osCommerce

CC security


wgs


Hello all,

Firstly thanks in advance to anyone who can help me answer my question.

I am new to osCommerce and have just finished my first online shop. The set up has gone well and after having purchased an SSL certificate from my host I am switching well between the http and https areas of the site.

I am using the standard cc capture and I understand that when the customer enters the cc details the information between the browser and site is encrypted and secure. That is fine.

After placing a dummy order and then accessing the database through the admin area I can see the cc number. I have password protected the admin area via .htaccess. Will this be secure enough or would it be wise to somehow encrypt the cc details in the database?

Thanks.

Warren.


Warren,

If you must use the standard cc module, I would advise defining the "Split Credit Card E-Mail Address" field in that module. With it, you define an e-mail address. Then, when an order is placed, 8 of the CC digits are e-mailed to that address. The other 8 and the expiration date are stored in the database. If your database is hacked, they don't get enough data to do anything (unless they were sniffing your e-mail packets too.)

If there's an encryption contrib or something you can write, do that too. Security should always be approached as a layered approach. No one solution is ever sufficient.

ed


Make sure that your 'admin' area is not only password protected, but is forced behind ssl. Change all http://yourdomain.com references in admin/includes/configure.php to https://yourdomain.com

Depending upon how modern your server is you may also be able to add this to the .htaccess file in your 'admin' folder.

    SSLRequireSSL
    ErrorDocument 403 https://www.yourdomain.com/admin/

Any hacker trying to access your 'admin' folder via http will automatically get redirected to https.

Vger

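As an added example (not from any post in this thread), here is a complete .htaccess for the admin/ directory that combines the SSLRequireSSL approach above with the Basic-auth protection Warren already has; the domain, realm name and .htpasswd path are placeholders, and it assumes mod_ssl and mod_auth_basic are loaded and AllowOverride permits these directives.

```apache
# Added example .htaccess for the osCommerce admin/ directory (not from the thread).
# Assumes mod_ssl and mod_auth_basic are loaded and AllowOverride allows
# AuthConfig and Limit/Options for this directory.

# 1. Refuse any request that does not arrive over TLS.
#    SSLRequireSSL is evaluated in Apache's access-check phase, which runs before
#    the authentication phase, so a plain-http request is rejected before the
#    browser is ever asked for (and would send) the Basic-auth credentials.
SSLRequireSSL

# 2. Turn the resulting 403 into a redirect to the https URL of the same area.
#    When ErrorDocument points at a full URL, Apache answers with a redirect
#    rather than serving an error page.
ErrorDocument 403 https://www.yourdomain.com/admin/

# 3. Password protection. Keep the password file outside the web root
#    (placeholder path) so it can never be fetched through the web server.
AuthType Basic
AuthName "osCommerce admin"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Caveat: a RewriteRule placed in .htaccess is a per-directory rewrite and runs
# in the fixup phase, i.e. after authentication, so a mod_rewrite http->https
# redirect here would NOT stop the Basic-auth challenge over plain http.
# That is why the TLS check is done with SSLRequireSSL instead.
```

A quick check after deploying it: requesting http://www.yourdomain.com/admin/ should yield a redirect to the https URL with no WWW-Authenticate header in the plain-http response, while the https URL should prompt for the password.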

Thanks for the tips guys.

Have implemented the "Split Credit Card E-Mail Address" option and will force the admin area behind SSL a bit later on.

I feel much better now about the security of customers' cc details.

Cheers.

