davea0511 Posted July 19, 2004

I'm a newbie - got my store working great, but I want to allow the customer to have their credit card information pop up when they return. I looked through all the user contributions and I could NOT find a hack that does this. Can someone steer me in the right direction?

Thanks,
Dave
www.sleepwavelaboratories.com

ps- I want to do this because I'm a manufacturer of products that I want to drop ship for other merchants. That means they need a quick way to order stuff for their customers without having to enter their CC info every time.
davea0511 (Author) Posted July 21, 2004

Any help here? Seems like this could be done securely using cookies - anyone? Anyone? Bueller?
haphazardlynamed Posted July 21, 2004

cookies probably aren't a good place to store long term user info

customers already have accounts right?
why not just modify the customer database tables to also include credit card info?
then modify the shopping cart, so that on the page where they normally enter provide a number, it does a check to see if you already know it or not and fill in a default number

although, there might be legal or liability issues with this
suppose someone ever hacks into your server, that would be a lot of credit card info lying around
haphazardlynamed Posted July 21, 2004

*looks at the default tables*

hmmh
actually, it looks like Orders already have credit card info in them, so i guess it's an ok precedent to be storing them

how about when a customer makes a new order, you search for their most recent previous order, then just use that info?
AJRYAN Posted July 21, 2004

I would suggest that you make absolutely certain that

1. Your security is top notch
2. You are on a dedicated server - shared hosting is not a good idea for this
3. Be sure the data is encrypted

I think the credit card companies already have guidelines for you to follow/consider. Legally, for your protection (and your customers'), you'll want to take every precaution possible.

I'm not a security expert or server administrator (which is why I won't do this myself and don't have any answers for you), just these recommendations if you want to cover your butt. This will cost you a bit more money but will be worth it if you want to avoid potential problems.

Art
davea0511 (Author) Posted July 25, 2004

> it looks like Orders already have credit card info in them

Yeah, but they're all empty. It looks like OSC only uses the fields as temporary storage? I do have to wonder about the legalities of storing that info. My payment gateway won't even divulge the actual numbers to me.

Also, the risk of storing it seems so scary - I think even though cookies get destroyed, it may be the best solution in the near term. Any suggestions how I might do that? You're speaking to a newbie here.
davea0511 (Author) Posted July 25, 2004

Thought more about cookies... they're even a scarier possibility. At least if I store the info on our server I can make it as secure as possible. If I store it on their computer who knows how vulnerable it is? But if I encrypt it then someone has to break into my server and their computer... that might just do the trick. Or is it all just a bad idea?
stevel Posted July 25, 2004

It depends on how you process CC info. If you are using the default cc module, then the CC info is indeed stored "permanently" in with the order. (I use a contrib that allows me to delete the info after the order is processed.) If you are using a payment gateway, then you would not have this info in the order.

You can create new account fields and copy the data there (and retrieve it), but I would be rather nervous about doing so unless you're using good encryption. Obviously, the "big boys" (Amazon, etc.) do this all the time. But they have more sophisticated tools available and in fact don't tend to store the actual CC info in an Internet-accessible system.

I can think of various ways to accomplish this, including a "use credit card on file" option where you keep track of the CC info offline, but I imagine you would want to automate things as much as possible. You can encrypt the info, but to be able to have it used automatically means that your store has to decrypt it too, meaning that the key is in your script. Not the best thing in the world...

I don't see a really good way to do this all within osCommerce. If you had separate "back end" transaction processing systems isolated from the net, you could do it....

Steve

Contributions: Country-State Selector, Login Page a la Amazon, Protection of Configuration, Updated spiders.txt, Embed Links with SID in Description
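Added example, not part of the thread and not osCommerce code: one way to get the separation stevel describes is to deploy only an RSA public key on the web store, so the store can seal a card number but cannot read it back, while the private key stays on the isolated back end. The function names, the `cc_last4` and `cc_sealed` field names and the sample card number are assumptions made up for this example.

```php
<?php
// Added example: all names here are hypothetical, not osCommerce functions.

// Web store side: only the PUBLIC key is deployed on this machine.
function seal_card_for_backend(string $pan, string $publicKeyPem): array
{
    $pan = preg_replace('/\D/', '', $pan);          // strip spaces and dashes
    if (strlen($pan) < 12 || strlen($pan) > 19) {
        throw new InvalidArgumentException('unexpected card number length');
    }
    // OAEP padding is randomized, so equal numbers give different ciphertexts.
    if (!openssl_public_encrypt($pan, $cipher, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'cc_last4'  => substr($pan, -4),            // enough to show "card ending in 1111"
        'cc_sealed' => base64_encode($cipher),      // opaque to the web server
    ];
}

// Back-end side: runs on the isolated system that holds the PRIVATE key.
function open_card_on_backend(string $sealedB64, string $privateKeyPem): string
{
    $cipher = base64_decode($sealedB64, true);
    if ($cipher === false ||
        !openssl_private_decrypt($cipher, $pan, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $pan;
}

// Demo with a throwaway key pair generated in place. In a real split the
// private key is created on the back end and never copied to the store.
$pair = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$row = seal_card_for_backend('4111 1111 1111 1111', $publicPem); // constructed test number
echo "stored for customer: card ending in {$row['cc_last4']}\n";
echo "back end recovers:   " . open_card_on_backend($row['cc_sealed'], $privatePem) . "\n";
```

With this split, a dump of the store's database and scripts yields the last four digits and ciphertext only; charging the card on file has to be requested from the back end.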
haphazardlynamed Posted July 26, 2004

how about 'security through obscurity'

just invent some wacky way of storing the CC info, like maybe half the number in the customer table, half in another table named 'monkeys' and maybe a few random digits in cookies

then even though you have absolutely no encryption, no one is going to bother trying to steal the info, cause it's too much of a pain to figure out your weird scheme

Information without context is useless

for example: 5
This topic is now archived and is closed to further replies.