I have a nice library for Authorize.net that I have tuned over the years to account for the hundreds of possible error codes they may return and how I will handle those cases.
PayPal is a little steep on the per-transaction fee and the percentage that they take, so if micro-sized payments are your game, they may not be ideal. Anything over $5.00 and you should be good. And again, with PayPal, just like Authorize.net, you don't need to store a credit card number ever.
It makes no sense why this is happening. It simply shouldn't be happening. And the certification is a joke. The steps that some of these CC certification companies make you go through weaken security, and are often arbitrary. But what do you do? My HOA charges a $20.00 fee to pay by credit card. This is against the terms of their merchant provider as per VISA's terms and conditions. I have tried to report it 3 times now, and give up in frustration before I ever get close to being transferred to the correct department. My HOA should have their merchant account yanked for that behavior, as should any merchant who mandates a $5.00 minimum purchase rule at the counter.
I have taken steps to protect myself by using a unique password for every site, as long as allowed. My defaults are letters, numbers, and symbols, 32 characters in length. The password manager I use will adjust down if the site can't handle the length or characters. Yet I run into sites that mandate a 6-character password of letters only. Ugh. A bank being the 6-character one.
My main protection these days is to use gift cards and pre-paid Visa cards. Apple screwed my account and I will never trust them with my CC again. Not for security reasons, but because if you ever ask support a question, they seem to think you are reporting a fraud case, and blacklist your CC for life. I had a business card that was shared with 10s of users, all of whom now had to create a new Apple ID password, re-enable all iCloud services, and reset a ton of stuff.
Solution? $50.00 gift cards for everyone; they can get a new one at any time the old one runs out. No more CCs in Apple's kit ever again.
For the rest of the sites, I use pre-paid Visa cards that have $100.00 on them. I figure I am OK to get burned on $100.00. If the purchase is any greater, and I need the protection of a real VISA card, I may take the chance, but I will look the site over carefully.
This is a lot to ask of your average user, and I consider this the bare minimum attitude that someone should have to online purchasing.
Or, just order everything from Amazon and don't do any CC transactions with anyone else. Look at the HTML source of ATT.com and tell me you trust them with anything at all.
Absolutely, as I said I outsource all storing of credit card information to Authorize.net. Storing them myself is not a responsibility that I would take lightly and I'm sure they'll do a better job than me.
For passwords, while I do not force users to have secure passwords, I of course allow complex passwords (including 32 characters with any symbols and so on) because this is what I use and if there's one thing I hate, it's websites like my bank that force me to only use 6 numbers for the password.