
Does osC capture credit card information?


AloeRoot

Posted

Hi there folks. I just had a customer email me the following regarding a transaction in my store. She thinks her card information was harvested and then used to make a second purchase elsewhere.

 

I did use my debit card (it is a Visa-branded card). Your store charge on 4/21/09 was correctly applied to my credit union checking account on 4/23/09.

This was the first (and only) time I have used this debit card in many months, if not years. My credit union was quite specific that it was this same debit card ending in ___ and expiring ___ that the unauthorized billing was charged against, dated 4/24/09 and applied 4/27/09, receipt _________ to ________ for $99.92 along with a currency conversion fee of $1.00. Also unusual, there is no phone number listing on the unauthorized charge. My credit union is investigating.

 

Now, this customer paid for her items via the PsiGate XML service. She would have entered her credit card details in the secure checkout area of my shop, which is secured by SSL, and they would have been securely transmitted to PsiGate for processing, right? So for her card details to have been captured, somehow they would have had to be intercepted either at the point she was entering them into the checkout page, or somewhere afterward as PsiGate was processing the transaction, correct?

 

osC doesn't actually store the credit card number in its database anywhere, does it? Neither does the PsiGate XML addon - I checked by browsing the tables using phpMyAdmin. Is this the case? That would rule out the possibility of a hacker potentially accessing the osC database to gain financial information, which means this is either a coincidence, there's something wrong with my cert, or something happened at PsiGate's end, which all seems unlikely to me.

 

Any suggestions?

Posted

Depending on how your site was set up, the CC info may be on your server. Sites that like to process off site will have the data saved. Of course, the CC info must be deleted asap once it is processed. You might check in admin/customers/orders. That's one area that it may be saved.

 

Is your site PCI compliant? Visa and Mastercard require it or you face a very stiff penalty. Your processor can recommend a scanning service. You can pay for daily, monthly or quarterly scans.

 

Hope this helps.

Mark

Posted

If PSIgate is like Protx (now Sage Pay) then I do not believe your site will hold any unencrypted card information. This is normally done through PSIgate themselves and you will not see this information.

 

As for PCI compliance this is down to the gateway people like Protx as I use them and hold no customer card details.

 

Ever thought that this person might be trying to pull a fast one? Why would it be a card that they have not used for "Months perhaps years" gets its details taken the only time they use it?

 

Just all sounds a bit fishy to me.

Better to be looked over than overlooked!

Posted

Hi Stephanie,

 

It is right for you to be concerned, but I agree with clrob11 - this sounds a bit fishy. I've been monitoring the forum for over a year and have never seen a post like yours.

 

I also think it is highly unlikely that CC #s are stored anywhere in your osC database. That's the whole point of off-site processing - you don't store the CC #s yourself, and so you don't officially need PCI certification (although it's never a bad idea, since you do store name and address info).

 

Don't be surprised if the next thing you hear is that she wants money from you as compensation. Let us know what happens!

 

Best wishes,

~Wendy

Posted

Look in the table orders, there are at least 2 cc-related fields in there, I believe the default cc module stores info in these fields.

 

Are they blank for this customer?

 

Probably be a good exercise for all shop owners to check this after they have made a test cc purchase.

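An added example, not part of the thread or of osCommerce: one way to run the check suggested in the post above after a test purchase. It scans every text column of an orders table for full, Luhn-valid card numbers; the in-memory SQLite table, its column names and its rows are constructed stand-ins for the shop's real MySQL table.

```python
import re
import sqlite3

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_stored_pans(conn, table="orders", key="orders_id"):
    """Return (row key, column) for each field holding a full card number.
    `table` and `key` are set by the auditor, never taken from user input."""
    cur = conn.execute(f"SELECT * FROM {table}")
    cols = [c[0] for c in cur.description]
    hits = []
    for row in cur:
        rec = dict(zip(cols, row))
        for col, val in rec.items():
            if col == key or not isinstance(val, str):
                continue
            if any(luhn_ok(re.sub(r"\D", "", m.group()))
                   for m in PAN_RE.finditer(val)):
                hits.append((rec[key], col))
    return hits

def demo():
    # Constructed sample data: 4111111111111111 is a well-known test number.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orders_id INTEGER, customers_name TEXT, "
                 "cc_type TEXT, cc_owner TEXT, cc_number TEXT, cc_expires TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?)", [
        (1, "Test Buyer", "", "", "", ""),                                    # nothing kept
        (2, "Test Buyer", "Visa", "Test Buyer", "4111111111111111", "0412"),  # full number
        (3, "Test Buyer", "Visa", "Test Buyer", "4111XXXXXXXX1111", "0412"),  # masked
        (4, "Test Buyer", "Visa", "Test Buyer", "4111 1111 1111 1112", ""),   # fails Luhn
    ])
    return find_stored_pans(conn)

if __name__ == "__main__":
    for order_id, column in demo():
        print(f"order {order_id}: full card number in column {column!r}")
```

Against a live shop the same function would need a MySQL connection in place of the SQLite one, and any hit means card data is being retained on the server.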

  • 2 weeks later...
Posted

Consumers can have rogue keyloggers installed on their machines, so just because they were at your site doesn't mean you (or your gateway) are the only possible leaks... frankly, I see so many mucked up computers that it's a wonder they can hold us liable for anything.

 

"A separate IDC study found in 2006 that 29 percent of Web sites and 61 percent of peer-to-peer sites are infected with software containing Trojans, spyware and keyloggers." She could have picked up a bug anywhere and as she used it, her own machine compromised it. The thieves are advanced criminal syndicates these days, I'm quite sure that they have huge databases to bounce their stolen cards off of when acquired. It's possible that something like that makes her long unused card prime for the jacking.

Archived

This topic is now archived and is closed to further replies.
