osCommerce

Solution Needed For Manual Credit Card Capture


Tim_A


Hi all,

 

I've had a search through the forum but can't really find what I'm after (not really sure what to search for).

 

Someone I'm building a store for wants to take payments manually (i.e. a customer logs in, places the order and fills in the credit-card details, then the store owner runs the payment through themselves), a sort of manual encrypted credit-card capture.

 

Is there a module for something like this? Are there security concerns?

 

Many thanks for any help

 

Tim


In order to capture credit or debit card numbers you need to have PCI compliance, and you and your host/datacentre must complete the SAQ D.

 

It will cost you an arm and a leg to be PCI SAQ-D compliant; you will have to pay a host/datacentre phenomenal amounts of money per month.

 

I have PayPal WPP, it has been authorised by Paypal and I can start using it but I have opted for PayPal IPN instead because in order to use WPP and take credit/debit card numbers online on my site I need to have the most expensive level of PCI and that is SAQ-D level 5.

 

Now to answer your question: If you wish to capture debit/credit card numbers and process them manually then you can achieve that with PayPal WPP but you must pay for a dedicated server to run your website and you must pay for a dedicated server to run your database as well as meet other strict instructions.

 

I advise you against doing it, as your business needs to be turning over your monthly hosting fees as well as charges per transaction, as well as make you a profit at the end of the day.... forget the idea and re-think your plan.

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH


Your client's merchant agreement probably forbids them from accepting CC numbers over the web and manually entering them into their store terminal. Big trouble if they're caught doing that, and not the least PCI-DSS compliant.


I have PayPal WPP, it has been authorised by Paypal and I can start using it but I have opted for PayPal IPN instead because in order to use WPP and take credit/debit card numbers online on my site I need to have the most expensive level of PCI and that is SAQ-D level 5.

Are you sure that is WPP and not the Payflow option?

I recently set up WPP and my PayPal account rep read over my SAQ statement before I signed it; I did not fill out the SAQ-D level.

 

The "transmittal" question really threw me off, because the buyer is entering that data on a form on my server, but the account rep insisted "PayPal transmits the data" and not me or my server.


Are you sure that is WPP and not the Payflow option?

I recently set up WPP and my PayPal account rep read over my SAQ statement before I signed it; I did not fill out the SAQ-D level.

 

The "transmittal" question really threw me off, because the buyer is entering that data on a form on my server, but the account rep insisted "PayPal transmits the data" and not me or my server.

 

That is what someone in PayPal said to me too but here is their PCI page: PAYPAL PCI COMPLIANCE PAGE

 

This is the part on the page which is the most important:

 

How does my business become PCI compliant?

You can either use PayPal Website Payments Standard, Email Payments, or Payflow Link.* Or if you are storing, transmitting, or processing payment card information, you must:

 

• Build and maintain a secure network to protect payment card information

• Maintain a vulnerability management program

• Implement strong access control measures

• Regularly monitor and test networks

• Pass quarterly remote vulnerability scans

• And more …

 

So there you have it. If you are using PayPal Website Payments Standard, Email Payments, or Payflow Link then it is easy as all payments are entered on the PayPal server and on the PayPal page.

 

And PayPal goes on to say: Or if you are storing, transmitting, or processing payment card information, you must do the rest of the things they asked. The fact that the card data is entered in your osc-store, on your server, means you are transmitting the data. I have an email from PayPal stating my servers and so on DO NOT need to have PCI compliance because WPP is PCI compliant, but when I complained to PayPal they sent another email stating that PCI compliance WAS necessary when using WPP.

 

I decided to go for the safe option. You should think about what you are doing before proceeding with a live store, because if there are security risks to your store, if you have not added patches to plug vulnerabilities, then your database could be hacked and various customers and their last 4 digits (even though of no significance) could be stolen, and that means you will get a whopping fine from the credit card companies. WPP can NEVER get PCI compliance on a shared host; the DB part must be on a dedicated server with no internet access and can only have a local link to the application (website) server - that is STRICT!

 

And finally, here is the PCI Standards Page with the table showing which merchant needs which type of PCI compliance: PCI SECURITY STANDARDS

 

By definition WPP can be used by completing SAQ-C but oscommerce does store the last 4 digits and associated customer details in the database so SAQ-D would be the right thing to have.

 

I was going to use WPP but cannot risk getting huge fines and so on just in case the compliance is not correct, therefore I am using PayPal IPN and outsourcing the transaction to PayPal's payment page. I will however use WPP and allow customers to pay using cards on my site, as it speeds up the checkout process and is more user friendly, but I can only do that when the business is turning over a lot of money so I can recoup the huge hosting costs because of the PCI compliance!

CHOOCH


From what I gather (their page leaves a lot to the imagination), what they require (based on that page) is either included in the average PCI scanning by companies like McAfee & Comodo (I pay about $240/yr, seems to be different for everyone) or security measures they expect you to take (such as, not using weak SSL etc etc). I wonder why they don't state what level of SAQ you have to be, though.

