Secure Server & E-Commerce
Normal information transfer across the Internet, such as browser-server communications, ftp and e-mail, is not secure because the information is not encrypted when it is transmitted. Thus, an interested party could conceivably read such information on its way from the server to you if they were watching for it. In order to accept credit cards or transmit other sensitive data, you should use our secure server option. There are three components to secure on-line transactions, the third of which is optional. They are as follows:
1) Secure Server
In order to keep eavesdroppers from seeing a credit card number as it is typed into a form on a web site, the transaction must be encrypted. This is accomplished by using the Secure Sockets Layer (SSL) protocol when transferring data between the browser and the server. To enable SSL on our systems, you must sign up for our secure server option. This adds a component to your web space called SWEB, where you will place any files that you want to be encrypted when seen by a browser. Our NetMerchant shopping cart uses the secure server for all operations except the shopping basket, which doesn't need to be secure. Please see the NetMerchant instructions on-line if you want more information on this topic.
2) Merchant Account
A merchant account provides a merchant with the ability to accept credit cards on-line or off-line. It is issued by a bank or banking-related institution specializing in this service. Once you have an account, you will process credit card payments using either a traditional "swipe" box, a software program or an on-line card processor if you are involved in e-commerce (the third component described below). In order to get a merchant account, we recommend that clients speak with their bank as well as a supplier we have used many times. Many of our clients use this company with no problems and, unlike many banks, they understand e-commerce clearly and can provide on-line processing services for those clients who need them. Contact us for more information.
3) On-Line Processing
If most of a merchant's credit cards are accepted off-line, a merchant may wish to use a swipe box or software program to process the cards. However, if any volume is done on-line, the convenience of an on-line processor will be well worth the small additional cost. Instead of manually processing the cards, verification is done by the on-line processor and the money is automatically transferred to the merchant's bank account after 1-2 days. We use authorize.net in conjunction with our NetMerchant shopping cart. If you plan to use an on-line processor to process your cards, be sure your merchant account provider can set up authorize.net in order to avoid any special setup costs. Before you can set up an authorize.net enabled merchant account, you must have the following items available for review on your web site:
- Refund Policy
- Privacy Statement
- Product Pricing
- Method of Delivery and Time Frame
4) Using SWEB
Any file you put in the sweb folder will be encrypted when it is accessed via a web browser using "https" protocol as noted below. In order to receive sensitive information, you should write it to a data file in your password protected sweb/data folder and view it using a browser or our decryption tool as discussed below. You can use our Form or NetMerchant scripts to write information to a secure data file and send an e-mail message with everything but the card number or other sensitive information in it. Be sure to use a browser or the decryption tool to view or file-save the data. Once you have the information written to an on-line file, resist the temptation to ftp the file to yourself for processing because that, like email, would be an insecure transmission of unencrypted information. IMPORTANT NOTE: You are encouraged not to keep large amounts of credit card or other sensitive data on line. Your sensitive data should be regularly purged from our servers for an added measure of security.
Files in your sweb folder will have the address https://secure.icglink.com/yourdomain. For example, that would be the address of a file called index.html in the sweb folder, where you might ask for credit card information securely. You should store your credit card numbers in a password protected folder such as sweb/data. The data folder is password protected with your username and a password of your choosing. You may edit this password from the password management section of icglink.net.
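The handling described in this section (full record to the protected data file, e-mail without the card number, regular purging) is sketched below as an added example; it is not the Form or NetMerchant script. The field names, the JSON-lines file format and the retention period are assumptions, and the sample order in the demo is constructed.

```python
import json
import os
import tempfile
import time

# Hypothetical form field names; the page does not define them.
SENSITIVE_FIELDS = {"card_number", "card_expiry"}


def _open_private(path, flags):
    # Create the file readable and writable by its owner only.
    return os.open(path, os.O_WRONLY | os.O_CREAT | flags, 0o600)


def store_and_notify(form, data_file, now=None):
    """Append the full submission to data_file; return the e-mail body."""
    now = time.time() if now is None else now
    record = dict(form, received=now)
    with os.fdopen(_open_private(data_file, os.O_APPEND), "a") as fh:
        fh.write(json.dumps(record) + "\n")
    # The notification carries everything except the sensitive fields.
    safe = sorted((k, v) for k, v in form.items() if k not in SENSITIVE_FIELDS)
    return "\n".join(f"{k}: {v}" for k, v in safe)


def purge_old_records(data_file, max_age_days, now=None):
    """Drop records older than max_age_days; return how many were removed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    with open(data_file) as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    kept = [r for r in records if r["received"] >= cutoff]
    tmp = data_file + ".tmp"
    with os.fdopen(_open_private(tmp, os.O_TRUNC), "w") as fh:
        fh.writelines(json.dumps(r) + "\n" for r in kept)
    os.replace(tmp, data_file)  # swap in the purged file in one step
    return len(records) - len(kept)


if __name__ == "__main__":
    # Constructed sample order; the card number is a standard test value.
    order = {"name": "Test Buyer", "item": "widget",
             "card_number": "4111111111111111", "card_expiry": "12/30"}
    log = os.path.join(tempfile.mkdtemp(), "orders.log")
    print(store_and_notify(order, log))
    print(purge_old_records(log, max_age_days=30), "record(s) purged")
```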
5) Card Number Encryption
Our NetMerchant shopping cart automatically writes credit card numbers to log files in your www/data folder using an encryption algorithm. This means you cannot view credit card numbers by accessing and reading the log file directly from your browser. Instead, we have built a decryption tool to access the log file and display it for you. You will need your ICG Link Admin password to use the tool. If you have never set up an Admin password, please call Customer Service and we will set it up for you.
Decryption Tool: https://secure.icglink.com/cgi-bin/secure_logview.pl
You will also need the name of your NetMerchant log file to use the tool.
6) Web Site Requirements for a Merchant Account
A website must contain the following to be approved for a merchant account:
- Merchant DBA must appear prominently on the site. There should be a correlation between the DBA and the product.
- Customer service phone number must be clearly posted.
- Return/refund policy must be clearly posted.
- Delivery methods and timing must be clearly described.
- Privacy statement must be outlined.
- U.S. dollars currency.
- Product offered is clearly described.
- Page where credit card information is entered must be secure.
- Pharmaceuticals must be restricted to those who have a VIPPS certification stamp on their website.
- DBA site must be the same as the domain name.
If a website is being developed and the merchant needs a merchant number in order to complete the site, the following information can be included in the application package:
- A test site with all requirements listed above and the real URL; or
- Print copies of all the pages verifying that requirements will be met for conditional approval. Once the site is up the application will be approved if all conditions are met.