
security question


jsisson01


Now, I don't know if this is because I used the test account card, but after I finished doing a quick check of my site, I went into the admin section and checked the customer info, and lo and behold, the test card number was there in full view. Now even though there's security on the admin section, I don't believe this to be secure enough, no matter what system you're using.

Does this change if I set up my merchant's account and if not, what are the ways I can change this?


It sounds like you are using the stock CC Module, which does store the credit card numbers in the database for later processing by "hand". Some store owners like this, because they may be able to spot "fraud" and avoid a charge-back. All in all, I guess it depends on your products to determine if you want to "do it by hand" or "automate" the process.

Storing a credit card for a very short period of time is acceptable, but it does have a security risk. That is why, if you choose to run the cards by hand, you must implement some way of removing the CC info. So after you are done running the credit card, you delete the info and decrease the risk.

Some (if not most) Merchant Accounts will hold you liable for up to XXX dollars (usually in the hundreds of thousands) if security is breached in your site, and a stored credit card number was stolen and used. That is why you want to get those numbers out of there ASAP!

If you automate the process, and have a Merchant Account that can do that (say PayPal Pro, for instance), your SSL would encrypt the data and PayPal would do the rest from there, thus keeping the info off of your server.

Bottom line, you can never really be secure enough. If a human built it, a human will break into it! From this point, it's just a matter of how paranoid you'd like to be.

Hope that helps!


Yes it does, thank you. One more question: there are plenty of merchant accounts and payment gateways out there, PayPal and such. Does anybody recommend anything, and could you give me a few reasons why? Thanks.


Well, I suggest using a contribution available on osC that encrypts and decrypts the CC number, so though it is there in the DB, it's of use only if it can be decrypted, which needs some password.

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.


Well, I suggest using a contribution available on osC that encrypts and decrypts the CC number, so though it is there in the DB, it's of use only if it can be decrypted, which needs some password.

Satish

This is still a violation of the TOS and could lead to some liability on your part if you do it. The safest way to do it is to not do it at all. Use a payment gateway and let them handle all the security requirements of the big banks.

I'm fond of Authorize.net but any of the big gateways should work fine for osC.

Iggy

Everything's funny but nothing's a joke...


This is still a violation of the TOS and could lead to some liability on your part if you do it. The safest way to do it is to not do it at all. Use a payment gateway and let them handle all the security requirements of the big banks.

I'm fond of Authorize.net but any of the big gateways should work fine for osC.

Iggy

Am I correct to assume that if I use a Payment Gateway with my osCommerce site, then the Credit Card numbers are NOT stored in my DB?


Am I correct to assume that if I use a Payment Gateway with my osCommerce site, then the Credit Card numbers are NOT stored in my DB?

Yes, typically they are not stored with external gateways. And you should check the payment module code to verify this, just to be on the safe side.


That said, where are the credit card numbers stored, and how would I go about removing them, should I decide to continue processing payments manually?

You shouldn't need to remove anything, as the numbers are stored with the gateway, not with osC, in this case. So it depends on what features a gateway has and what information it provides to the merchants.


Am I correct to assume that if I use a Payment Gateway with my osCommerce site, then the Credit Card numbers are NOT stored in my DB?

For Authorize.net users - the Authorize.net AIM module currently (and unfortunately) stores full numbers in the database. Vger has said she'll remove this in a future release - but for now - my patch for XXXXing out the middle digits will work universally for any payment module that stores numbers:

http://www.oscommerce.com/community/contributions,4091


You shouldn't need to remove anything, as the numbers are stored with the gateway, not with osC, in this case. So it depends on what features a gateway has and what information it provides to the merchants.

Yes, that would be the case, were I using a payment gateway. Unfortunately, my current set-up precludes such an arrangement, so I must continue to manually process all my transactions (for now). Since I don't want the numbers just hanging around being a liability, I need to get rid of them.

So, I guess a better way of phrasing my question would be: "In a normal OSCommerce setup (without a payment gateway) where are the credit card numbers stored, and how would I go about removing them?"

Thanks.


Here is a great contribution. Adds a check box on the admin order page. When you change an order from pending to processed, just check this box and the CC numbers are deleted.

Clear CC numbers

Great, that's all I need?

After I remove the number from an order listing, or delete the listing entirely, the numbers are completely gone?
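
The two approaches raised in this thread, masking the middle digits and clearing stored numbers once an order has left "pending", are sketched below as an added example; it is not part of any post here and is not the code of either contribution mentioned. It assumes the stock `orders` table columns `orders_id`, `cc_number`, `cc_expires` and `orders_status`, that status id 1 means "Pending", and that the first and last four digits are the ones kept; the function names and the SQLite demo rows are constructed for illustration.

```php
<?php
// Added example, not code from osCommerce or from either contribution.
// Assumptions: card data sits in orders.cc_number (with cc_expires), status
// id 1 means "Pending", and the first 4 / last 4 digits are the ones kept.

function mask_cc_number(string $raw, int $keepStart = 4, int $keepEnd = 4): string
{
    $digits = preg_replace('/\D+/', '', $raw);   // drop spaces, dashes, etc.
    $len = strlen($digits);
    // Too short to leave a masked middle: keep nothing readable.
    if ($len < 12 || $keepStart + $keepEnd >= $len) {
        return str_repeat('X', $len);
    }
    return substr($digits, 0, $keepStart)
        . str_repeat('X', $len - $keepStart - $keepEnd)
        . substr($digits, -$keepEnd);
}

// Mask stored numbers (and blank the expiry) on orders no longer pending.
// Rows that already contain an 'X' are skipped so a re-run changes nothing.
function scrub_processed_orders(PDO $db, int $pendingStatus = 1): int
{
    $rows = $db->prepare(
        "SELECT orders_id, cc_number FROM orders
          WHERE orders_status <> ? AND cc_number <> ''
            AND cc_number NOT LIKE '%X%'");
    $rows->execute([$pendingStatus]);
    $update = $db->prepare(
        "UPDATE orders SET cc_number = ?, cc_expires = '' WHERE orders_id = ?");
    $changed = 0;
    foreach ($rows->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $update->execute([mask_cc_number($row['cc_number']), $row['orders_id']]);
        $changed++;
    }
    return $changed;
}

// Constructed demo data in an in-memory SQLite database (test card numbers).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE orders (orders_id INTEGER PRIMARY KEY,
    cc_number TEXT, cc_expires TEXT, orders_status INTEGER)");
$db->exec("INSERT INTO orders VALUES
    (1, '4111 1111 1111 1111', '0130', 1),
    (2, '3782-822463-10005',   '0130', 3)");
echo scrub_processed_orders($db), " order(s) masked\n";
foreach ($db->query("SELECT * FROM orders", PDO::FETCH_ASSOC) as $r) {
    echo implode(' | ', $r), "\n";
}
```

This changes only the live `orders` rows; copies of the table in database backups taken earlier are not touched by it.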


Archived

This topic is now archived and is closed to further replies.