 

 

 

The other day I came across a PCI standards page that indicated CVV cannot be -shown- but yet just about every WPP (oscommerce) addon shows them; additionally, storing the last four digits is allowed, as long as the rest of the number is XXX'ed out (ONLY the 4 digits stored, everything else replaced and/or not present); CVV and no other card-related data is stored.

 

I also came across a blog post (not official PCI to my knowledge) that stated the fines are waived if you can prove you were PCI-compliant at the time of intrusion.

 

 

There seems to be an exorbitant amount of misinformation out there about PCI. I'm following up with my PayPal rep to ensure I wasn't given some incorrect information; but I have seen others say the info they get from basic PayPal support leaves much to be desired and they get different answers from different people.

Considering how serious PCI can become, every support rep should be giving the same answers.

 

 

Payflow Link then it is easy as all payments are entered on the PayPal server and on the PayPal page.

In my PayPal account I have the option to sign up for Payflow and it states (just like WPP) that I must be PCI compliant in order to use it.


For some reason I cannot edit my post anymore. Here is a good article that describes PCI based on my understanding: http://utropicmedia.net/obtain-pci-compliance-for-ecommerce-websites

 

I am still very anxious to hear back from my PayPal rep, I am curious if I filled out the SAQ incorrectly.

Nevertheless, I am still undertaking regular PCI scans every month which would make my site fall under category 4, with most online vendors.


I used the free McAfee PCI scanning only once as part of the freebie for signing up with WPP. I failed on 14 points including not renaming the admin and downloads folder.

 

I have the scanning report; it is actually very good to pinpoint where the failure is. Anyway, I have rectified all of the issues (I think) but see no need to scan just yet until I am ready to pay for the dedicated server and dedicated database server.

 

You mention getting fines waived if you were PCI compliant at the time of the intrusion; that is true, but you need to be PCI compliant in the first place, and the key is that for accepting credit card input on your site via PayPal WPP you cannot be PCI compliant unless (amongst other things) you have a dedicated database server that is not connected to the internet and is connected solely to your application (website) server.

 

Now there is a small part of confusion here because if PayPal really are the ones doing the 'transmitting' and they say that is the case in writing (I have two emails from PayPal support that contradict each other) then you still need PCI compliance simply because of the PCI options: PCI COMPLIANCE SECURITY STANDARDS

 

[image: pci.gif]

 

SAQ-A - is for outsourcing the payment to merchant payment pages, so does not apply in the WPP case.

 

SAQ-C - can be used if the oscommerce checkout is modified and the DB does not show or store the last 4 digits.

 

SAQ-D - is the only thing left and it is the most expensive, but even in the circumstances where you can use WPP and get PCI compliance on SAQ-C by not storing the card data, you have to remember the SAQ-C clearly states in its documentation that:

 

The payment application/internet device is not connected to any other system within your environment

 

... and that means a dedicated server, not shared web hosting. This way it seems you can get away with using WPP on one server, but if you store card numbers or data you must use a dedicated database server too. Firewalls and so on are add-ons that must be used, as the PCI Standards clearly state.

 

I have an email from PayPal Support stating that my servers/hosting and I do not need to have PCI compliance because PayPal is PCI compliant but that is absolute codswallop and does not make sense. When I chased it up with another member of the PayPal Support team I received an email stating PCI compliance is a must regardless because of WPP.

 

When you have an update do post back here so we can see what PayPal say to you.

CHOOCH


(Tried re-edit but could not)

 

By the way it clearly states and refers to what I believe is PayPal and those companies like it in the SAQ-C:

 

Your company's payment application vendor uses secure techniques to provide remote support to your payment system

 

So yes, it can be done on SAQ-C if you modify the osCommerce store to stop it entering the last 4 digits of the card number and to stop it appearing in admin/orders.php etc.

 

I just read the excellent information in the link provided, it explains everything really well.

CHOOCH


If level 5 were expected I think it's safe to assume none of us would be using it. Who would pay PayPal $30/mo only to have to shell out another $100k for server maintenance?

If it turns out to be (which I'm doubtful), I assure you I will get rid of it.

 

 

On my first scan I failed with only warnings (no holes). All of which were fixed in less than 72 hours, re-scanned and am now 'Compliant'.

 

This is a bit screwy word-wise, but from what I gather of this, last four is allowed: http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=8716&n=3&s=

Systems that store only truncated PANs (defined as a maximum of the first six and the last four digits) can be considered out of scope for PCI DSS.

Linked directly from pcisecuritystandards.org


If level 5 were expected I think it's safe to assume none of us would be using it. Who would pay PayPal $30/mo only to have to shell out another $100k for server maintenance?

If it turns out to be (which I'm doubtful), I assure you I will get rid of it.

 

 

On my first scan I failed with only warnings (no holes). All of which were fixed in less than 72 hours, re-scanned and am now 'Compliant'.

 

This is a bit screwy word-wise, but from what I gather of this, last four is allowed: http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=8716&n=3&s=

 

Linked directly from pcisecuritystandards.org

 

Well there you go then, it is clear SAQ-C would suffice for you :thumbsup:

 

As per the link you provided it is clear you cannot use WPP on a shared host. I take it you are using a dedicated server or Virtual Dedicated Server?

