URGENT - I don't want to keep cc numbers.


blair

Posted

Hi,

 

I am currently processing credit card numbers through an automated credit card gateway.

 

I have no need to keep credit card numbers after the payment has been processed (during checkout). Can someone suggest any contributions (I have searched myself) or a little mod to REMOVE or NOT STORE the cc numbers in the database as I have real security concerns about this.

 

I would really appreciate your suggestions!...

 

Looking forward to hearing from you.

 

Blair.

Posted

Oh boy, I didn't realize they were stored in the DB (I'm still getting the look and feel down). I certainly don't want them lingering either..

Posted

What OSC version are you using?

 

I guess the OSC team just can't win on this -> first they were catching flak for not being able to store CC numbers....now people are complaining about being able to store CC numbers....

 

Again, let us know what version you are using, etc. I've used MS1 2.2, and Ian's Loaded 5 several times, and have never run into OSC storing CC info...

I need to read the rules more often...

Posted
I'm using a Nov 2002 Version...
That *should* not store any credit card info in the database. However there are several options that you may choose between with OSC.

 

I believe the most secure in your case would be to store part of the CC number in the DB, and have the other part sent to you via email. That way if someone were to hack your db...they wouldn't get the CC numbers.

I need to read the rules more often...

Posted

After having a look around, specifically at checkout_process.php, does anyone see any problem in modifying one of the lines in the statement:

$sql_data_array = array('customers_id' => $customer_id,

.

.

tep_db_perform(TABLE_ORDERS, $sql_data_array);

from

'cc_number' => $order->info['cc_number'],

to

'cc_number' => substr($order->info['cc_number'], 0, 4) . str_repeat('X', (strlen($order->info['cc_number']) - 8)) . substr($order->info['cc_number'], -4),

I'm pretty sure this is done AFTER the card is processed anyway, so I shouldn't care what this field in TABLE_ORDERS is used for later?..

 

Thanks,

 

Blair.

Posted

The only time that a cc number should be stored is when you are using the Credit Card payment module.

 

If you are using the Authorize.net module or any other type of online processor, the number is not stored.

 

The lines of code that you mention are indeed the place to make the necessary change. Simply remove the lines that define the cc_number, cc_expire_date, and cc_name and you should be golden.

"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein
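
The masking proposed earlier in the thread, combined with the advice above to drop the other card fields, as an added example (not osCommerce code and not written by any poster). mask_pan() and strip_card_fields() are hypothetical helper names, and the field names are the ones used in the thread, so they may differ in your schema. It also covers the case where the number has 8 digits or fewer, where the one-line expression would hand str_repeat() a negative count.

```php
<?php
// Added example, not osCommerce code. mask_pan() and strip_card_fields() are
// hypothetical helpers; field names are the ones used in the thread and may
// differ in your schema.

// Keep the first 4 and last 4 digits, replace the rest with 'X'.
function mask_pan(string $pan): string
{
    // Forms and gateways may pass spaces or dashes; keep digits only.
    $digits = preg_replace('/\D/', '', $pan) ?? '';
    $len = strlen($digits);
    // With 8 digits or fewer, first-4 + last-4 would expose the whole value
    // and str_repeat() would receive a zero or negative count: mask it all.
    if ($len <= 8) {
        return str_repeat('X', $len);
    }
    return substr($digits, 0, 4) . str_repeat('X', $len - 8) . substr($digits, -4);
}

// Sanitize the order row just before it is written to the orders table.
function strip_card_fields(array $row): array
{
    if (isset($row['cc_number'])) {
        $row['cc_number'] = mask_pan((string) $row['cc_number']);
    }
    // Blank rather than unset, so the insert still supplies every column.
    foreach (['cc_expire_date', 'cc_name'] as $field) {
        if (array_key_exists($field, $row)) {
            $row[$field] = '';
        }
    }
    return $row;
}

// Constructed sample row (well-known test card number, not real data).
$row = [
    'customers_id'   => 42,
    'cc_number'      => '4111 1111 1111 1111',
    'cc_expire_date' => '1299',
    'cc_name'        => 'Test Customer',
];
print_r(strip_card_fields($row));
```

In checkout_process.php the call would sit between building $sql_data_array and tep_db_perform(TABLE_ORDERS, $sql_data_array).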

Archived

This topic is now archived and is closed to further replies.
