
If you don't store CC numbers -- i.e. you use your gateway to store that information -- does it make the merchant account application process any easier?


Both yes and no.

In my experience, the bank will trust you if you say that you've implemented a secure, PCI-DSS way to store credit card details. They'll also trust you if you say that you store the numbers on the gateway.

The important thing is to convey that you're aware of the issues, and you've dealt with them.

There is a liability issue with storing card numbers on your own servers, which, iirc, is that if you are breached, the numbers are stolen, and you are subsequently investigated and found not to be in compliance with PCI-DSS, you could lose your merchant account.


Yeah, well if you're not compliant with PCI-DSS then I wouldn't have too much sympathy if that occurred! The rules are not onerous or arbitrary, in fact PCI-DSS reads like Chapter 1 of "Information Security for Dummies".

There's a pretty good summary on the wikipedia page but it basically comes down to maintaining competent system/network security, not storing auth data like CVV2 and never displaying full card numbers, restricting access to the card numbers to those who need it and traceably logging it when they do, writing up a "policy" document which consists of stuff like "employees shall not disclose their passwords" etc, and committing to test (and log that you've tested) the whole setup every month or so. No big deal.

Most of it is kind of obvious. A decent operation is going to be doing most or all of that stuff as a matter of course. It's just kind of a checklist really, formalising what you already know to be good practice. Nothing to be afraid of.
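The three concrete controls in that list (never display a full PAN, never persist CVV2, log who looked at card data) are easy to get wrong in practice, so here is an added example of what they look like in code. This is not code from the thread or from any gateway; `CardVault`, its method names, the audit-log shape and the test card number are all illustrative assumptions. The vault keeps only a token, a masked PAN and a keyed fingerprint, on the understanding that the full number lives at the gateway, and the log redactor scrubs any Luhn-valid card-like run from free text before it reaches a log file.

```python
"""Added example (not from the original thread): PCI-DSS style PAN handling.
Shows masking for display, refusal to persist CVV2/track data, and an access
audit trail. All names and the sample data are illustrative."""
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check over the digits of a 12..19 digit PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Mask a PAN for display. PCI-DSS allows at most the first six (BIN)
    and last four digits to be shown; by default only the last four are."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    head = digits[:6] if show_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


# Candidate card-number runs: 13..19 digits, optionally separated by spaces/dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_log_line(line: str) -> str:
    """Replace Luhn-valid card-like runs with their masked form before logging.
    Runs that fail Luhn (order numbers, timestamps) are left alone to limit
    false positives; a stricter deployment could mask every candidate."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


class CardVault:
    """Toy stand-in for the merchant-side record of a stored card (assumed design,
    not a real tokenization service). Never writes the full PAN: only a random
    token, the masked PAN and an HMAC fingerprint for duplicate detection."""

    # Sensitive authentication data that must never be stored after authorisation.
    FORBIDDEN_FIELDS = ("cvv", "cvv2", "cvc", "pin", "track", "track1", "track2")

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._records: dict[str, dict] = {}
        self.audit_log: list[dict] = []

    def store(self, pan: str, **extra) -> str:
        for field in extra:
            if field.lower() in self.FORBIDDEN_FIELDS:
                raise ValueError(f"refusing to persist sensitive auth data: {field}")
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("PAN fails Luhn check")
        token = secrets.token_urlsafe(16)
        self._records[token] = {
            "masked": mask_pan(digits),
            "fingerprint": hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest(),
            **extra,
        }
        return token

    def retrieve_masked(self, token: str, actor: str) -> str:
        """Every read of card data is attributed to an actor and logged."""
        record = self._records[token]
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "token": token,
            "action": "view_masked_pan",
        })
        return record["masked"]


def rejects_sensitive_data(vault: CardVault, pan: str, **extra) -> bool:
    """True if the vault refuses to store the given record."""
    try:
        vault.store(pan, **extra)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    vault = CardVault(fingerprint_key=secrets.token_bytes(32))
    tok = vault.store("4111 1111 1111 1111", expiry="12/29")   # constructed test PAN
    print(vault.retrieve_masked(tok, actor="alice"))
    print(redact_log_line("auth failed for card 4111 1111 1111 1111, order 1234567890123456"))
    print(vault.audit_log)
```

The fingerprint key must be a secret held outside the database, otherwise an attacker with the table can brute-force PANs against the fingerprints; that is the usual trade-off of keeping any card-derived value at all.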


..additionally to losing your merchant account, you may also pay a heavy fine to Visa and Mastercard from what I've read

I've been looking at those things lately since I'm working on an ecommerce platform and it will be my server dealing with the gateways of my customers (who sell on my platform)... It's rather complicated..


An easy way around having to get an SSL certificate and the problems of storing CC data is to apply to someone like Paypal or Moneybookers for their merchant facilities. These are not normal Paypal or Moneybookers gateways but Merchant gateways; they will handle the transactions in a secure iFrame and handle all the security, fraud and data storage issues you would otherwise encounter. Also note that the rates will be significantly lower than other payment gateways (unless of course you are able to get hold of a typical bank merchant account)


An SSL cert starts at like $13 a year, if you can't afford that you shouldn't have a merchant account. There's no need to store credit card information on your server, if you really need it the gateways provide the functionality.