 

Due to additional complexities introduced by the SAQ-C requirements, including the fact that service providers must also be certified PCI compliant, traditional shared hosting options become impossible. Quarterly PCI website security scans are required for merchants that fill out a SAQ-C.

 

UtropicMedia.net:

CHOOCH


That is correct, I am on a dedicated server.

 

I have also edited my WPP API to hide the CVV from being displayed on checkout_confirmation.php - I looked high and low and I cannot find the page that stated displaying it is forbidden. If I spot it, I'll post it here.


That is correct, I am on a dedicated server.

 

I have also edited my WPP API to hide the CVV from being displayed on checkout_confirmation.php - I looked high and low and I cannot find the page that stated displaying it is forbidden. If I spot it, I'll post it here.

 

I cannot recall anything about CVV being hidden but I do recall reading somewhere it should not be captured in the database (for obvious reasons).

 

To go by the strictest of rules your host company/data centre has to be PCI compliant too; I am trying to find one to save time looking when I am ready to get going with mine. Who are you with, and are they cost effective?

CHOOCH


I don't store anything but the last 4 digits, credit card type (Visa, MC, etc) and AVS match response; that sort of stuff.

The CVV and full CC#, credit card name, etc. do not get stored.

 

I haven't come across any requirements for the data center, unless you're on the highest level of PCI (which I am not, I do not process millions of transactions per year).

 

I am with The Planet and my dedicated box is about $250/month.

 

I'm about to head out, have a nice weekend chooch.


Thanks for the tips about The Planet, I think I will have to give them a miss because I need a UK based company with servers in the UK.... Anyway, you have a great weekend too :thumbsup:

CHOOCH


chooch, I heard back from PayPal and the requirement for Website Payments Pro is only SAQ-C and I need to provide them with the results of my PCI scan.

 

Additionally, if you have any other websites on your dedicated server (such as a test site, or a personal site) you need to scan those as well. I'm not sure who you use for scanning, but Comodo lets me add up to 6 different websites to scan and I get a report of each site individually.


chooch, I heard back from PayPal and the requirement for Website Payments Pro is only SAQ-C and I need to provide them with the results of my PCI scan.

 

Additionally, if you have any other websites on your dedicated server (such as a test site, or a personal site) you need to scan those as well. I'm not sure who you use for scanning, but Comodo lets me add up to 6 different websites to scan and I get a report of each site individually.

 

Thanks bl00b.

 

I only scanned with McAfee using one of the 6 free scans you get when you sign up for PayPal WPP. Well, with SAQ-C things are certainly much easier to arrange and cheaper in cost than SAQ-D.

 

I think it should increase customer trust and result in extra revenue when customers see a credit card input field, so I am aiming to get on a dedicated server with a dedicated hardware firewall within 3 months, and then if things take off and the business is viable I can add a second server to load balance and then add a third to run the DB while still load-balancing between the other two.

 

I wish PayPal would remove the confusion by making it perfectly clear what the criteria are, as they are the merchant partner in this case, and I wish they would train up their personnel to stop giving different answers in different emails to the same questions!

CHOOCH


I agree! I was very worried when I saw your post, as I began to think I misunderstood the whole process of WPP & PCI Compliance. It was a relief to see I didn't; I only did the SAQ incorrectly, somehow I was given the SAQ-A by Comodo. I have since straightened this out with PayPal.

 

The increase in customer trust is primarily why I registered for WPP.

Additionally, I searched high and low for competitive rates from other suppliers, but none of them come close to PayPal's fee structure; WPP is actually very cheap. Maybe it's just because I'm outside of the USA, but the best rates I could find from merchant accounts in my country are (on average) 3.5% - 4.9% + $0.30 a transaction. Not to mention those ungodly monthly fees; most of which are much more expensive than WPP at $30/$35 a month.

 

 

For PCI compliance, while I'm sure it's a good step, you don't need the most expensive firewall. I simply use open source firewalls & virus scanners (APF: http://www.rfxn.com/projects/advanced-policy-firewall/ & ClamAV: http://www.clamav.net/lang/en/ are both very good, I've been using them both since I purchased my dedicated server years ago) -- side note: If you use nodos on your server you need to be aware of search engines getting blocked. I frequently have to go through my logs and release the blocked spiders and whitelist the IPs.

 

I haven't yet run into the need for having a load-balancing server, I just do my best to cache busy queries and I empty my database quite often (back up old/obsolete orders + purge incomplete orders, inactive customer accounts), so it keeps from having a lot of redundancy and probably speeds up the queries quite a bit; not having all those extra rows sitting there collecting dust.


Good to see you have your project under control. I accept it is a good idea to rummage through the DB and remove unwanted items that increase the size.

 

I know there are many firewalls, but to be honest the way I see it is that if there is a hardware firewall then the nasty stuff has to get past that first before even trying to exploit your dedicated server. With software firewalls the downside is the nasty stuff is already on your dedicated server.

 

It is just an opinion

CHOOCH


This topic is now archived and is closed to further replies.