13

My wife and I run an online business. For a long time we would accept credit cards over our website, and cash or bank drafts in person. However, as time went on my wife picked up the Square to process credit card payments in person and our customers really like this.

Due to the nature of our business (much of the furniture is custom) we don't take the entire payment upfront. We might authorize one amount, capture 60%, and when your goods arrive we re-authorize for the remaining 40%. This is pretty standard and works well. Except some folks aren't keen on meeting up in person for the remaining 40%, and we don't have an option to handle that extra 40% through our website (it would expect a new order).

I've been noticing some of the customers sending such details through email. Some were cautious, sending the number and the dates/cvv code from separate email addresses. Others not so much. Either way, it's not a stellar practice. I brought it up to my wife last night, and she didn't really get why I was making such a big deal about it - after all, she deletes the email as soon as its processed. I said "what if you lost your phone today?" and it clicked in that being insecure for "just a few days" isn't okay, especially if you almost always are in the "just a few days" stage with someone.

At the same time, it would be a pretty poor practice to say "We can't do this thing that's super convenient for you because we can't trust my wife not to lose her phone." - that's basically what our customers would hear. So keeping in mind that we can't rely on our customers being tech savvy at all, what can I use as leverage to convince my customers to not reveal their credit card data over email?

I've read this one about unsolicited emails but the recommendations are vague - "institute a policy", okay. * waves hands * we no longer accept these emails. But, when we are first discussing payment terms, they are likely to ask "can I send you my CC data over email" and when we say no, they will ask "why not"? What can I tell them that doesn't make us look irresponsible and convinces them that it would be best to do it in person with an actual swipe, or if it must be remote, to call us and we can enter it while on the call and it never needs to be recorded anywhere?

corsiKa
  • 253
  • 1
  • 3
  • 10
  • 5
    You could tell the customers that you would be in violation of PCI-DSS standards if you accepted credit card information by email. This would a) be perfectly true and b) sounds legalese enough to make customers think that you know what you are doing regarding credit card safety regulations. – Cromulent Jun 18 '14 at 19:35
  • That would imply we are fully PCI-DSS compliant, when we aren't. For example, the fact that our POS is on a phone that uses the internet for other options fails requirement 1 of SAQ_C. It is also is a case of "because I said so" not "because it's a bad idea". I'm trying to educate, not dictate. – corsiKa Jun 18 '14 at 19:36
  • 2
    @corsiKa your customers almost certainly won't know what PCI-DSS is and don't tell them about your phone based POS. It isn't being deceptive, you're attempting to be more secure, and honestly tell them to never send a CC insecurely. I'd look into getting paypal integration as well, since you don't do CCs correctly at all, using paypal as an abstraction would be the most secure way for your customers to make a purchase. – Andrew Hoffman Jun 18 '14 at 21:02
  • Apparently my statement about not being PCI-DSS was incorrect: Square is compliant, and it would appear as long as we don't store anything we too are compliant. Also, we have Paypal on the website, but our customers don't really want to go back to the website. – corsiKa Jun 18 '14 at 21:07
  • Let me comment on the obvious. "How can I convince my customers not to send Credit Card data over email?" - you can't convince all them. Its human nature to find the path of least resistance. That's why people click through all those security warnings in a browser, even when they know (or have been told) they should not. Someone is going to send you CC information anyway because its the path of least resistance and it accomplishes their goal. –  Jun 20 '14 at 16:40

4 Answers4

6

It's very simple, when you are taking in credit card information it means you have to be compliant with PCI-DSS being a merchant. Now to make your customers understand this you need to explain to them that you are simply not allowed to take credit card details through email. Kindly refuse it, acknowledge it's annoying but nescessary and immediately destroy the email.

You are not allowed to store or accept credit card information except when it complies with the standards as detailed in the attached document. If you do so you can make yourself liable for any credit card fraud which originates from a credit cards leaked through your business.

You can also explain to your customers that they should never send credit card details via email as this may be seen as an act against due dilligence (which customers need to take into account as well).

One way of solving this is only allowing credit card payments through bank terminals or through a payment gateway like PayPal. These will take care of the liability issue.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
  • 3
    *"...and immediately destroy the email."* ... I LOL'ed. – tylerl Jun 18 '14 at 22:37
  • "The hackers can steal all emails" would help much more for the common non-techie person. Or maybe "The NSA steals your CC to buy their supercomputers!" – AviD Jun 19 '14 at 08:43
1

Is a service like paypal out of the question? That would allow them to send you the remainder of the balance directly without emailing their CC info to you. There will be a fee associated, but I would think it be worth the additional security and peace of mind.

