osCommerce


credit security measures


compwhizmm90


Hi, I have a customer who wants to accept credit cards on his website. Rather than using an automatic payment system, he will charge them using a credit card system he already has. This will mean that the CC numbers will have to be stored in the database. What security measures should I take to keep people from stealing them? I am already installing an SSL certificate. Does anyone know of anything else I should do? I want to take all the precautions necessary. Thanks for any advice!


Credit card companies have VERY STRICT rules and regulations regarding the storage of credit card numbers. If you have to ask, you aren't equipped to even come close to meeting their requirements. It takes more than an SSL certificate and encryption. I believe they require things like hardware firewalls that meet certain specifications, encryption that meets their standards, a minimum amount of insurance, etc. It basically takes a lot of money to meet their requirements. Additionally, a lot of merchant accounts list in the fine print that you cannot store credit card numbers online.

 

A lot of large online retailers don't even store credit card numbers on their systems. Those who do store credit card numbers usually use a third party that specializes in financial data storage. There are even laws in the US regarding data storage of financial information such as credit card numbers.

 

Basically, storing credit card numbers in an online database is not even an option for the vast majority of ecommerce web sites. Your customer will have to use a third party that handles recurring payments. There are several online credit card processors that can handle this for your customer (Authorize.net does, for example, but they have no API for it... which is lame... but there are others who do have APIs for recurring payments). Just do a Google search for credit card processors that do recurring payments.



That sounds a little scary... My second option is using PayPal Website Payments Pro. What are the risks for using that? I would think it would be a lot less risky than the first option. Thanks for your reply!


The split credit card option built into osC is a quite secure option. Study your admin section to test and see how it works.

 

Once a transaction is completed you can also delete the fragments of the CC number from the database. There are contributions for this.

 

SteveODNet is correct about the rules concerning storage of complete CC details on any server accessible via the web. It's definitely a no-no.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


  • 4 months later...

Thanks people - I just don't like using the PayPal system because it kind of forces people to sign up for a PayPal account, which most customers, I think, won't want or need. Can anyone advise me on a system that is better than PayPal that will only take a small percentage of the cash from sales?


he will charge them using a credit card system he already has.

 

Find out who he is already using and see if they can transfer his existing system to the web site or bundle the web site and existing offline terminal; try and keep the costs down that way. That way he can still use one company and not have to worry (as much) about storing the CC info.


  • 4 months later...

Can anyone send a link to this law that states you can't store whole credit card numbers online?

 

Also, someone found my question on another post and sent me a link for Zen Cart. Zen emails the CC numbers that are in the XXXX spot so the user would put the two together. Is there such a contribution for osCommerce?

 

Thank you

 

KM


You don't need the law. Read your TOS for your card processing.

 

The merchant's Terms of Service (TOS) will be very clear that you're not allowed to store customer credit card numbers in a retrieval system. That will be osCommerce.

 

Over and Out.


Thank you for the utterly useless post.

 

Might it occur to you that I would be setting this up for someone else and they might like to have that information without going through 20 pages of fine print?

 

That was almost as helpful as the people that reply "google it".

 

KM


  • 6 months later...

Thanks for the response and recommendations. I will search through the Contributions for the CVV.

 

I am aware that storing this information is not a good practice and for that reason I am using the split card number, which, if I understand correctly, does not store the entire card number. As well, I cannot even imagine running an eCommerce solution outside of a firewalled, certificate-enforced secure webserver.

 

I suppose that a better approach would be to learn how to add a field to the database and the forms...

 

Thank you again...


  • 10 months later...
If you have to ask, you aren't equipped to even come close to meeting their requirements.

 

This... is not true. The standards to which cardholder data must be kept are regulated by the PCI Security Standards Council. The current standards are released in this document: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

 

With some Linux know-how and less than $1,000 (two computers running Linux, one to create the DMZ and one for the databases, with iptables as the firewall), you will be able to meet all of the standards listed in that document.

 

However, even easier, Authorize.net now offers their CIM service, which allows you to store cardholder data on their servers and charge the cards via an API.

 

-Andrew

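An added example, not osCommerce code and not from any poster here, that shows in working code the pattern this post and the earlier "delete the fragments" post both point at: the store's own database keeps only a masked card number plus the reference returned by the gateway that vaults the card, and an audit pass scans free-text columns for full card numbers that should never have been persisted. The gateway reference format and the sample rows are constructed for the example; the Luhn check and the digit-run pattern are the standard ones.

```python
"""Keep only what a card processor's TOS allows in the shop database, and
audit for full PANs that leaked in anyway (constructed example)."""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by the card networks; True for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_for_storage(pan: str) -> str:
    """Reduce a PAN to its last four digits, which is all a receipt needs."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a well-formed card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def checkout_record(pan: str, gateway_ref: str) -> dict:
    """What the order row should hold: masked PAN and the gateway's reference.
    gateway_ref is hypothetical here: the token a processor's API hands back
    after it has vaulted the card on its own systems."""
    return {"pan_masked": mask_for_storage(pan), "gateway_ref": gateway_ref}


# Runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def find_stored_pans(rows) -> list:
    """Audit helper: return (row_id, last4) for every Luhn-valid digit run
    found in the given (row_id, text) pairs. A hit means a full card number
    is sitting in the database and must be removed."""
    hits = []
    for row_id, text in rows:
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((row_id, digits[-4:]))
    return hits


# Constructed sample rows; the card numbers are public test numbers, not real.
SAMPLE_ROWS = [
    (1, "order ref 12345678901234; token tok_8f3a (constructed)"),
    (2, "customer phoned, card 4111 1111 1111 1111 exp 12/29 (constructed)"),
    (3, "pan_masked ************4242"),
]


if __name__ == "__main__":
    print(checkout_record("4242 4242 4242 4242", "tok_example"))
    print("rows holding a full PAN:", find_stored_pans(SAMPLE_ROWS))
```

Row 1 contains a fourteen-digit order reference that fails the Luhn check, so the audit does not flag it; row 2 is the kind of comment-field leak a scan like this is meant to catch, and row 3 shows the only form a card number should take in the store's tables.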

Just so you know, with PayPal Website Payments Pro, your customers DO NOT need a PayPal account and they NEVER leave your website.

 

My website has the PayPal Website Pro on it and customers do not know that they are using PayPal to pay. The Website Pro is basically an online merchant account just like the ones you buy and set up yourself. The initial cost is cheaper; however, in the long run it does end up costing you more money because of the % rates and the monthly $30. However, it is GREAT for a business that is just starting up. I have a really close friend of the family that sells merchant accounts to internet and brick-and-mortar stores, and even working with him, it was easier and initially cheaper for me to go through PayPal.

 

Check out my website if you want. It is live, so if you make a purchase, you will pay for it and then I will have to refund you (which is fine, I need practice doing refunds). But anyway, if you go to my site and get to the payment screen, you will see that you can put your credit card info in without leaving my site AND without using a PayPal account.

A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable; unless I ask you to PM me, please don't. You will get better help if you post publicly. I am not as good at this as you think anyway!

 

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there; I will find time to get back and answer you.

 

Proud Member of the CODE BREAKERS CLUB!!


PayPal Pro is the way forward for any new serious ecommerce site; you will be surprised how many commerce sites use this system. The good thing is no one knows they are going through PayPal. Like said above, it can prove expensive if the site sells a lot. If the store gets into that sort of position then it would be worth investing in using professionals to set up credit card systems.

 

There is no reason at all why credit card details should ever be stored on a server; storing them on a server and then using them on a CC machine is not a good idea at all.


Hi Mitchell and others!

 

When I started designing my osCommerce site, I had the same idea as Mitchell's client: I already had VISA and MasterCard merchant services, and I just wanted to use the online store as an added ordering convenience for my customers. I intended to process the transactions manually, somehow, and came to the forum for advice.

 

In the end, I chose to process payments through the payment gateway provided by my merchant services company (Moneris), for the reasons mentioned above by other contributors. Yes, if you have a good developer you can become PCI compliant without a payment gateway, but that seems arduous when there are secure, attractive, inexpensive options available. I have not checked out PayPal Pro, but it might be just what you need.

 

Here is some good topical reading from previous threads (lots of posts by me! ha ha :rolleyes: )

 

I want credit card info sent to my email

 

New regulations for manually processing credit card info...

 

Hope this helps,

~Wendy
