EFPOS & credit card receipts
barbara
7th August 2006, 11:55 AM
hey there ppls...
I remember a while ago there was a thread about people using their EFPOS machine to process internet orders (MOTO function). Someone mentioned that the receipt prints the full credit card number - I've been going through this recently and have been looking for a solution and was wondering if anyone had come up with anything? I tried ringing the bank (Commonwealth), they told me it was incredibly insecure, and there was nothing I could do about it. So - does anyone know anything else? Any hints?
Thanks,
~barbara~
dferguson
7th August 2006, 12:36 PM
Hi
All current EFTPOS terminals should now be printing truncated card numbers - If your machine is printing FULL card numbers, you should contact your Merchant bank and get it updated.
barbara
9th August 2006, 12:10 PM
haha it's working now :) ...
I just wanted to know if you have any firsthand experience with the Commonwealth EFTPOS machines - I thought that they should be truncating them, but I did ring the bank and (after spending a decent amount of time on hold), they told me there was nothing they could do. I'll be ringing them again, but wanted to check if you personally knew about Commonwealth machines.
Thanks,
~barbara~
dferguson
9th August 2006, 04:04 PM
Hi
From what I was told by Westpac ALL terminals should now be printing truncated card numbers (in fact they forced all users of old terminals to upgrade for this reason)
... It may be worth another call to comm bank.. see if you can upgrade your terminal to a later model.
barbara
16th September 2006, 09:59 AM
Hi
From what I was told by Westpac ALL terminals should now be printing truncated card numbers (in fact they forced all users of old terminals to upgrade for this reason)
... It may be worth another call to comm bank.. see if you can upgrade your terminal to a later model.
Just a follow up - after many phone calls to Commonwealth, we have been told that this is not possible - we have the newest terminal. If we print a receipt using the standard facilities (i.e. the card and cardowner are in front of us, we swipe the card, etc etc), the numbers are truncated, however if we use the MOTO facilities (i.e. taking credit card details over the phone or net), then the credit card number is not truncated. They have told me that this is flat out not possible.
I'd love to confirm with any others out there - is anyone else using a Commonwealth Terminal - and does it behave like this? Or is there a way to truncate the numbers?
Furthermore, can anyone confirm, if they are using a different bank's terminal, that the receipt DEFINITELY truncates the numbers (for mail order transactions). David has said Westpac will do it - I'd like to compile a list so that I can look into other banking options.
Thanks,
Barbara
adrianlacy
17th September 2006, 10:40 PM
As David said, Westpac (and I'm told all others are meant to) hide a large centre segment of all credit card numbers, whether they be swiped or MOTO.
Their charges are reasonable - about 1.2% in our case - maybe that's good, maybe it's bad - not sure, but I'm happy with their service and charges.
xman
22nd November 2006, 11:33 AM
St George bank certainly do hide the card numbers when entered manually, or mine does anyway. However, as I have just found out, they certainly do not like you manually inputting card nos into your eftpos machine. This apparently is a breach of their guidelines and could result in the merchant facility being revoked.
So if you are doing it I would keep it kind of quiet.
I had successfully used this method for six years (unaware that I was doing wrong) without any problems, and only ran into trouble when I applied for another eftpos machine for a 2nd retail outlet.
I have had a couple of sleepless nights as they have withdrawn my MOTO facility and at this stage been told not to process any sales from the net, and been referred to head office.
And today been informed that I am able to keep my merchant account but must use Eway or similar to process online sales.
dferguson
23rd November 2006, 02:09 PM
Hi
The banks' merchant agreements are (in my personal opinion) very contradictory.
Card Not Present transactions can happen in many ways - over the phone, via fax, mail order and now that technology permits - over the internet.
In fact, many some banks (Westpac) include monthly information brochures about processing internet based payments on the terminals.
Perhaps your particular agreement was different than most due to the type of industry you're in?
For the banks, there is absolutely no difference in security processing via a terminal or via a real time gateway like eway. Methinks it's just their way of getting two lots of monthly fees out of you.
