olimits7
Posted January 27, 2006

Hello,

I was wondering if anyone can list some good credit card security options that I should definitely use to secure my customers' information from potential hackers?

These are a few that I know about as of now. Use an SSL connection for checkout process, use SSL for admin section, password protect the admin directory, and use the split credit card email option. Are there any other options that I should be including?

------------------------------------------------------

I see that the Authorize.net module doesn't give you the option to split the credit card into an email. Only the Credit Card module allows this. Why is that? And how can I get the Authorize.net module to include this?

I'm glad that the Credit Card module has the split option, but when I go live with my website I don't want the Credit Card and Authorize modules both showing up on the checkout process. I just want the Authorize.net module to show with the split email option enabled.

Thank you,
olimits7

olimits7 (Author)
Posted January 27, 2006

Does anybody use any other security options? I know the things I listed can't be all that is used.

ozcsys
Posted January 27, 2006

The authorize.net module does not email the cc #; that is why it is not an option. It automatically processes the card for you.

The cc module is so you can get the cc# and then process the number manually via a pos system.

Flyer5
Posted January 27, 2006

> Does anybody use any other security options? I know the things I listed can't be all that is used.

I think you'll find that most (if not all) 3rd party psp's like protx, ePDQ, HSBC etc do not give you the full credit card number (and nor should they) - I cannot vouch for authorizenet as I've never used it.

As an aside to this - if I was making a purchase and was asked to give my card details to you rather than to a psp I would not complete the sale. This is nothing derogatory against you, but I would have concerns about the security of your pc and my data, not from hackers but from physical theft and from internal access.

insomniac2
Posted January 28, 2006

A contrib I modified has a feature that does not allow someone to view cc card numbers from the database because it is encrypted. It can only be viewed by you in admin as the key to decrypt is set by you in the files. This could be altered to be set in the admin configuration if need be. I have also put the code in invoices.

The main piece of code that does this is:

```php
<?php
// Only decrypt when a real card number is stored (not empty, not the all-zero placeholder)
if (tep_not_null($order->info['cc_number']) && $order->info['cc_number'] != '0000000000000000') {
  if (strtolower(CC_ENC) == 'true') {
    $key = 'changeme'; // you have to set changeme to your selected key ie. Kfs5Ry7nXrY24
    $cipher_data = $order->info['cc_number'];
    // decrypt with the contribution's changedataout() helper for display in admin
    $order->info['cc_number'] = changedataout($cipher_data, $key);
  }
}
?>
```

You will have to pick out the code pieces and put encrypt / decrypt files in place .. but it should be easy to figure out. Mainly involves checkout_process.php, orders.php and potentially invoice or printorder.php. Also adding paths to filenames.php and database.php.

I posted an update with small updates to the instructions.

The contrib is CC CVV plus Encryption plus Blacklisting v1.1.zip

Link: http://www.oscommerce.com/community/contri...arch,encryption

If you run into any problems let me know. I will try to check back.

olimits7 (Author)
Posted January 28, 2006

Thank you for all your replies. :)

So if I use only the Authorize.Net module it will pass the information straight to Authorize and it will not save any credit card information in mysql database, right? And this also is the reason why it doesn't have the option for the "split credit card email"?

The CreditCard module is the module that stores the credit card number in the database with the option for the "split credit card email", right?

If I wanted to save the credit card info and have the "split credit card email" option I would have to use both modules. But that would mean my customer would have to fill out their credit card information twice on each module. Is this correct?

----------------------------------------------------------

Is there a way that I can get the Authorize.Net module to store the credit card information and split the credit card email just like the CreditCard module does?

But I guess if the Authorize.Net module passes the credit card information straight to Authorize I should be able to view the credit card info from Authorize's website, right??

Thank you, again.

stevel
Posted January 28, 2006

You don't want to save the cc number in the database if you can help it because of the risk of unintended disclosure. Encrypting can help, but ideally you'd want to use a "public key" method such as GPG and this is tricky to get working with osC. There are contributions for it but I've never gotten it to work.

If you use a symmetrical key, such as the advice above, do NOT put the key in the script itself. Put it in your configure.php and protect it against reading from others on the server (depends on your host's configuration.)

I also recommend removing the CC info from the database as soon as you have processed the order or recorded it offline. There are too many stories of credit card numbers stolen from databases, and you don't want to be at the receiving end of customer complaints about that.

I don't use a payment gateway, but it seems to me that the info should be available from your gateway's admin panel, or perhaps you don't really need it at all? With a payment gateway, the CC info is never stored in your database and goes instead to the (presumably) secure gateway server.

Steve

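The "public key" approach stevel describes, as an added example that is not part of the thread or of any osCommerce contribution: the web server holds only a public key, so a copy of the database and the site's files is not enough to read card numbers. It uses PHP's sodium sealed boxes (PHP 7.2+) in place of GPG, and every function and array key name here is hypothetical.

```php
<?php
// Added example; names are hypothetical, not osCommerce or contribution code.

// Run once on the offline order-processing machine. Only 'public' is copied
// to the web server (for example as a define in configure.php).
function make_keypair(): array
{
    $keypair = sodium_crypto_box_keypair();
    return [
        'public'  => sodium_bin2hex(sodium_crypto_box_publickey($keypair)),
        'keypair' => sodium_bin2hex($keypair), // secret: stays offline
    ];
}

// Web server side (checkout): encrypt with the public key only.
function seal_cc_number(string $ccNumber, string $publicKeyHex): array
{
    $digits = preg_replace('/\D/', '', $ccNumber);
    if (strlen($digits) < 12 || strlen($digits) > 19) {
        throw new InvalidArgumentException('unexpected card number length');
    }
    $sealed = sodium_crypto_box_seal($digits, sodium_hex2bin($publicKeyHex));
    return [
        'cc_number_sealed' => base64_encode($sealed), // stored instead of the number
        'cc_last4'         => substr($digits, -4),    // enough for admin display
    ];
}

// Offline side: decrypt with the full keypair when the order is processed.
function open_cc_number(string $sealedB64, string $keypairHex): string
{
    $raw = base64_decode($sealedB64, true);
    $plain = ($raw === false)
        ? false
        : sodium_crypto_box_seal_open($raw, sodium_hex2bin($keypairHex));
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or altered data');
    }
    return $plain;
}

// Constructed demonstration using a well-known test card number.
$keys   = make_keypair();
$stored = seal_cc_number('4111 1111 1111 1111', $keys['public']);
echo $stored['cc_last4'], "\n";
echo open_cc_number($stored['cc_number_sealed'], $keys['keypair']), "\n";
```

The sealed value can still be deleted from the database once the order has been processed, as recommended above.
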
nfrobertson
Posted March 29, 2006

I also wanted to do a simple cc_number encrypt. I came up with a quick solution and posted it at:

http://www.oscommerce.com/forums/index.php?s=&...ndpost&p=827385

Definitely open to thoughts and improvements!

Archived
This topic is now archived and is closed to further replies.