Electronic Commerce Indicator
Visa and MasterCard forbid Internet merchants from using software or equipment that does not support the Electronic Commerce Indicator. Electronic Commerce is when the cardholder’s information leaves possession of the cardholder and travels through an open connection, such as the Internet, to reach the merchant. In order to designate this type of transaction, the Electronic Commerce Indicator (ECI) must be included on the payment transaction message format to show that the transaction originated form an Internet source. This indicator is assigned in the point of sale product utilized by the merchant. Credit card information sent via email does constitute a transaction needing the ECI in the transaction to the processing bank.
Visa U.S.A. introduced a penalty structure effective June 1, 2000, for acquirers who fail to identify an electronic commerce transaction with the correct electronic commerce indicators. MasterCard International introduced a penalty structure effective August 1, 2000, for acquirers who fail to identify an electronic commerce transaction with the correct electronic commerce indicators.
If a merchant’s software sends an ECI (values of 5, 6, or 7) the transactions are noted as a secure ECI transaction and must be using a secure form of processing card data. These transactions are eligible for CPS rate programs. If the software sends up an ECI value of 8 or 9, the merchant is processing the card data in a non-secure format and the transaction cannot qualify better than EIRF (i.e. the highest rate you can pay for a transaction).
All terminal products that are certified to pass an ECI send a value of 8 because this is a non secure way of processing electronic commerce transactions. But there aren’t any credit card terminals currently supported to handle ECI. This means you must use special software or a gateway only. Visa and MasterCard employ 250 employees whose sole purpose is to find web merchants who violate this policy. Violating could result in fines, your account being terminated, and/or you being blacklisted for accepting credit cards.

September 2nd, 2024 at 11:57 am
I will love to tell my new merchants about this essential point when applying for a Merchant Account…
Love the article – give us more…
-Leonard J. Mills
- www.psbill.com
September 2nd, 2024 at 8:43 pm
Jim,
Any suggestions where can a merchant find ECI software to enable his website have ECI and be allowed my Visa/MasterCard…
-Leonard J. Mills
September 3rd, 2024 at 10:43 am
Leonard, all payment gateways like Authorize.net,ProcessUSA and Verisign are ECI compliant (as you would expect any payment gateway to be). As far as software goes there is not a whole lot to choose from as most are either not compliant or do not advertise that they are compliant. The only piece of software that I am reasonable sure is ECI compliant is IC Verify. I have heard that Some versions of PC Charge are compliant as well as PC Transact-It but I have been unable to confirm that as of yet.
September 4th, 2024 at 1:24 am
Thanks Jimy…
December 21st, 2024 at 2:27 pm
Leonard, There is a company that has a program for e commerce that is eci compliant and pci compliant check out transfirst.com or anyone who needs a billing management system that is completly compliant with Visa and MasterCard and all other card providers..
August 20th, 2010 at 5:07 pm
Don’t let your card processors extort you too!!
They’re telling everyone to change their platforms to be “PCI Compliant”, but the reality is many times, there is no requirement for them to be anything!! The following is from https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf:
PA-DSS Applicability to Hardware Terminals
Hardware terminals with resident payment applications (also called dumb POS terminals or standalone POS terminals) do not need to undergo a
PA-DSS review if all of the following are true:
 The terminal has no connections to any of the merchant’s systems or networks;
 The terminal connects only to the acquirer or processor;
 The payment application vendor provides secure remote 1) updates, 2) troubleshooting, 3) access and 4) maintenance; and
 The following are never stored after authorization: the full contents of any track from the magnetic stripe (that is on the back of a card, in a
chip, or elsewhere), card-validation code or value (three- or four-digit number printed on front or back of payment card), PIN or encrypted
PIN block. (end of excerpt)
In other words, the processing companies aren’t even aware that what they’re selling is bogus. And if they are, it’s just another way to increase billions of $$$ in extra profits.
We need to fight this nonsense NOW!!