Web Hosting Forum | Lunarpages


Author Topic: Do I really need an online merchant gateway? Can I do it offline?  (Read 957 times)
vino_ny
« on: October 05, 2006, 10:48:55 AM »

I'm planning an ecommerce site for a client using osCommerce on LP. The client has been in business for 15 years selling computer/electronics. He has even had an unused PayPal merchant account for a long time.
I'm to propose a payment-processing solution to him shortly - like PayPal, authorize.net etc.
But I personally think I should install/set up online payment processing/gateway after a while - that is, after running the live store for a couple of months and the staff getting acquainted with osCommerce admin/catalog management/order fulfilment etc.

My question is:
The osCommerce package comes with a built-in Credit Card payment module. It even does some basic verification of the card number entered. osCommerce then stores the card details along with the order details in the table. Can I ask my client, who is already a merchant, to use this card information and charge the customer offline for a couple of months till we figure out the volume and sales trends? It is like him taking a telephone order from the customer, getting the card number over the phone and charging it using his equipment/terminal at his premises. Is it a workable solution? Any problems?
(From the osCommerce security point of view, if needed, it can be configured to store half of the card number in the database and send the remaining half to a designated email address.)
Thanks in advance.
Vino
Vino_NY
tarheit
« Reply #1 on: October 06, 2006, 05:05:11 AM »

You sure can do that.  Currently I basically do the same thing.  I use PayPal as a credit card processor (their virtual terminal) mainly because I haven't had a chance to set up PayPal Pro, and when I first installed osCommerce they didn't have a module yet for it.

It does take a little bit longer to manually enter the info into virtual terminal (or on your credit card machine), but it does work fine.  One thing to watch...  For security reasons you should remove the credit card info from the database once you ring it through (except for perhaps the last 4 digits and the card type so you can identify which card was used).  Otherwise if you use SSL there shouldn't be a security issue.

I have seen some people use email to send part of the info (with the rest of the info in the database), but I don't know if it really increases security any since e-mail really isn't secure itself.

-Tim
MrPhil
« Reply #2 on: October 06, 2006, 06:00:40 PM »

(I appended this earlier today, during a time sliver when the Galaxy server (which hosts Lunarforums) was being relocated to new hardware. My append, and a number of others, was lost, so I'm retyping it here. I'm a bit disappointed that LP isn't able to log and preserve posts during a server move, so absolutely nothing gets lost. If they can't, the least they can do is to shut down Lunarforums during the move so people's time isn't wasted typing in appends which will disappear.)

Vino,

I see no reason that you couldn't process credit card (CC) information offline, but I do have a few caveats:

1. Make absolutely clear to customers that you're processing offline, so that approval of a transaction may be revoked later (it's contingent on later approval by the issuing CC company). Explain somewhere your privacy policy and how it protects customer CC and other personal information. People have come to expect that CC approval is instantaneous and irrevocable, and may go ballistic on being told that their purchase is approved and then later that it's disapproved. They'll also worry about the security of their personal data.

2. Absolutely no keeping CC information beyond the time the transaction is complete and you've received approval from the CC issuer. It's unethical and in some cases illegal to hoard customer data without explicit customer permission. It is possible to save customer CC information in your site database or even in a cookie on their PC, to reduce the burden on them during a return visit, but make sure it's encrypted and you have their explicit opt-in permission to do so!

3. Encrypt, encrypt, encrypt. If you store CC information on your site, pending batch processing of transactions, encrypt your data. If you email to your local PC for processing, encrypt the email in some way so snoopers can't get at it. Customers are funny -- they tend not to accept excuses about why their personal data got into the wrong hands.

4. I'd be concerned about introducing a 4th party (the merchant who will do the processing for you) into the mix. At the least, you'll need them to sign a legal contract specifying how they'll protect customer data (CC information). Even then, if they lose or misuse this data, you're probably still on the hook for damages. I'd talk to a lawyer about this one.

Phil
-= From the ashes shall rise a sooty tern =-
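
The scrub-after-charge step from Reply #1 (keep only the last 4 digits and the card type) and caveat 2 of Reply #2, as an added example that is not part of any post in this thread and is not osCommerce code. The table layout, the `cc_*` and `charged` column names, the function names and the two card numbers are constructed for illustration; SQLite stands in for the store's database.

```python
import sqlite3

# Constructed schema for the example. The cc_* column names are assumptions,
# not taken from the thread or checked against an osCommerce install.
SCHEMA = """CREATE TABLE orders (
    orders_id INTEGER PRIMARY KEY, cc_type TEXT, cc_owner TEXT,
    cc_number TEXT, cc_expires TEXT, charged INTEGER NOT NULL DEFAULT 0)"""

def demo_db():
    """In-memory database with two constructed orders (test card numbers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO orders (orders_id, cc_type, cc_owner, cc_number, cc_expires)"
        " VALUES (?, ?, ?, ?, ?)",
        [(1, "Visa", "A. Customer", "4111111111111111", "1208"),
         (2, "MasterCard", "B. Customer", "5500 0000 0000 0004", "0109")])
    conn.commit()
    return conn

def mask_pan(pan):
    """Replace every digit except the last four with 'X'; drop separators."""
    digits = [ch for ch in pan if ch.isdigit()]
    keep = 4 if len(digits) > 4 else 0
    return "X" * (len(digits) - keep) + "".join(digits[len(digits) - keep:])

def mark_charged_and_scrub(conn, orders_id):
    """Flag the order as charged offline and scrub card data in one transaction."""
    with conn:  # commits on success, rolls back on error
        row = conn.execute("SELECT cc_number FROM orders WHERE orders_id = ?",
                           (orders_id,)).fetchone()
        if row is None:
            raise KeyError(f"no such order: {orders_id}")
        conn.execute(
            "UPDATE orders SET cc_number = ?, cc_owner = '', cc_expires = '',"
            " charged = 1 WHERE orders_id = ?", (mask_pan(row[0]), orders_id))

def find_unscrubbed(conn):
    """Audit: ids of charged orders that still hold more than four card digits."""
    rows = conn.execute(
        "SELECT orders_id, cc_number FROM orders WHERE charged = 1 ORDER BY orders_id")
    return [oid for oid, num in rows
            if sum(c.isdigit() for c in (num or "")) > 4]
```

Scrubbing the live row does not touch database backups or any part of the number that was sent by email; those copies need their own retention handling.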
philvis
« Reply #3 on: October 06, 2006, 06:02:33 PM »

In addition to hiring a good attorney, I'd buy liability insurance.
usasportstraining
« Reply #4 on: October 19, 2006, 08:04:55 AM »

I have two responses:

1)  There are a couple options to not going with a gateway/ecommerce processing service.

Paypal
Google Checkout (new as of July)

2)   Personally, I'd suggest looking at various alternatives for an ecommerce solution.  I used osCommerce and found it to be very difficult to maintain with all the modifications. 


www.usasportstraining.com