2 x IMPORTANT LEGAL NEWS for UK users (perhaps others)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
14 years ago
1)

In December 2009 - not sure exactly when, it will no longer be legal to collect (or store) credit card data online to process manually - i.e. offline using your physical card terminal. This will be a real blow to an awful lot of people who will now have to arrange payment gateways as well as continuing to pay for their card terminals - hats off to the banks for coming up with ever new and exciting legislation to make money from us.


2) This will be a cart design issue

From December 2009 (again, not sure exactly when) it will be a legal requirement to have a checkbox where customers MUST confirm 'they have read and accept terms and conditions' before they make a purchase. I think there is a particular place on the cart where this must appear, e.g. immediately before they confirm the order or before entering card details - not sure exactly which.

I will look into this more and try to confirm details ASAP


EDIT
for the checkbox, read this post :
https://www.nopcommerce.com/Boards/Topic.aspx?TopicID=2363#9037



EDIT
checkbox is configurable in v1.6
14 years ago
Any more info?
14 years ago
No, not yet. I am wanting to make sure I get definitive answers from a reliable source. Right now, the best I can find is from Streamline - they have a section on their website about trading on the internet. Obviously some of it will be their own standards rather than legal requirements, but a lot of it makes sense - there are several articles and PDFs which are interesting. This one is a good start ... though the relevant stuff starts on page 5 of it:

http://streamline.co.uk/support/kb/pdf/MOI_S15_SMS8885.pdf

And no, I am not trying to advertise the above company!! - as an alternative, if anybody wants, they can try trawling through

http://www.opsi.gov.uk

to help me find the relevant data to post.

I'll keep on it - but not tonight, it's way past my bedtime.
14 years ago
Yeah, I tried going through Google and searching it all, but it just seems to come to a blank :o(.
14 years ago
Hi

Just to let you know this is known as PCI DSS Compliance.

It is very important for online retailers and could land you in hot water.

You are able to collect card details for processing, but there are a range of procedures you need to cater for.

You can find more here: https://www.pcisecuritystandards.org/

Regards
14 years ago
Hmmn, being a UK civil servant working in the sensitive area of personal data and its protection, I can tell you that you've never really been able to store a person's card data and use it after the initial transaction, mail order or on-line.

But of course this is tosh because most people send stuff back in the mail order world and get a refund without the need for the company to go back and get your card details.

Then of course there are companies that will regularly debit your account without using a direct debit mandate (supposedly the only legal method), and they are keeping your card details somewhere?

What's also interesting from all this is that a key part of "distance selling" regulations in the UK, which the banks tend to stick to, is the principle of charging (i.e. processing) on-line (or otherwise) when you are not carrying the stock. Many banks will keep new merchants on a 30 day delay before crediting them to stop people being conned because of the serious concerns about this and the subsequent chargebacks. So strictly speaking if you ain't got it in stock you can't charge for it. So most mail order and e-com business should be charging only on the day of despatch which if they do (and the big ones generally do) is usually via a terminal of some sort either manual or on-line.

This is another good example of two sets of regulations (at least!) being in place or about to be in place and likely to contradict each other.

Hence UK civil servants feeling confident in having a "job for life" as they hop from one initiative to another until either all these decisions are sorted out - or, more likely, none of them are and they gather all the documents together and put them in the shredder! Great fun!
14 years ago
It appears to be OK to store the CC data as long as you use industry standard encryption such as AES 128 or above and have your procedures fully documented. I did this for a client using the .NET Rijndael class (AES 256) but for a different ecommerce package. I'm sure the same principle could be applied.
13 years ago
I heard something about it directly from the EU.
Anyway, it should be generally acceptable to ask the user to accept terms and conditions during the registration process and to show the relevant link during the checkout.

Giuseppe
13 years ago
My head hurts. Great fun for the civil servants perhaps but I'm not feeling it!
13 years ago
Just been thinking about this and general legal stuff in response to a client request.

Client (in UK) wants to offer customers the choice between shipping all items when in stock and shipping bit by bit as available, with the shipping charge adjusted if they choose separate consignments (presumably I'll have to code this myself).

The practicalities were concerning me (how do I know if the goods will come in when stated? how can I charge shipping based on a future unknown?) which led me to wondering about the legal issues:

Is the client allowed to collect payment upfront in this way? If he has to charge when shipped how can I implement this in NopCommerce and which payment provider is best? Then of course I wondered about point #1 written here.

NB: He's selling B2B, so I guess most consumer laws won't apply.

I'm an old hand at programming but a newbie to ecommerce so if anyone can shed any light on this it would be appreciated.