Besides keeping the CC info out of your inbox (which you are deleting) it also keeps it out of the customers SENT box. (which they probably aren't clearing)

enter image description here

UPDATE

While this doesn't specifically answer your question, I do feel it is the "end game" solution as opposed to a work around.

It would involve changes to your website/mobile app.

Please review:

https://developer.paypal.com/docs/integration/mobile/make-future-payment/ (mobile)

https://devtools-paypal.com/guide/ap_preapprove_payment (web API)

This will allow the customer to pay the up front portion of the bill while consenting to allowing you to charge the remainder at a future date.

k1DBLITZ
  • 3,953
  • 15
  • 20
  • We offer paypal on our website, but that suffers the "duplicate order" problem. Also, these customers are looking to avoid going back to the website. They already made their purchase, why should they go back? (That's their perspective.) As an aside, this doesn't answer the question of "convincing them" - this is more "you must do this". – corsiKa Jun 18 '14 at 21:03
  • Not to mention PayPal's high rates and poor customer service. (Its great for customers, though, as long as they don't need support). –  Jun 20 '14 at 16:11
0

If it were me, I would start by sending a kind email stating or explaining to them in person that you appreciate their business. However, due to the insecure nature of emails, which can be intercepted (See Wikipedia about emails being sent without encryption) that it's in both your best intrests not to send the data over email as somebody else could read the data and make fradulent purchases. I would also explain that you do not store credit card data due to PCI compliance and have a third-party handle credit card transactions.

Also, you could attach an encrypted PDF (my utility company does this) and send it to them which could just be the password of their zip code or another means of identification. I know it is possible to have the PDF send the payment information. You can find several guides on how to integrate a PayPal button into them or see my link about Stirata below. This way your customers can still pay "by email" but you won't have to receive their credit card information directly.

Update: It looks like my utility company uses Striata for their PDF billing solution.

Travis Pessetto
  • 670
  • 3
  • 6
-3

There are 2 issues here. The first one is that you are willing to take responsibility for what a not-so-bright customer does. The other one is, well, that some customers are not bright.

Let me tell you how I would handle it. When you first get the email address from the customer, you send them an email thanking them for their business and right there in bold letters, you can tell them to only pay via a website or in person and not via email. If in the future they still email you their credit card number, then you are covered because you warned them.

If out of the blue, a new customer sends you their credit card number via email, then thank them and direct them to the website or in person next time because their ISP or internet connection is not secure.

schroeder
  • 125,553
  • 55
  • 289
  • 326
edsanz
  • 1
  • 1
  • I can't accept this. This is about actions. I need to convince people that their action is bad. We're going to draft the policy on it, but we want to be able to *justify* that policy in terms our customers can understand. – corsiKa Jun 18 '14 at 19:35
  • 1
    In short, emphasize that it's their end that's not secure. You are the recipient and before the email gets to your phone it passes by a dozen unsecured networks. Even if your wife deletes the email, it is still sitting inside the Sent folder of the customer and it can still be stolen from there. – edsanz Jun 18 '14 at 19:37
  • 1
    @corsiKa why not say, "Because email is an inherently insecure medium, we cannot accept credit card information this way. For your safety, please use our website or [insert other method]"? You could even mention that they shouldn't email their CC info to any other sites because it's a bad practice. – Eric Lagergren Jun 18 '14 at 19:45
  • I appreciate your concern with the customer and you are trying to teach them the Internet is not secure. I wish all store owners were like you. The thing is we have been trying to teach the same thing to people for more than 20 years and they still do what they want. We need to continue teaching them and let them decide their actions on their own. – edsanz Jun 18 '14 at 19:46
  • 2
    -1 you clearly do not know what PCI-DSS entails – Lucas Kauffman Jun 18 '14 at 20:49
  • 1
    You are definitely not covered just by warning your customers. If you are the victim of a databreach and it can be tracked to your business, you can be held accountable for the breach and ANY fraud which occured with credit cards stolen in the breach if it's proven you did not store data in accordance to PCI-DSS. – Lucas Kauffman Jun 18 '14 at 20:57
  • -1, for not understanding the applicable laws you claim to understand – Lighty Jun 19 '14 at 07:18
  • You really need to work on your reading abilities. Did you read my first sentence and raced to comment? I never cliamed to be talking about PCI-DSS the security standard/framework (keyword here is framework). In fact the question was not about PCI-DSS compliance. The man in fact said he doesn't even want to mention PCI-DSS because it would imply that he is compliant when he thinks he is not. But you would have read that if you spent the time. – edsanz Jun 19 '14 at 13:33
  • 1
    The issue is with the line "then you are covered because you warned them". Covered from what? Covered in what way? – schroeder Oct 07 '21 at 15:19