By Peter Bell

Know Any UK/European Credit Card Lockbox Providers?

It's possible to avoid having to implement a PCI-compliant solution for credit card processing, providing you don't store, process or transmit the card information yourself. One way of doing that is a lockbox provider such as Braintree.

We have a client that needs to defer the charging of credit cards until the shipping amount is known, but can't afford to implement a PCI-compliant solution in-house. We're looking for a third-party processor where we can seamlessly pass card details using a form submission to their gateway to authorize (but not charge) the card, and then get an ID back that we can use to charge the card later.

Wondering if anyone had heard of/used a solution like this?

Comments
Peter, PCI also applies to merchants that store, process, or transmit card data. From what you've described in your post, I think your client would still be subject to PCI compliance because they are transmitting card data to the processor using a form submission.

Most of the bigger payment gateways offer a hosted page that you redirect the customer to for payment. Perhaps you can find one that will do an authorization only? Then you can come back later and settle the transaction later with the returned transaction identifier? One issue that could come up though is trying to settle for an amount higher than the authorization amount.

-Marc
# Posted By Marc | 4/21/08 11:38 PM
@Marc, It seems to me that the client would not be transmitting the card data so long as the form containing the card data was submitted directly to the payment processor (i.e. the form action was to http://www.whatever-payment-gateway.com). With such a setup the cardholder data would never travel to the client at all.

Say I'm an end customer in NYC. Client is in Washington DC along with their servers and payment gateway is in Utah. A blank form is transferred from DC to NYC. I fill out card details and hit submit. Transmission goes straight to Utah - never even touches the client servers, so PCI isn't an issue.

As you pointed out though, what is really needed is one of the secure lockbox style services as we need to be able to charge an arbitrary amount at some time in the future - not just auth now and settle later. Looking for a European equivalent of Braintree as trying to avoid a system where the end customer has to go to a page branded by a third party such as Google or PayPal or the payment processor (e.g. RBS WorldPay).
# Posted By Peter Bell | 4/21/08 11:56 PM
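The direct-post arrangement Peter describes (card form action pointing at the gateway, so card data never reaches the merchant's servers) is easy to break with a later template change. The following is an added example, not code from the original post or from any commenter: a small Python check over a checkout page's HTML that flags any form carrying card fields that does not post straight to the expected gateway host over HTTPS. The field-name hints, the gateway host and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names treated as cardholder data (assumed naming convention).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry")

class _FormScanner(HTMLParser):
    """Collect every <form> with its action, method and input names."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_card_data_leaks(html, gateway_host):
    """Return problems with any form that carries card fields; [] means card
    data goes browser -> gateway over HTTPS and never touches the merchant."""
    scanner = _FormScanner()
    scanner.feed(html)
    problems = []
    for form in scanner.forms:
        if not any(h in f for f in form["fields"] for h in CARD_FIELD_HINTS):
            continue  # no cardholder data in this form, not in scope
        target = urlparse(form["action"])
        if not target.netloc:
            problems.append("card form posts to the merchant's own origin: %r" % form["action"])
        elif target.hostname != gateway_host:
            problems.append("card form posts to unexpected host %r" % target.hostname)
        if target.scheme != "https":
            problems.append("card form action is not HTTPS: %r" % form["action"])
        if form["method"] != "post":
            problems.append("card form uses GET, so card data would land in URLs and logs")
    return problems

# Constructed sample pages: one posting straight to the gateway, one to the merchant.
DIRECT_TO_GATEWAY = """<form action="https://gateway.example/pay" method="POST">
<input type="hidden" name="merchant_id" value="demo"><input name="card_number">
<input name="expiry"><input name="cvv"></form><form action="/search"><input name="q"></form>"""
VIA_MERCHANT = """<form action="/checkout" method="post"><input name="card_number">
<input name="cvv"></form>"""

if __name__ == "__main__":
    print(find_card_data_leaks(DIRECT_TO_GATEWAY, "gateway.example"))  # []
    print(find_card_data_leaks(VIA_MERCHANT, "gateway.example"))
```

Run it against the rendered checkout page (after any templating) rather than the source template, since that is what the browser actually submits.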
Hi,

Protx support deferred transactions with their VSPDirect system.

I found it easy to integrate with - although that was with PHP and they had an integration kit for this and ASP, but not sure about other languages.

It is possible to sign up for a Protx account as a developer and use the "simulator" or "test" servers. You only have to start paying when you want to go live and you can simulate without a merchant number - not sure about the test system.

All in all, it was a nice system to integrate with, although they had some slight hiccups and support was flooded with calls when 3D secure came in, I don't think they were half as bad as the competition and when you have integrated with PayPal anything else is easy :)
# Posted By Glen | 4/22/08 6:44 AM
Now I understand, and yes, I agree that your system would be out of scope for PCI compliance. I was thinking that the form containing card data was initially being posted to your clients site and the data was then being relayed to the payment processor.

If a payment gateway offers a recurring billing service, you might be able to bend that to do what you want, but what you really want is a gateway that offers repeat payments. That's where you initiate a new transaction with the payment information used in a previous transaction (stored with the payment gateway). I don't know what's available for the UK/Euro market, but I know Payflow Pro can do this. Authorize.Net and CyberSource can as well.

-Marc
# Posted By Marc | 4/22/08 10:01 AM
@Marc, Even the recurring payment doesn't usually work (at least the implementations I've seen). My generalized requirement is to be able to take ad-hoc payments out of a card - more than once, but not on a recurring basis. I have that time and time again for clients who want to be able to offer a quick checkout to returning clients but not have to store the cards and handle PCI compliance. Only solution I've seen to date is Braintree as I get a token back I can use for future transactions. I came pretty close to setting up a company to solve the problem as I find it a big issue and when more small merchants learn about PCI I think there is going to be a big push for this kind of service. I'm just trying to find a provider that can be used for UK clients as Braintree can be in the US.
# Posted By Peter Bell | 4/22/08 10:10 AM
@Glen, Thanks for the comment. According to their site VSP Direct may require PCI compliance:
http://www.protx.com/products/vsp_direct.asp

Also, while it offers deferred charges, that doesn't work if we don't know the shipping amount as we need the ability to change the total for the order before charging.

Oh well . . .
# Posted By Peter Bell | 4/22/08 10:14 AM
Peter, looks like DataCash might be what you need. I have worked with them before; looks like they have all the stuff you need.
http://www.datacash.com/
# Posted By Anuj Gakhar | 4/22/08 10:19 AM
@Anuj, I saw recurring, subscription and installment payments but nothing about a lock box style service or the ability to store a card and then charge some other amount at some point in the future. Are you sure they have that and if so, any idea where the info is?

Thanks!
# Posted By Peter Bell | 4/22/08 11:17 AM
@Peter, the way it works is you first do an authorization (probably 1 pence amount) and then you get the authcode. Using that authcode you can then commit the transaction at a later date and at that point you can change the amount. I am sure this is what I did in one of my projects. I will try and find some info for you.
# Posted By Anuj Gakhar | 4/22/08 11:35 AM
http://datacash.custhelp.com/cgi-bin/datacash.cfg/...

If you look here, it tells you how to fulfill a transaction after you have done the "pre", which is auth. And amount is one of the optional parameters as in their XML example.

Might be worth speaking to their sales I would say.
# Posted By Anuj Gakhar | 4/22/08 11:40 AM
@Anuj, Great - many thanks for the information - much appreciated!!! I'll definitely check this out.
# Posted By Peter Bell | 4/22/08 11:49 AM