
osCommerce

The e-commerce.

credit card security code


smokey2008


How do I set up my site to allow my customers to enter their 3-digit security code that's on the back of their credit cards?

My clients are processing their orders manually with a credit card machine in the office, so they are just punching in the numbers that are on the order that osC collects. That machine is set up to require the entering of the 3-digit code. It has to be done.

 

I'd also like to get rid of the "Cash on Delivery" option that's at the bottom of that box when users select the method of payment; I couldn't find the file to edit this out. They'd like to perhaps even put a link in its place (to a new page) for those who wish to pay with a check. That page would give instructions about paying by check.

 

Anybody have a clue as to how to handle these 2 issues?

 

thanks,

 

Smokey


1. You/your client is not allowed to store the CCV code. Doing so can lead to heavy fines and loss of their merchant account.

 

2. You can enable/disable payment methods in the store admin under modules >> payment


Hi Rick,

 

Nick is right. It is against all merchant agreements for a merchant ever to record the CCV number, either electronically, on paper, etc. It is intended as a real-time verification method.

 

The heart of your client's problem is actually that they are using the "work around" of collecting CC data via their website and osC, and entering it into their POS machine. This will also be in breach of the merchant agreement they have with their bank. Banks require businesses to have a specific merchant agreement that includes e-commerce, in order to accept any transactions that originate electronically.

 

So, in short, problems with accepting CCV numbers are the least of their worries. They need to approach their bank about engaging in e-commerce transactions properly. And they probably shouldn't mention what they've been doing with their POS machine!

 

~Wendy


Well, if that's the case, and the CCV number can't be stored, isn't there a way to have the customer enter it to verify the credit card? I know I've seen this on other web sites. Is there something that can be done in osC to validate the card with this number even if it's not going to be stored?

That's the whole purpose of the CCV, right - to verify?

 

Smokey


Yepp, you've got it right. My online store accepts CCV, as do most these days - and taking the CCV number really is essential to help prevent fraud.

 

In the case of my store, the shopping cart system is hooked up to my payment gateway (Moneris Canada, a part of Bank of Montreal and Royal Bank) via software that was provided by Moneris (and also available here on the forum, in Contributions). The software contains a module that allows me to turn "off" or "on" CCV verification by pressing a toggle in my admin panel. When I activate CCV, a field appears for it in my payment page. I can also activate AVS (address verification) this way, which provides another level of security for me as a merchant.

 

Without a proper e-commerce merchant account that provides the functionalities that I've described above, I can't imagine how your client could validate CCV online.

 

~Wendy


Thanks, Wendy.

 

Interestingly enough, I've spoken with someone who has used Zen Cart and he says the field is there in the default setup for the customer to enter the CCV. In Zen Cart after the CCV is used there is even a button to delete the number. Too bad I'm not working with Zen Cart.

 

In your last post you said you didn't see a way my client could validate CCV online. They don't need to; they have that machine on their office desk they use when taking orders over the phone. They would manually enter all the info they collect online to process the order. That's when the verification would happen.

 

But I'll take your advice and ask my client about their agreement with their bank.

 

Thanks.

 

S


It may be illegal but...

 

Here is the info you seek in the link provided.

 

It will give you the codes to update your site so CCV codes show up in the order & it also gives you the option to delete the CCV & Credit Card Numbers after you're done processing the order & keeps the rest of their info intact...

 

CCV Install

 

Hope it helped..

 

Jeff G.


Thanks, Wendy.

 

Interestingly enough, I've spoken with someone who has used Zen Cart and he says the field is there in the default setup for the customer to enter the CCV. In Zen Cart after the CCV is used there is even a button to delete the number. Too bad I'm not working with Zen Cart.

 

In your last post you said you didn't see a way my client could validate CCV online. They don't need to; they have that machine on their office desk they use when taking orders over the phone. They would manually enter all the info they collect online to process the order. That's when the verification would happen.

 

But I'll take your advice and ask my client about their agreement with their bank.

 

Thanks.

 

S

If they are taking orders over the phone, the information is not stored in the database.

 

There is an addon called phone payment (or similar) that can be installed. It does not collect the sensitive information.


Hi Rick,

 

Yepp, it shouldn't be a big deal, technically, to add a field for CCV. Even if the contributions mentioned didn't solve the issue (and they probably do :) ), someone with a reasonable knowledge of PHP/HTML could do it.

 

I'm also glad that you'll ask your client to look into their merchant agreement. Many don't know that the way they are operating is against the rules. I myself intended to do it the way your client is, until I found more information on the issues involved (right here on the forum). Once I became more informed, I felt that I would be compromising the security of my customers' information by cutting corners. But when it comes to breaking rules - HA! - I love breaking rules! As long as no one gets hurt.

 

Best of luck,

~Wendy


It may be illegal but...

 

Here is the info you seek in the link provided.

 

It will give you the codes to update your site so CCV codes show up in the order & it also gives you the option to delete the CCV & Credit Card Numbers after you're done processing the order & keeps the rest of their info intact...

 

CCV Install

 

Hope it helped..

 

Jeff G.

Hi Jeff! I've been on this site trying to find how to get my OsCommerce shopping cart to ask for the CCV code. I read thru the answers and you sounded so confident in your reply, I thought I'd take a chance and ask you this question. Do you by chance do this for a living? I am so lost at this point. The people that I contracted to create my website with the shopping cart have vanished. I am trying over and over to find someone to help me, but they pretty much all tell me that the people that created it made it too hard for them. Bottom line, I thought I would just ask for the cc on the website and then input it into the QB's version of accepting credit cards. My cart currently does not ask for the CCV and I need it to. Do you.....or anyone you know, offer assistance with things like this? I know VERY little about this stuff. Thank you in advance for your reply. Gale


Y'all have me worried now, I am just going to a Trust Wave verification via my processor 'Elavon'.

 

I was under the assumption that none of my clients' credit card info is stored on my database.

 

Trust Wave sort of requests that I start asking for the CVV2 code.

 

Now you keep harping on the illegality of this action.

 

Is it all right if my processor collects it? Is it then not stored in the database?

 

Thanks

Wolfgang


Not to worry, Wolfgang - it is perfectly appropriate for your processor to collect the CVV data. They will just use it for verification, and assumably dump it automatically.

 

As long as it does not reside (or persist) in your database, you are breaking no rules.

 

The way my arrangement with Moneris works, I never even see the CVV code and it never sits in my database, even though my payment page collects it. The arrangement with Elavon is probably similar.

 

Hope this helps,

~Wendy
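The arrangement described in the post above (the payment page collects the CVV, the processor verifies it, and the store's database never holds it) can be sketched as follows. This is an added example, not code from the thread, osCommerce, Moneris or Elavon; every function and field name is hypothetical, the gateway reply is a stub, and reducing the card number to its last four digits is an assumption added here.

```php
<?php
// Added example: hypothetical names throughout; not osCommerce or gateway code.

// Fields that may go to the processor but must never be persisted by the store.
const TRANSIENT_FIELDS = ['cvv', 'card_number'];

/** Build the payload sent to the processor; the CVV lives only here. */
function build_gateway_request(array $form, string $orderId): array
{
    if (!preg_match('/\A\d{3,4}\z/', $form['cvv'] ?? '')) {
        throw new InvalidArgumentException('CVV must be 3 or 4 digits');
    }
    return [
        'order_id'    => $orderId,
        'amount'      => $form['amount'],
        'card_number' => $form['card_number'],
        'expiry'      => $form['expiry'],
        'cvv'         => $form['cvv'],
    ];
}

/** Build the row the store keeps: no CVV, card reduced to its last four digits. */
function build_order_record(array $form, string $orderId, array $gatewayReply): array
{
    $record = [
        'order_id'   => $orderId,
        'amount'     => $form['amount'],
        'card_last4' => substr($form['card_number'], -4),
        'auth_code'  => $gatewayReply['auth_code'],
        'cvv_result' => $gatewayReply['cvv_result'], // match/no-match flag, not the code
    ];
    // Guard: fail closed if a transient field ever leaks into the stored row.
    foreach (TRANSIENT_FIELDS as $field) {
        if (array_key_exists($field, $record)) {
            throw new LogicException("Refusing to persist field: $field");
        }
    }
    return $record;
}

// Constructed sample input (test card number, made-up reply from a stubbed gateway).
$form  = ['card_number' => '4111111111111111', 'expiry' => '12/30',
          'cvv' => '123', 'amount' => '49.95'];
$req   = build_gateway_request($form, 'ORD-1001');
$reply = ['auth_code' => 'A1B2C3', 'cvv_result' => 'M']; // stub: no network call
$row   = build_order_record($form, 'ORD-1001', $reply);
unset($form, $req); // remove the variables holding the card data once the reply is in hand
print_r($row);
```

The same separation has to hold for anything else that records the request, such as order confirmation e-mails, debug logs and session data.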


Not to worry, Wolfgang - it is perfectly appropriate for your processor to collect the CVV data. They will just use it for verification, and assumably dump it automatically.

 

As long as it does not reside (or persist) in your database, you are breaking no rules.

 

The way my arrangement with Moneris works, I never even see the CVV code and it never sits in my database, even though my payment page collects it. The arrangement with Elavon is probably similar.

 

Hope this helps,

~Wendy

 

Wendy,

 

Thanks so much, I just managed to install the field and the 'Present' 'Not Present' pull down menu. I am using the ViaKlix module. And all is working well.

Still trying to get a little flash contribution to work, that shows the customer where the code is, found some old 2003/2006 contribution. But no luck so far.

I'm sure I'll stumble onto something eventually.

 

Thanks again

Wolfgang


I wouldn't worry too much about the flash demo - I think most customers know where to find the CVV number these days (but that's just my experience). :)

 

~Wendy

 

You are probably right, Thanks


Archived

This topic is now archived and is closed to further replies.
