
Please help - CC processing and security


markNfla

Posted

I just set up OS and everything seems to work fine EXCEPT

1. The Credit Card information is not emailed to me when the order is sent to me. Do I need to configure something to get the CC information to be emailed along with the order email?

2. When I go to the check-out area I get a message that some non-secured elements are part of the secured page. Not secure - I think I read somewhere that a picture might not be secure and therefore cause a message like this. How do I make things secure? I have two SSL on westhost where I have my site. This one is not installed: OpenSSL 0.9.6; however, this one is installed: Shared SSL 1.0. Is this adequate?

Thanks for any and all advice.

 

m

Posted

If you post (or PM me) a link to the site I may be able to help with the "non-secure" message.

 

As for the cc info, you're better off without it. There are regulations in place to be "compliant" in that area.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

Read more about cc's & PCI compliance.

 

Click me


Posted

THANKS for the reply.

 

http://websitea.com/catalog/index.php?cPath=1

 

this is my uploaded and out of the box shopcart that has the security message.

 

I sent an email but I am not sure I did it right so I am posting the URL here.

 

I do need to have the CC information sent with the email so even though I am aware of the requirements and cautions I need to make it work. Can you give me guidance on that too?

 

thanks

m

Posted
ridiumCorp Feb 12 2008, 01:34 PM

 

There seems to be some confusion about PCI compliance and card details storage so I shall clarify. Being a payment gateway you can take this as the definitive answer.

 

A card merchant is any merchant who uses any device, be it in-store, online, or over the phone. Every merchant who receives, transmits, or stores, or all of the before mentioned, MUST be PCI compliant. PCI compliance is a set of rules that governs how a merchant handles card details, and if any merchant who takes card, regardless of the medium, has a security breach (i.e. you have been having details emailed to you from your website and your computer gets stolen and the thief sells on the card details) you are liable to be fined as a merchant - bank - whatever for each card record stolen.

 

So you can trade without being PCI compliant but if you get caught out you could face fines, being card scheme black listed, being personally black listed or all.

 

Clevelandweb,

 

Transactions originating over the web MUST be flagged as internet transactions. There is no other way to do it than through a gateway. If you take your card details from a website and process them manually through your terminal these are the following violations you are carrying out.

 

1. Improper transaction flagging.

2. Numerous PCI violations.

3. Improper MCC coding.

4. 3D Secure avoidance

5. Processing a card holder present transaction without giving a receipt at the point of transaction.

 

There are more but you get the point. Any one of these is serious enough to have your merchant account yanked by the bank if they find out.

 

Now if you have a terminal you already have a merchant account. Getting that extended to take internet payments is as easy as a phone call. If your acquiring bank tries to charge you setup fees tell them no. I can set you up an IMA for nothing if they persist.

 

Once you have an IMA, register it with a gateway. Tie your website into the gateway. Get yourself PCI compliant. It's easy and can be done in a couple of hours if you use a service like:

 

Scan Alert

 

It's 149 USD per year and is an invaluable exercise to go through. It makes sure you are trading safe. It makes sure if something goes wrong that you are protected from card scheme retribution.

 

Hope that clears this up once and for all.

 

IRC

Posted

In admin there is an extra email detail that is used for sending orders. If blank, you will not receive any orders.

 

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.

Posted

Let's try this to get rid of the non-secure message.

 

It's a simple change, and if it doesn't work I have another surefire method we can fall back on if need be.

 

Make a backup copy of the file /catalog/includes/application_top.php (keep it safe somewhere).

 

Edit the existing /catalog/includes/application_top.php

 

Find this code:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Replace that line with this code:

 

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// modification added 02/21/08
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';


Posted

Thanks for helping out. I prefer to be on the other end of these events but I'm too green to be useful yet.

 

I tried what you suggested. I got the same result. I left the code in just on the off chance that you had another idea to use in concert with this modification.

 

Sorry to be a bother about this but I would welcome other advice.

Am I correct in thinking that this security message is not normal for this program?

 

thanks

m


Posted

I'm going to send you a PM with something to do that will help me fix the problem.

 

When you've completed what I ask, PM me back or post again in this thread to let me know.

 

Am I correct in thinking that this security message is not normal for this program?

The problem is still in that line of code I had you change.

 

The crux of the matter is that there is no sure-fire, 100% reliable method that works on EVERY server to tell if SSL is active.


Posted

Change the code to this:

 

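// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// modification added 02/21/08
// isset() avoids an undefined-index notice when the request did not come through the shared SSL proxy
$request_type = (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && $_SERVER['HTTP_X_FORWARDED_SERVER'] == 'ssl4.westserver.net') ? 'SSL' : 'NONSSL';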

Try that & let me know.


Archived

This topic is now archived and is closed to further replies.
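
The three checks tried in this thread (HTTPS, SERVER_PORT, X-Forwarded-Server) combined into one function, as an added example that is not part of the original posts or of osCommerce. Forwarded headers arrive with the request and can be set by any client, so the function honours them only when the connection comes from the SSL proxy. The proxy address 192.0.2.10, the function name and the X-Forwarded-Proto check are assumptions.

```php
<?php
// Added example, not osCommerce code.
// Assumption: address of the host's shared-SSL proxy (192.0.2.0/24 is a documentation range).
const TRUSTED_SSL_PROXIES = ['192.0.2.10'];
// Hostname taken from the thread.
const SHARED_SSL_HOST = 'ssl4.westserver.net';

function detect_request_type(array $server): string
{
    // 1. TLS terminated on this server: Apache sets HTTPS=on, IIS sets HTTPS=off for plain HTTP.
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'SSL';
    }

    // 2. TLS terminated on this server, standard port.
    if ((string)($server['SERVER_PORT'] ?? '') === '443') {
        return 'SSL';
    }

    // 3. TLS terminated upstream: X-Forwarded-* values are request headers,
    //    so they count only when the peer is the known proxy.
    $peer = (string)($server['REMOTE_ADDR'] ?? '');
    if (in_array($peer, TRUSTED_SSL_PROXIES, true)) {
        $fwdServer = strtolower((string)($server['HTTP_X_FORWARDED_SERVER'] ?? ''));
        $fwdProto  = strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        if ($fwdServer === SHARED_SSL_HOST || $fwdProto === 'https') {
            return 'SSL';
        }
    }

    return 'NONSSL';
}

// Constructed sample requests (not captured traffic).
$samples = [
    'direct https'       => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.7'],
    'via ssl proxy'      => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '192.0.2.10',
                             'HTTP_X_FORWARDED_SERVER' => 'ssl4.westserver.net'],
    'header, other peer' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.7',
                             'HTTP_X_FORWARDED_SERVER' => 'ssl4.westserver.net'],
    'plain http (IIS)'   => ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.7'],
];
foreach ($samples as $name => $server) {
    printf("%-19s => %s\n", $name, detect_request_type($server));
}
```

In `application_top.php` the result would be assigned to `$request_type` in place of the single-condition line discussed above.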