HelpMePlz
25th November 2006, 09:56 PM
First I've heard of this. St George knew when I signed up for my terminal that I was only using it to process my internet transactions, they said it was no problem. That was less than 2 years ago.
fooj
9th February 2007, 04:27 PM
I agree. However, there are now much stricter rules in regards how credit cards are received and stored. My bank would not let me receive cards from ezimerchant and process them into my EFTPOS machine manually. Unless I could show them the 2048-bit encryption (minimum) and proved my ezimerchant site is hosted on a dedicated server with insane security. They gave me a heap of stuff on the new PCI DSS to read.
But I've been able to stay receiving card payments and processing them manually through my EFTPOS terminal but I had to go through http://e-path.com.au as my gateway. This one and http://payecom.com.au are the only two the bank would allow me to continue to handle payments on the net without going to a real time gateway - and I really didn't want to do that.
It took ages for my developer to get it to work but it's a killer. No transaction fees, very secure and about the cheapest approved solution out there. I'm very happy with it.
Cheerio
barbara
21st January 2008, 03:11 PM
bringing up an old topic... but anyone that has a cc machine in aus, and uses MOTO, and has the number truncated, would you mind telling me:
-what bank are you with?
-what is the model of your machine (is usually on a sticker, under the machine)
thanks heaps :)
aschiller
24th January 2008, 01:13 PM
We have thoroughly reviewed the services that e-path and payecom provide with a view to integrating ezimerchant with them. We came to the conclusion that they are manual credit card processing services, not merchant facility providers. In other words, they provide a single service which is one of many provided by ezimerchant (the manual credit card payment method). We struggle to see the value that would add to ezimerchant customers. Why would anybody pay 2/3 of the cost of ezimerchant to an additional provider when the result would be a complication of the checkout process without any benefit gained? Likewise a migration would be pointless even though it would save 1/3 of the cost of ezimerchant, it would solve only a tiny part of the problem that ezimerchant solves. How would you manage your catalogue and content? How would you calculate freight? How would you prevent fraud? A secure transaction is not a fraud free transaction - ezimerchant gives you fraud data with every credit card order. How would you manage your orders, customer relationships, promotions, gift vouchers amongst other things? How would you streamline your shipping process? All of these things are handled by ezimerchant.
Woodworker
18th February 2008, 03:55 PM
bringing up an old topic... but anyone that has a cc machine in aus, and uses MOTO, and has the number truncated, would you mind telling me:
-what bank are you with?
-what is the model of your machine (is usually on a sticker, under the machine)
thanks heaps :)
Barbara
We just received our new Bendigo GoPos machine (branded CADMUS Ltd) it is mobile in that it uses the Optus Mobile Network and certainly truncates CC numbers. The cost was a few $$'s more per month than our Online MOTO facility, no we don't pay the call or data costs.
I hope that this helps?
Regards
Grahame
www.woodworksupplies.com.au
barbara
22nd September 2008, 07:49 AM
And yet again I am resurrecting an old topic...
This is still a concern for me - we are still using Commonwealth machines (the business owner doesn't want to change), and they still do not truncate the numbers. I've looked into the newest machines (we no longer have the latest available, they were supposed to upgrade ours at the end of last year...), but they also do not truncate the numbers (even though I was assured they did).
So my question today is - when sending out an order, does everyone include a copy of the eftpos receipt? Do you have to (legally?)? Any other sites where I can check up on this?
Currently, when we send out an order, we send with it:
- the invoice/packing slip printed from the computer
- a cash register receipt (this is mainly for our benefit, to ensure the order total has gone through the cash register)
- an eftpos receipt (duplicate copy, we keep the original, in case there are any probs)
But I'm thinking on changing it so that we don't send the eftpos receipt, merely write on the invoice the (eftpos) transaction number. Opinions?
d.ferguson
22nd September 2008, 07:58 AM
I cannot see any need to send the eftpos receipt.
firetrader
29th September 2008, 12:26 PM
We have a single hole punch,
When a MOTO receipt is sent we punch out 3 - 4 holes so the number is removed / manually truncated you could say. It works, it's fast and safe.
