osCommerce

The e-commerce.

Credit card details emailed to vendor (UK)


senyahnoj

Yesterday I made a purchase online via an osCommerce site.

There was a problem with my credit card details so I received an email from the vendor saying to ring and confirm the details were correct. I phoned and cleared this up and then emailed them back just expressing mild concern that my expiry date had been included in the email and that they may consider not doing that in the future.

They then replied telling me that I should be reassured that my expiry date in isolation of the card number and CV2 was useless (which is kind of fair enough, although the fewer individual authentication tokens on plain text email the better).

More concerning was that they revealed that osCommerce simply emailed all the card details to them anyway and that it was "secure because this information is sent in separate emails". So my details are passing through mail relays and ultimately sitting in an inbox at the shop?

I'm not totally up on the laws/best practices on this but this strikes me as a little disturbing. I'm presuming that even though osCommerce allows you to do this, it's not good practice and they should use some sort of payment gateway. Maybe their web developer has pulled the wool over their eyes on this one as they didn't seem to see it as a problem.

I'd like to email them with a polite, constructive email with some sort of link somewhere saying "osCommerce can do this but you really shouldn't" - can anyone point me at such a link? or advise further?

Link to comment

I would be concerned too. It seems that they wanted something cleared up, but your details should not have been in the email that they sent you.

I don't know why some vendors are obsessed with keeping card details. As you said, a payment gateway is the way to go.

Link to comment

Credit card processing security standards info


Archived

This topic is now archived and is closed to further replies.
