osCommerce
How to Take Credit Cards Manually


Guest


Hi there, I run an online store and a physical store too, which means at the moment I am using Worldpay and another merchant account for the proper shop.

 

Is there a way that I can just process the website cards on my Streamline machine in-store so I can get rid of my Worldpay account, or do I really have to pay twice for the same service?


If you use the credit card module that comes with osCommerce you can manually enter your orders. It sends half the cc# to the admin area, the other half to whatever email you have set up.

Wendy James

 

Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.


I also want to do this... is there any way that the card details can be captured in osC and then, when we go to the admin panel, we can see the details and input the card details into our in-store card machine?

thanks

Angelo

help!!!!!!!


Well- I guess the real question is this, then:

 

I am setting up a website for a customer who is planning to use their in-store credit card machine for web orders. When orders go through, they will receive an e-mail with the order and somehow receive the credit card information.

 

This customer will NOT have access to the ADMIN area of OSCommerce, as they are not comfortable/familiar with things like this, and I don't want them poking around and messing up their product listings or other things. They will be sending me updated products when they need them, but obviously I don't need to be involved in the receiving/processing orders part.

 

Does that make sense?


I want to be able to capture all the credit card info and hold it in some sort of SSL page so I can then retrieve it at a later date and put it through the credit card machine in the shop. Is there any way of doing this?

 

So a couple of boxes asking for the credit card number etc. (SSL of course), and then I can manually put them through the machine in the shop?

thanks

Angelo

help!!!!!!!


  • 2 years later...

Being able to capture all needed card details using ssl makes sense. I see little point in having a Streamline Merchant account and having to shell out a further £240 a year to a middleman to serve essentially the same function. Help please!


Well, the £240 a year you'd spend on a payment gateway is much less than the fine of up to $500,000 per incident that Visa and MasterCard would levy if they discover that you're processing cards in breach of your merchant agreement, especially if it's related to card theft stemming from emailing yourself credit card numbers.

 

The potential additional cost of being permanently barred from ever processing Visa or MasterCard again should also be added in.

 

Right about now £240 a year doesn't sound so bad. Visa/MC have removed any incentive of manually processing credit card numbers from online orders.

Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.



Have you checked the PCI DSS site? https://www.pcisecuritystandards.org/

I haven't yet come across anything about Visa's ability to levy $500,000 fines, but it does offer excellent advice to merchants as to what's required to conform to current industry standards re credit card data protection.


Read your merchant agreement. You signed a contract agreeing that you would follow the PCI's card handling security procedures or gladly accept large monetary fines. $500,000 is the maximum per-incident (per stolen card) fine that they will levy against the merchant. Maybe you'll get off light and only have to pay $5,000 a month until you are compliant.

 

An example of a $500,000 fine: http://www.security.ithub.com/article/VISA...h/218242_1.aspx

 

osCommerce with a heavy load of unmodified contributions installed is not a secure application to be storing or emailing credit card information. Don't think it would ever happen to you?

  • If you're using the latest version of the Header Tags controller and you're storing credit card numbers in your database, anyone can output a list of your customers' data by adding a SQL query to a specific URL parameter.
  • Use Fast Easy Checkout? In less than 2 minutes you could be compromised.

I know this because I do a security check on all contributions that I install in my clients' stores. Even if you don't store the credit card numbers, the store owner's email address can be altered so that all card numbers are funneled to an attacker's email box.

 

As soon as the stolen cards are traced back to your store, which is just a matter of finding the merchant where all cards were used, guess what happens. There are times when as a small business owner that you should cut corners to save money, but this is not one of them.

 

I make this point not to be the PCI's guard dog, but instead to convince merchants to stop being irresponsible with their clients' private financial data. You wouldn't accept stores where you shop being irresponsible with yours.



I think we may well be singing from the same hymn sheet. We must do all in our power, i.e. comply fully with PCI DSS requirements. For most of us, the "Level 4" criteria (merchants with fewer than 20,000 transactions) would apply:

i.e.: annual Self-Assessment Questionnaire; quarterly scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria). There is usually no need to report compliance, but you must nevertheless achieve and maintain compliance.

I have not read my merchant agreement in a very long time. It dealt with a manual swipe machine and required me to keep copies of all the cards I dealt with for a lifetime in case of any questions. Must dig it out if I can find it.

I really don't think too many of us with oscommerce sites will be in the same league as TJX's "29 million MasterCard victims and 65 million Visa victims " By the way, they still accept Visa & Mastercard.


This is a very informative thread!

 

I'm just setting up osCommerce, to add online functionality to a web site we have had since 1995 (I designed and update it). We make our entire income through the site. Customers now expect to be able to order online, instead of having necessarily to phone or fax us with their credit card info.

 

All the same, I was intending to harvest the order info from the server somehow (we don't get that many orders in a day) and simply key it into the telephone system we use to send our VISA/MC sales to the bank. This thread has made crystal clear to me that I must not consider doing this by email (I must admit I had my doubts and I hope that I would have come to the same conclusion myself).

 

Before I do the explorations, is there anyone with a quick answer to how one might locate such information on the server, and then delete it after writing it down? Thanks!

Edited by WoodsWalker

Update: I figured out how to access the stored CC#s in the database (so far just a "dummy" # that I made up for testing purposes). I see that osC's Credit Card module allows me to enact a storage procedure whereby 8 digits of the CC# are stored on the server, while the other 8 digits are emailed to me along with the order info. This suits me fine, but I don't know if it would be strictly PCI-compliant. The deciding factor would seem to be whether the whole CC# is ever stored, even for an instant, on the server. If the answer is yes, then this would be considered a security breach, especially as the server is shared.

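On the storage question in the post above, the relevant PCI DSS rule is that a merchant may keep a truncated PAN in the clear only if it is cut down to at most the first six and last four digits; anything longer must be protected as full cardholder data. The Python below is an added example, not code from the thread, from osCommerce or from its credit card module. It contrasts the "8 digits in the database, 8 digits in the email" split with PCI-style truncation and shows that the two halves of the split reassemble into a checksum-valid card number. The sample number is a constructed, widely used test value, and all function names are my own.

```python
from __future__ import annotations
import re

# Constructed input: a well-known test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"


def _digits(pan: str) -> str:
    """Strip spaces, dashes and anything else that is not a digit."""
    return re.sub(r"\D", "", pan)


def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum that every PAN satisfies; rejects typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(_digits(pan))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only what PCI DSS truncation permits: first six and last four digits."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def split_halves(pan: str) -> tuple[str, str]:
    """The 'half in the database, half in the email' scheme discussed in the thread."""
    digits = _digits(pan)
    mid = len(digits) // 2
    return digits[:mid], digits[mid:]


def pan_recoverable(fragments) -> bool:
    """True if the fragments together contain a full, checksum-valid PAN:
    whoever obtains all of them (server and mailbox) has the card."""
    joined = _digits("".join(fragments))
    return 13 <= len(joined) <= 19 and luhn_ok(joined)


if __name__ == "__main__":
    print(truncate_pan(SAMPLE_PAN))                     # 411111******1111
    halves = split_halves(SAMPLE_PAN)
    print(halves, pan_recoverable(halves))              # ('41111111', '11111111') True
    print(pan_recoverable([truncate_pan(SAMPLE_PAN)]))  # False
```

The truncated form is the most that may sit in the database or an order e-mail without encryption; the split form is simply the full PAN in two places, so both the shared server and the mailbox are in scope for the PCI requirements the later posts describe.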

If the answer is yes, then this would be considered a security breach, especially as the server is shared.

 

To exploit your server, the first thing an attacker would attempt is a SQL injection attack (many of the most popular contributions are vulnerable to this type of attack). A SQL injection attack would allow them access to your database and give them the ability to read, modify, and delete whatever they would like. Using the same method, the store owner's email address could be updated to an attacker's throwaway email account.

 

How many days of no order notifications would it take before you'd look in your Configuration settings to see that the email address has been changed?

 

This is what happened to a lady who contacted me about a year ago asking why none of the order emails were getting sent to her email account. The problem was exactly what I described above.


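The attack chain in the post above (an injectable URL parameter, then the store owner's notification address rewritten so order mail silently goes elsewhere) and the check it implies are modelled below in Python against an in-memory SQLite copy of two tables. This is an added example, not osCommerce code or a reproduction of any specific contribution: the table layout, the column and key names (`configuration`, `STORE_OWNER_EMAIL_ADDRESS`, `products`), the `save_setting_unsafe` code path and all data are assumed or constructed for illustration. A real store runs PHP against MySQL, where the same string-concatenation pattern has the same effect (MySQL would use CONCAT() where SQLite uses ||).

```python
import sqlite3

# Constructed values: the address the merchant expects order mail to reach.
EXPECTED_OWNER_EMAIL = "orders@example-store.test"
OWNER_EMAIL_KEY = "STORE_OWNER_EMAIL_ADDRESS"   # assumed configuration key name


def make_store_db():
    """Build a constructed, in-memory stand-in for a store database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE configuration "
               "(configuration_key TEXT PRIMARY KEY, configuration_value TEXT)")
    db.execute("INSERT INTO configuration VALUES (?, ?)",
               (OWNER_EMAIL_KEY, EXPECTED_OWNER_EMAIL))
    db.execute("CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Widget"), (2, "Gadget")])
    db.commit()
    return db


def product_name_unsafe(db, products_id):
    """Vulnerable: the URL parameter is pasted straight into the SQL text."""
    sql = "SELECT products_name FROM products WHERE products_id = " + products_id
    return [row[0] for row in db.execute(sql)]


def product_name_safe(db, products_id):
    """Fixed: validate the type and bind the value; no SQL is built from input."""
    try:
        pid = int(products_id)
    except ValueError:
        return []
    rows = db.execute("SELECT products_name FROM products WHERE products_id = ?", (pid,))
    return [row[0] for row in rows]


def save_setting_unsafe(db, key, value):
    """Hypothetical contribution code path that writes a setting with concatenated SQL."""
    sql = ("UPDATE configuration SET configuration_value = '" + value
           + "' WHERE configuration_key = '" + key + "'")
    db.execute(sql)
    db.commit()


def save_setting_safe(db, key, value):
    """Same write with bound parameters: the WHERE clause cannot be widened by the caller."""
    db.execute("UPDATE configuration SET configuration_value = ? WHERE configuration_key = ?",
               (value, key))
    db.commit()


def owner_email_drift(db, expected=EXPECTED_OWNER_EMAIL):
    """Integrity check a daily cron job could run: returns None while the configured
    order address matches the expected one, otherwise the unexpected value."""
    row = db.execute("SELECT configuration_value FROM configuration WHERE configuration_key = ?",
                     (OWNER_EMAIL_KEY,)).fetchone()
    current = row[0] if row else None
    return None if current == expected else current


# Constructed attacker inputs (what would arrive in a URL or form field).
UNION_READ = "0 UNION SELECT configuration_key || '=' || configuration_value FROM configuration"
WHERE_WIDENING = "ANY_KEY' OR configuration_key = '" + OWNER_EMAIL_KEY


if __name__ == "__main__":
    db = make_store_db()
    print(product_name_unsafe(db, UNION_READ))   # leaks the configuration table
    print(product_name_safe(db, UNION_READ))     # []
    save_setting_unsafe(db, WHERE_WIDENING, "attacker@throwaway.test")
    print(owner_email_drift(db))                 # attacker@throwaway.test
```

The UNION read is the "output a list of your customers' data by adding a SQL query to a URL parameter" case; the widened WHERE clause is the e-mail rewrite. `owner_email_drift` answers the "how many days" question: compare the stored address against a value kept outside the database and alert on the first mismatch rather than waiting for the orders to stop.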


Great advice, Brian, and chilling possibilities. I am at a loss, though, and can't figure out a solution based on what I'm reading. On one thread I read that as long as you don't include the CVV etc. info, it's secure. But I'm not convinced. I've read through the compliance sites, but can't find any information on storing the numbers on a server with private SSL.

 

My client is deadset against paying a gateway. She's also heard from another business that "they get their orders emailed to them with the credit card numbers". I have been unable to convince her of the necessity of a secure gateway.

 

In your opinion, are there any safe (and compliant) methods of allowing her to process manually?

 

Thanks!


Authorize.net offers a new service that allows you to store customer payment information on their servers. You're able to recharge a customer's card by passing a key that is tied to a specific customer's payment information. All compliance is handled by Authorize.net.

 

I don't have any advice to give you as to convincing her aside from creating a nice spreadsheet outlining the costs of securing her server to store credit card data. It will cost at least $200 a month for the two dedicated servers required to store credit card data, and if she's not willing to spend an extra $20 a month for a payment gateway, she has no interest in keeping her customers' private data secure and nothing you can say will change her mind.

 

People who take unnecessary risks like that and show no respect for their customers' private data shouldn't be running a business.




I agree, and as much as I hate to run off a client, I'm not willing to participate in building her a solution that does not protect her customers.

 

Do you know anything about outside payment systems, like Mal's ecommerce? Specifically, can you integrate that type of solution into oscommerce? I believe it's a paypal type system where you generate buy now buttons for your products (and the cc#s are stored on their secure servers for retrieval), but I want her to be able to manage her products through an admin panel instead. It's my last idea... thought I'd see if you'd heard of it or anything similar.

 

Thanks for all you contribute!

