Kevin360, posted July 7, 2009

I have my shop on a secure VPS and use an SSL certificate for my site. Is it safe for me to collect credit info using the credit card option in osCommerce that saves the CC info on the database?

multimixer, posted July 7, 2009

The module there is just for demonstration purposes. I would say absolutely NO.

My community profile | Template system for osCommerce - New: Responsive | Feedback channel

Kevin360 (Author), posted July 7, 2009

See... I'd tend to agree with you... however my host says everything is secure and that they don't see an issue with storing the CC info on the database there... ???

multimixer, posted July 7, 2009

I don't like to ask this in general, but here I have to: Why do you want to do this? And also, do you think that people will just type their cc info into your site, not knowing what will happen with it?

Kevin360 (Author), posted July 7, 2009

> I don't like to ask this in general, but here I have to: Why do you want to do this? And also, do you think that people will just type their cc info into your site, not knowing what will happen with it?

Well... I'm asking because I have paypal pro... but am having issues with the module and would like to set up this as a temp. option. I don't like the idea of doing this permanent.. even if it is safe.

Do I think people will just type their cc info in my site... well ... haha... I offer products, and in order to buy the product... this is how it's done. When my paypal pro was working, it took CC info on the site, just like every other where it seems as though the site is accepting the card info directly (I also offer checks to be mailed in and paypal standard (which takes you to the paypal page to pay)). The osCommerce default CC module acts the same... just accepts the card on my site, only difference is it stores the card number on a database on my server instead of paypal server handling it. I can then take the CC info and enter it as if it was a phone order to process the card.

Not to be a smart ass... well... a little bit... Hopefully people know that when they search a website that offers products, and add a product of their liking to a cart and expect to pay for that product, they'll probably end up putting their cc info in. I don't just have a blank page that says... PLEASE PUT CC INFO IN TEXT BOX BELOW AND HIT SUBMIT.

anyways... I've disabled it for now and am only offering check, paypal, or by phone. I'll fix the paypal_direct module eventually...

MrPhil, posted July 7, 2009

Handling credit card information is a complex business. Not only do you need SSL to encrypt transmissions back and forth between server and browser, but you need extra security on the server end. That your host says "no problem" shows that they have no idea what they're talking about.

Depending on where you are and where you operate, there are myriad laws and regulations governing the handling of sensitive personal/financial information, as well as security standards imposed by your bank (merchant account/payment gateway). Your security measures will be audited and tested by the bank.

Presumably you have a merchant account that you want to use for this -- does it permit Web use? Many merchant accounts issued for brick-and-mortar stores do not permit online sales using them. Unless your operation is so large that the extra costs of a merchant account and proper security (and auditing) are less than PayPal's fees, why bother handling customer credit card information yourself? Don't forget the legal and financial impact on you if your security is breached.

If you want to continue, there's more discussion on the E-commerce Laws board on this site.

spooks, posted July 7, 2009

Regardless of the issues (I wholeheartedly agree with Mr Phil), have u taken all security measures, does your site pass the tests?

http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions: Auto Backup your Database, Easy way | Multi Images with Fancy Pop-ups, Easy way | Products in columns with multi buy etc etc | Disable any Category or Product, Easy way | Secure & Improve your account pages et al.

multimixer, posted July 8, 2009

> Do I think people will just type their cc info in my site... well ... haha... I offer products, and in order to buy the product... this is how it's done.

> Not to be a smart ass... well... a little bit... Hopefully people know that when they search a website that offers products, and add a product of their liking to a cart and expect to pay for that product, they'll probably end up putting their cc info in.

With "typing the cc info into your site" I didn't mean the screen! It's all about where the data will be stored and in what way it will be transferred to there. I would never type my info just like this, only if I know that there is one of the well-known trusted companies handling my information.

Don't forget that people are prepaying you for goods that they didn't receive yet, so you request already a lot of trust from them to do this. Isn't it worth to offer them a bit of security?

Well, anyway, thank you for the tutorial about how the buying process is going on.

It's an interesting thought to take the risk of storing cc info yourself instead of repairing a module. "Eventually" you said, well, there is still a window open.... Would it be an option to cancel any ssl if having problems installing it? Eventually I mean.

Kevin360 (Author), posted July 27, 2009

This was just a question that somehow turned into something that I was doing. I never accepted CC info or stored it myself. I was only asking. I use paypal pro and direct payments... as well as have available to send a check for people that aren't comfy putting in info online. When the module gave me problems, I asked... got my answer and found that my question about security had been turned into a statement that I accept CC info.

And you are welcome for the tutorial. I'm sure it came in handy.

Archived
This topic is now archived and is closed to further replies.