Re: trouble convincing client of ecommerce security requirements

by "Lisa Bradshaw" <zibbler(at)>

 Date:  Tue, 5 Mar 2002 13:06:17 -0500
 To:  <hwg-techniques(at)>
 References:  assistance
  todo: View Thread, Original
Well, I know for myself that I won't order anything online if it is not
secure and they don't have a certificate. I imagine the majority of people
that shop online feel the same way. You could explain to your client that
they may lose a lot of potential sales because people won't feel secure
purchasing from an unsecured site.

If this doesn't work, and they insist on doing it that way, then I would
write up a contract absolving yourself from all responsibility or liability
that may occur, and that you warned them against it, and have them date and
sign it. That at least put's you in the clear, and the resposibility will
rest on your clients shoulders, not yours.

Lisa Bradshaw ,  Web Designer

Crescendo Web Design -
----- Original Message -----
From: "Missy Scott" <MBScott(at)>
To: <hwg-techniques(at)>
Sent: Tuesday, March 05, 2002 11:11 AM
Subject: trouble convincing client of ecommerce security requirements

> Morning all,
> Recently, I had a client, a non-profit org, contact me saying they had
> obtained a merchant account and would I put a form on their site to
> credit card transactions for donations, etc.  They would then e-mail this
> information to their admin.  I wrote them back and explained shopping cart
> systems and the need for a SSL and a certificate as well as the need to
> build a product catalog (they do have a couple of books and information
> resources that they sell).  I didn't hear from them for a couple of days,
> which is unusual.  Then I got this:
> <.snip>
> Missy, I contacted someone from the State Employees Federal Credit Union,
> where we keep the foundation's money, who maintain credit card
> through SEFCU on-line, and this is what he said:
> Bottom line: Visa, MasterCard, Discover and Amex DO NOT require a merchant
> to have a
> secure server, back end database, etc.
> To date not a single credit card number has been documented as stolen
> through
> the- e-mail process. However, servers which store databases have been
> attacked/hacked and broken into.
> Whether the Foundation pays $2,500 for all the security systems or not the
> consumer has zero liability for fraud when using their credit card on the
> internet. The foundation is only liable for the amount of charges they
> accept
> and process.
> This is a battle that has been waged between web-site designers and
> processors for some time now.
> The process that you proposed (capturing credit card info on your site and
> forwarding each transaction to a processor)
>  is as secure as giving your credit card over the
> phone. The merchant is the liable party and the consumer is always 100
> percent protected..
> I am sending this to clarify what Visa and MasterCard requirements are.
> <./snip>
> I am aware that the company providing the merchant service doesn't care if
> the server is secure or not.  I can't imagine just slapping up a form to
> take credit card orders and not having this blow up in my face.  I've done
> bit of research, but really haven't found anything yet that would convince
> them.   I don't want the liability and I really don't want them to have
> liability.
> Any thoughts on this?  Any experiences with ecommerce that wasn't secure?
> Thanks much,
> MIssy

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA