
We are planning to use the hosted checkout page - does it minimize our liability and security measures? In the event of hacking of our website or poor security of the website, does it affect the customer's credit card information?

If there is a fraud case, is it our liability or the hosted payment gateway's liability? I read that you need a lot of security to use the non-hosted payment gateway.

  • In several places (as in, jurisdictions) you need to pass PCI-DSS to be allowed to host your own payment gateway (assuming that you are accepting payments with credit/debit cards). – grochmal Oct 05 '16 at 03:09
  • Actually, we are going to use the local bank's payment gateway, therefore if fraud happens, who holds the liability? And in case someone hacked our website, is the customer's credit card information compromised? – anandmongol Oct 05 '16 at 03:38

1 Answer

Not a lawyer, this is not legal advice.

This is a contractual issue, more than anything else. However, a principal reason for using hosted payment providers is that they handle all the sensitive payment information, not you. If it is well built, you should never even see that payment information (most redirect completely to the other site and then redirect back to you, so that they can be as assured as possible that it is under their own control - they prevent frame embedding and so forth). If the payment processor allows you to build the form, including the CC data, and call their backend, you will likely have more liability (because you have that access - you could do something dumb like logging the data before sending it to the processor. Never do this).

If there is a compromise, you will likely be informed by your payment provider and be the one who contacts your customers, because you are the one they have a relationship with. Even this may not be true, however.

If you want to minimize liability, do everything payment related on their site - you should only be informed that the payment was made, not of any payment details. Get your contract read by a lawyer, make sure it spells out liability issues and your responsibilities, and make sure that is acceptable to you.

crovers
    This is good advice, but I would add that even if you can legally blame someone else in the event of a breach, you still have your own reputation to deal with (i.e. press releases with wording like "anybody who purchased xyz from anandmogul had their information stolen" regardless of who caused it). Be careful who you outsource to. – Ivan Oct 05 '16 at 14:40
  • @Johnny - I think that most of the answer focuses on the fact that it is wiser to not store or even see the data; in that scenario it is not only liability but cause that is on the processor. In the second case (accessing a processor API and writing the forms yourself) I would find it pretty hard for a processor to accept liability, for the exact reason in your comment: reputation (but of the processor, not of the website where the products are displayed). – grochmal Oct 05 '16 at 20:41
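As an added illustration of the flow crovers describes (example code written for this page, not from the original post or from any real gateway): the merchant side of a hosted checkout, where the only data that leaves the shop is the order id, amount and currency, and the only thing that comes back is a signed "paid/failed" notification. The gateway URL, the shared secret, the field names and the `gateway_callback` stand-in are all assumptions for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Shared secret agreed with the (hypothetical) gateway; constructed sample value.
MERCHANT_SECRET = b"constructed-demo-secret-do-not-use"

# A hosted-checkout notification must never carry card data. If the gateway
# ever sends these fields, refuse the message rather than store or log it.
CARD_FIELDS = {"pan", "card_number", "cvv", "cvc", "expiry"}


def _sign(fields):
    """HMAC over the canonical key=value form of every field except 'sig'."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(MERCHANT_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_redirect(gateway_url, order_id, amount_cents, currency, return_url):
    """URL the shopper is sent to. Only order data is included, never card data."""
    params = {"order_id": order_id, "amount": str(amount_cents),
              "currency": currency, "return_url": return_url}
    params["sig"] = _sign(params)
    return f"{gateway_url}?{urlencode(params)}"


def gateway_callback(order_id, amount_cents, currency, status):
    """Constructed stand-in for the gateway's server-to-server result notification."""
    fields = {"order_id": order_id, "amount": str(amount_cents),
              "currency": currency, "status": status}
    fields["sig"] = _sign(fields)
    return fields


def verify_callback(payload, expected_order):
    """Validate a result notification against the order we created. Returns (ok, reason)."""
    if CARD_FIELDS & set(payload):
        return False, "callback carries card data; refuse and escalate"
    if not hmac.compare_digest(payload.get("sig", ""), _sign(payload)):
        return False, "bad signature"
    if payload.get("order_id") != expected_order["order_id"]:
        return False, "order id mismatch"
    if (payload.get("amount") != str(expected_order["amount_cents"])
            or payload.get("currency") != expected_order["currency"]):
        return False, "amount/currency mismatch"
    if payload.get("status") != "paid":
        return False, f"status {payload.get('status')}"
    return True, "paid"
```

The amount check matters because the signature only proves the gateway sent the message, not that it refers to the order and price the merchant actually created.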