A
aschiller
29th September 2008, 08:19 PM
There is a definite shift away from manually handling credit card data. This is being driven by the payment card industry (Visa, MasterCard, Amex, Diners Club, JCB, etc) under the PCI DSS (Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml)). This shift is likely to result in some short term inconsistency in bank policies as they juggle sometimes conflicting pressures such as the need to compete with the management of risk.
There is no doubt though that regardless of bank policies, PCI DSS will change many merchants' business processes in relation to handling of credit cards, particularly for online transactions. The primary factor impacting that change will be the requirement of every merchant to be PCI DSS compliant. The process to become compliant will vary based on business processes. Every merchant will need to complete a Self Assessment Questionnaire (https://www.pcisecuritystandards.org/saq/instructions.shtml). Which questionnaire depends on a number of factors including whether or not merchants physically process and store credit card data. Merchants undertaking PCI DSS compliance will find that eliminating the manual handling of credit cards will greatly simplify compliance, if the service provider the card data processing is outsourced to is PCI DSS compliant.
Barbara, to specifically answer some of the questions in this thread, it seems very surprising that the Commonwealth bank would still supply terminals which print the full card number on the receipts. This basically makes it impossible for you to become PCI DSS compliant. I would suggest challenging them on that point, particularly as your merchant services agreement probably requires you to be compliant or at the very least probably passes the risk of non compliance on to you (either directly or through more generic terms which encompass this situation). I would strongly recommend not sending the receipts with the full card number until that issue is resolved.
barbara
30th September 2008, 07:31 PM
Barbara, to specifically answer some of the questions in this thread, it seems very surprising that the Commonwealth bank would still supply terminals which print the full card number on the receipts. This basically makes it impossible for you to become PCI DSS compliant. I would suggest challenging them on that point, particularly as your merchant services agreement probably requires you to be compliant or at the very least probably passes the risk of non compliance on to you (either directly or through more generic terms which encompass this situation). I would strongly recommend not sending the receipts with the full card number until that issue is resolved.
I have argued this point with them over and over and over again, both on the phone, and when they have come out to fix/replace machines at various times. They have swapped between saying things like "Our machines already truncate the numbers", to "It will be fixed with the new machine" to "OH no, no banks do that" (after trying to give us new machines that did not truncate the numbers). In fact we just got the latest machine only last Friday for our new shop, and it still does not truncate numbers - and I started this thread over 2 years ago!
For the moment we have decided not to send out receipts - customers still receive a tax invoice of their order, and if they request a copy of the eftpos machine, I'll arrange it, but it won't be done as a matter of course, until Commonwealth sorts this out.
I'd love to take us to an online solution, but too many of our orders are adjusted before the credit card is charged (postage adjusted, items added to order, items out of stock etc), so it just isn't really an option.
Thanks for the replies.
aschiller
30th September 2008, 08:06 PM
I'd love to take us to an online solution, but too many of our orders are adjusted before the credit card is charged (postage adjusted, items added to order, items out of stock etc), so it just isn't really an option.
That's the beauty of the new ezimerchant deferred real-time service. It allows for the adjustments you mention. In fact, the need for adjustments was a driving factor behind its implementation. The way it works is as follows:
1) A customer places an order on your site and securely provides the credit card details (the customer experience won't change at all)
2) The credit card is validated against the EFTPoS network (rather than just checked that it passes a basic algorithm as is what happens on manual transactions). This ensures it is a legitimate card with the correct expiry date and CVC number.
3) You download the order as normal. The entire balance will be outstanding.
4) You make any adjustments as appropriate (through ezimerchant). The balance is updated to reflect the change
5) You capture the funds by clicking "Add payment". The payment can be less than, equal to or greater than the order amount, just as you could have done with manual.
It is also possible to issue refunds through ezimerchant.
So you don't lose any of the flexibility while gaining the security of not being responsible for credit card data.