special cc# encryption module


Rodland


If I had the technical skills to do this I would do it myself, so if anyone fancies a challenge or a nice favour I would appreciate it big time:

 

The following are two modules to encrypt and decrypt cc# details for merchants who prefer to process the orders via their credit card terminal provided by their banks:

 

1) http://www.oscommerce.com/community/contributions,611

 

This uses a GPG public key to encrypt the middle 8 digits before sending it to a merchant's email address. (You need to download 0.92 - not just 0.94.) The merchant decrypts this data on their personal computer via their private key and processes the order manually.

 

2) http://www.oscommerce.com/community/contributions,1148

 

This is similar in that it encrypts and decrypts the cc# numbers, but it does this by encrypting the cc# numbers to the database and decrypting the cc# numbers to the client's browser, once the client has successfully logged in to the admin section. This contribution has more features than the one above (cvv, cc blacklist etc.). However, I perceive it to be less secure than the GPG version (I may be wrong here).

 

 

However, what I do think is that a combination of the two modules would be an awesome module and very secure.

 

For instance, the second contribution is used as the base point. It stores the cc# details encrypted in the database and reveals the decrypted cc# numbers to the client who has logged in, BUT the middle 8 digits are XXXXXXXX out.

 

These middle 8 digits are sent to the GPG module and encrypted before being sent to the merchant's email address.

 

In other words, the best of both worlds. Not only are the middle 8 digits encrypted and sent by email to the computer of the user who has the private key, but the rest of the numbers are also encrypted in the database and revealed only to the person who has successfully logged in.

 

What do other users think?

 

CMR


To do this, change (in cc.php from the cvv contribution):

    function after_process() {
      global $insert_id;

      if ( (defined('MODULE_PAYMENT_CC_EMAIL')) && (tep_validate_email(MODULE_PAYMENT_CC_EMAIL)) ) {
        $message = 'Order #' . $insert_id . "\n\n" . 'Middle: ' . $this->cc_middle . "\n\n" .
                   'CVV:' . $this->cc_cvv . "\n\n" . 'Start:' . $this->cc_start . "\n\n" .
                   'ISSUE:' . $this->cc_issue . "\n\n";

        tep_mail('', MODULE_PAYMENT_CC_EMAIL, 'Extra Order Info: #' . $insert_id, $message, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
      }
    }

to

    function after_process() {
      global $HTTP_POST_VARS, $insert_id;

      if ( (defined('MODULE_PAYMENT_CC_EMAIL')) && (tep_validate_email(MODULE_PAYMENT_CC_EMAIL)) && (defined('MODULE_PAYMENT_CCGPG_ENCRYPT')) && (MODULE_PAYMENT_CCGPG_ENCRYPT == 'GPG') ) {
        $message = 'Order #' . $insert_id . "\n\n" . 'Middle: ' . $this->cc_middle . "\n\n" . 'CVV: ' . $this->cc_cvv . "\n\n" . 'Start: ' . $this->cc_start . "\n\n" . 'ISSUE: ' . $this->cc_issue . "\n\n";

        // Random token so each order gets its own temporary file names
        $tmpToken = md5(uniqid(rand()));
        $plainTxt = "/home/equine-m/temp/" . $tmpToken . "anca";
        $crypted = "/home/equine-m/temp/" . $tmpToken . "anca.asc";
        $gpghome = "/home/equine-m/";  //where is your pubring? That dir has to have write access.
        $gpgpath = "gpg";   //where is the executable
        $gpgrecipient = "Glen Ross (emailkey) <[email protected]>"; //the key used for encryption

        // Write the plaintext message to the temporary file for gpg to read
        $fp = fopen($plainTxt, "w+");
        fputs($fp, $message);
        fclose($fp);

        // -e encrypt, -a ASCII armor, -r recipient; gpg writes the result to $plainTxt . ".asc"
        system("export HOME=" . escapeshellarg($gpghome) . ";" . $gpgpath . " --batch --always-trust --quiet --no-secmem-warning --compress-algo 1 -ear " . escapeshellarg($gpgrecipient) . " " . escapeshellarg($plainTxt));

        // Replace the plaintext message with the armored ciphertext
        $fd = fopen($crypted, "r");
        $message = fread($fd, filesize($crypted));
        fclose($fd);

        // Remove both temporary files
        unlink($plainTxt);
        unlink($crypted);

        tep_mail('', MODULE_PAYMENT_CC_EMAIL, 'Extra Order Info: #' . $insert_id, $message, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
      }
    }

I think that's it, except for modifying the GPG info to match your system.

 

Good luck,

Matt
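
The code in the post above writes the plaintext card fields to a temporary file before calling gpg. As an added example (not part of the original post or of either contribution), the variant below pipes the message to gpg over stdin so the plaintext never touches disk, and refuses to send mail if encryption fails. It assumes PHP 7.4+ and gpg on PATH; `gpg_encrypt_for_mail()`, `send_encrypted_order_info()`, the recipient and the keyring path are hypothetical.

```php
<?php
// Added example, not code from either contribution. Assumes PHP 7.4+ (array
// form of proc_open) and gpg on PATH. gpg_encrypt_for_mail() and its
// parameters are hypothetical names.
function gpg_encrypt_for_mail(string $message, string $recipient, string $keyringDir): string
{
    // Array form: arguments are passed to gpg directly, with no shell to quote for.
    $cmd = ['gpg', '--homedir', $keyringDir, '--batch', '--no-tty', '--quiet',
            '--trust-model', 'always', '--armor', '--encrypt',
            '--recipient', $recipient];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }

    // The plaintext only ever exists in memory and on gpg's stdin.
    fwrite($pipes[0], $message);
    fclose($pipes[0]);
    $armored = stream_get_contents($pipes[1]);
    $errors  = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // Fail closed: a non-zero exit or missing armor header means no ciphertext.
    if ($status !== 0 || strpos($armored, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg encryption failed: ' . trim($errors));
    }
    return $armored;
}

// Use inside after_process(), in place of the temp-file section. The keyring
// path and recipient below are placeholders.
function send_encrypted_order_info($insert_id, string $message): bool
{
    try {
        $body = gpg_encrypt_for_mail($message, 'merchant@example.com', '/path/to/.gnupg');
    } catch (RuntimeException $e) {
        error_log('Order #' . $insert_id . ': ' . $e->getMessage());
        return false; // never fall back to mailing the plaintext
    }
    tep_mail('', MODULE_PAYMENT_CC_EMAIL, 'Extra Order Info: #' . $insert_id, $body, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    return true;
}
```

Note that `--homedir` takes the keyring directory itself (typically the `.gnupg` directory), not the account's home directory that the post sets as `HOME`.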


wow! if this works!!!!!!!

 

.. not sure if the current ccgpg module works with ms1 though, so hope this does work!!

 

I'll give it a try and let you know.

 

Super million thanks!

Christian


Tried it but got this error in the payments modules of the admin pages:

 

Parse error: parse error, unexpected T_STRING in /home/httpd/vhosts/mydomain.com/httpdocs/catalog/includes/modules/payment/cc.php on line 913

 

Funny thing though the file cc.php doesn't have 913 lines!

 

Any ideas ?

 

CMR


  • 5 weeks later...

Probably a bit late now, but that error suggests that one of the (, ', or " is missing the other ), ', or ". That may be a problem in the posted code, or it may have been a typing error.

 

Hth,

Matt


Archived

This topic is now archived and is closed to further replies.
