Guest, Posted April 1, 2006:
Hi there, I run an online store and a physical store too, which means at the moment I am using Worldpay & another merchant account for the proper shop. Is there a way that I can just process the website cards on my Streamline machine in-store, so I can get rid of my Worldpay account, or do I really have to pay twice for the same service?
Wendy James, Posted April 2, 2006:
If you use the credit card module that comes with osCommerce you can manually enter your orders. It sends half the cc# to the admin area, the other half to whatever email you have set up.
-- Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.
user1515, Posted April 6, 2006:
This works well, but is there a way to update the Credit Card module so that it also sends the expiration date via e-mail?
angelo24, Posted April 7, 2006:
I also want to do this... is there any way that the card details can be captured in osC and then, when we go to the admin panel, we can see the details and input the card details into our in-store card machine? Thanks, Angelo
-- help!!!!!!!
user1515, Posted April 7, 2006:
Well, I guess the real question is this, then: I am setting up a website for a customer who is planning to use their in-store credit card machine for web orders. When orders go through, they will receive an e-mail with the order and somehow receive the credit card information. This customer will NOT have access to the ADMIN area of osCommerce, as they are not comfortable/familiar with things like this, and I don't want them poking around and messing up their product listings or other things. They will be sending me updated products when they need them, but obviously I don't need to be involved in the receiving/processing orders part. Does that make sense?
Guest, Posted April 7, 2006:
Why not get your Streamline account set up for osCommerce as well? I use Streamline and Protx for my osCommerce card processing.
angelo24, Posted April 8, 2006:
I want to be able to capture all the credit card info and hold it in some sort of SSL page so I can then retrieve it at a later date and put it through the credit card machine in the shop. Is there any way of doing this? So a couple of boxes asking for the credit card number etc. (SSL of course) and then I can manually put them through the machine in the shop? Thanks, Angelo
dusty108, Posted April 10, 2008:
Being able to capture all needed card details using SSL makes sense. I see little point in having a Streamline merchant account and having to shell out a further £240 a year to a middleman to serve essentially the same function. Help please!
dynamoeffects, Posted April 10, 2008:
Well, the £240 a year you'd spend on a payment gateway is much less than the up to $500,000 per incident fine that Visa and Mastercard would levy if they discover that you're processing cards in breach of your merchant agreement, especially if it's related to card theft stemming from emailing yourself credit card numbers. The potential additional cost of being permanently barred from ever processing Visa or MasterCard again should also be added in. Right about now £240 a year doesn't sound so bad. Visa/MC have removed any incentive of manually processing credit card numbers from online orders.
-- Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.
dusty108, Posted April 13, 2008:
> Well, the £240 a year you'd spend on a payment gateway is much less than the up to $500,000 per incident fine that Visa and Mastercard would levy if they discover that you're processing cards in breach of your merchant agreement, especially if it's related to card theft stemming from emailing yourself credit card numbers. The potential additional cost of being permanently barred from ever processing Visa or MasterCard again should also be added in. Right about now £240 a year doesn't sound so bad. Visa/MC have removed any incentive of manually processing credit card numbers from online orders.
Have you checked the PCI DSS site? https://www.pcisecuritystandards.org/ I haven't yet come across anything about "Visa's" ability to levy $500,000 fines, but it does offer excellent advice to merchants as to what's required to conform to current industry standards re credit card data protection.
dynamoeffects, Posted April 13, 2008:
Read your merchant agreement. You signed a contract agreeing that you would follow the PCI's card handling security procedures or you will gladly accept large monetary fines. $500,000 is the maximum per-incident (per stolen card) fine that they will levy against the merchant. Maybe you'll get off light and only have to pay $5,000 a month until you are compliant. An example of a $500,000 fine: http://www.security.ithub.com/article/VISA...h/218242_1.aspx
osCommerce with a heavy load of unmodified contributions installed is not a secure application to be storing or emailing credit card information. Don't think it would ever happen to you? If you're using the latest version of the Header Tags controller and you're storing credit card numbers in your database, anyone can output a list of your customers' data by adding a SQL query to a specific URL parameter. Use Fast Easy Checkout? In less than 2 minutes you could be compromised. I know this because I do a security check on all contributions that I install in my clients' stores. Even if you don't store the credit card numbers, the store owner's email address can be altered so that all card numbers are funneled to an attacker's email box. As soon as the stolen cards are traced back to your store, which is just a matter of finding the merchant where all cards were used, guess what happens.
There are times when, as a small business owner, you should cut corners to save money, but this is not one of them. I make this point not to be the PCI's guard dog, but instead to convince merchants to stop being irresponsible with their clients' private financial data. You wouldn't accept stores where you shop being irresponsible with yours.
dusty108, Posted April 13, 2008:
I think we may well be singing from the same hymn sheet. We must do all in our power, i.e. comply fully with PCI DSS requirements. For most of us "Level 4 Criteria Merchants with less than 20,000 transactions" would apply, i.e.: Annual Self Assessment Questionnaire. Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria). There is usually no need to report compliance, but you must nevertheless achieve and maintain compliance.
I have not read my merchant agreement in a very long time. It dealt with a manual swipe machine and required me to keep copies of all the cards I dealt with for a lifetime in case of any questions. Must dig it out if I can find it. I really don't think too many of us with osCommerce sites will be in the same league as TJX's "29 million MasterCard victims and 65 million Visa victims". By the way, they still accept Visa & Mastercard.
WoodsWalker, Posted April 13, 2008:
This is a very informative thread! I'm just setting up osCommerce, to add online functionality to a web site we have had since 1995 (I designed and update it). We make our entire income through the site. Customers now expect to be able to order online, instead of necessarily having to phone or fax us with their credit card info. All the same, I was intending to harvest the order info from the server somehow (we don't get that many orders in a day) and simply key it into the telephone system we use to send our VISA/MC sales to the bank. This thread has made crystal clear to me that I must not consider doing this by email (I must admit I had my doubts and I hope that I would have come to the same conclusion myself). Before I do the explorations, is there anyone with a quick answer to how one might locate such information on the server, and then delete it after writing it down? Thanks!
WoodsWalker, Posted April 14, 2008:
Update: I figured out how to access the stored CC#s in the database (so far just a "dummy" # that I made up for testing purposes). I see that osC's Credit Card module allows me to enact a storage procedure whereby 8 digits of the CC# are stored on the server, while the other 8 digits are emailed to me along with the order info. This suits me fine, but I don't know if it would be strictly PCI-compliant. The deciding factor would seem to be whether the whole CC# is ever stored, even for an instant, on the server. If the answer is yes, then this would be considered a security breach, especially as the server is shared.
WoodsWalker, Posted April 14, 2008:
P.S.: Thank you to Wendy James, above, for pointing me towards this functionality of the Credit Card module. :thumbsup: (You can never have too many Wendys! :lol:)
WoodsWalker, Posted April 14, 2008:
> If you have part of the cc in the database, and part of the cc in an email, it would be considered non-compliant (in my OPINION). Where are you accepting the CVV number?
Heh, we're not.
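The split-storage scheme discussed above (half the card number in the store database, half in the order e-mail), modelled in Python as an added illustration that is not osCommerce code or anyone's post in this thread. It shows that the two halves recombine into a Luhn-valid PAN, and contrasts that with PCI DSS truncation (at most the first six and last four digits kept), where the missing digits are destroyed rather than relocated. The card number is a constructed test value.

```python
# Added illustration, not osCommerce code: models the split storage described
# in the thread and contrasts it with PCI DSS truncation.
TEST_PAN = "4111111111111111"  # constructed test PAN (passes Luhn), not a real card


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check and has a card-like length."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 12 and total % 10 == 0


def osc_split(pan: str) -> tuple:
    """Mimic the split the thread describes: first half kept in the store
    database, second half sent by e-mail to the store owner."""
    half = len(pan) // 2
    return pan[:half], pan[half:]


def reconstruct(db_part: str, mail_part: str) -> str:
    """What someone holding both a database dump and the owner's mailbox
    (or a redirected order e-mail, as the thread describes) ends up with."""
    return db_part + mail_part


def pci_truncated(pan: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits survive;
    the middle digits are gone, so no second fragment can complete them."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def exposed_digits(fragment: str) -> int:
    """Count the real PAN digits present in a stored or e-mailed fragment."""
    return sum(c.isdigit() for c in fragment)


if __name__ == "__main__":
    db_part, mail_part = osc_split(TEST_PAN)
    print("database holds:", db_part, "| e-mail holds:", mail_part)
    print("recombined PAN passes Luhn:", luhn_valid(reconstruct(db_part, mail_part)))
    print("PCI-truncated form:", pci_truncated(TEST_PAN))
```

Each half still carries 8 real digits, more than truncation allows, so both the database and the mailbox remain cardholder-data stores that fall in PCI DSS scope.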
dynamoeffects, Posted April 14, 2008:
> If the answer is yes, then this would be considered a security breach, especially as the server is shared.
To exploit your server, the first thing an attacker would attempt is a SQL injection attack (many of the most popular contributions are vulnerable to this type of attack). A SQL injection attack would allow them access to your database and give them the ability to read, modify, and delete whatever they would like. Using the same method, the store owner's email address could be updated to an attacker's throwaway email account. How many days of no order notifications would it take before you'd look in your Configuration settings to see that the email address has been changed? This is what happened to a lady who contacted me about a year ago asking why none of the order emails were getting sent to her email account. The problem was exactly what I described above.
WoodsWalker, Posted April 14, 2008:
Pretty scary stuff, Brian. It's chilling to know what is possible. Thanks for the info!
purlow7, Posted April 21, 2008:
> To exploit your server, the first thing an attacker would attempt is a SQL injection attack (many of the most popular contributions are vulnerable to this type of attack). A SQL injection attack would allow them access to your database and give them the ability to read, modify, and delete whatever they would like. Using the same method, the store owner's email address could be updated to an attacker's throwaway email account. How many days of no order notifications would it take before you'd look in your Configuration settings to see that the email address has been changed? This is what happened to a lady who contacted me about a year ago asking why none of the order emails were getting sent to her email account. The problem was exactly what I described above.
Great advice Brian, and chilling possibilities. I am at a loss, though, and can't figure out a solution based on what I'm reading. On one thread I read that as long as you don't include the CVV etc. info, it's secure. But I'm not convinced. I've read through the compliance sites, but can't find any information on storing the numbers on a server with private SSL. My client is dead set against paying a gateway. She's also heard from another business that "they get their orders emailed to them with the credit card numbers". I have been unable to convince her of the necessity of a secure gateway. In your opinion, are there any safe (and compliant) methods of allowing her to process manually? Thanks!
dynamoeffects, Posted April 21, 2008:
Authorize.net offers a new service that allows you to store customer payment information on their servers. You're able to recharge a customer's card by passing a key that is tied to a specific customer's payment information. All compliance is handled by Authorize.net.
I don't have any advice to give you as to convincing her aside from creating a nice spreadsheet laying out the costs of securing her server to store credit card data. It will cost at least $200 a month for the two dedicated servers required to store credit card data, and if she's not willing to spend an extra $20 a month for a payment gateway, she has no interest in keeping her customers' private data secure and nothing you can say will change her mind. People who take unnecessary risks like that and show no respect for their customers' private data shouldn't be running a business.
purlow7, Posted April 21, 2008:
> Authorize.net offers a new service that allows you to store customer payment information on their servers. You're able to recharge a customer's card by passing a key that is tied to a specific customer's payment information. All compliance is handled by Authorize.net. I don't have any advice to give you as to convincing her aside from creating a nice spreadsheet laying out the costs of securing her server to store credit card data. It will cost at least $200 a month for the two dedicated servers required to store credit card data, and if she's not willing to spend an extra $20 a month for a payment gateway, she has no interest in keeping her customers' private data secure and nothing you can say will change her mind. People who take unnecessary risks like that and show no respect for their customers' private data shouldn't be running a business.
I agree, and as much as I hate to run off a client, I'm not willing to participate in building her a solution that does not protect her customers. Do you know anything about outside payment systems, like Mal's e-commerce? Specifically, can you integrate that type of solution into osCommerce? I believe it's a PayPal-type system where you generate "buy now" buttons for your products (and the cc#s are stored on their secure servers for retrieval), but I want her to be able to manage her products through an admin panel instead. It's my last idea... thought I'd see if you'd heard of it or anything similar. Thanks for all you contribute!