
osCommerce

The e-commerce.

Credit Card Details & Processing


Netcomm UK


On my version of OSCommerce which I recently downloaded, 2.2 MS1, if you look in the orders section of the admin, it shows you the customers' credit card details.


Firstly, is this securely kept in the database or is there something I should do to hide these?


Secondly, can I use this as a way of bypassing the online cc processing companies as the people who the shop is for already have a manual cc machine on their premises and would prefer to use that if possible?


Thanks


In terms of configuration, there is an option to split the credit card number, storing half in the database and half in the order email. There are also contributions that encrypt one or the other halves. However, the default is to store the whole number in the database as plain text.


Hth,

Matt


It's not illegal, but it may be in violation of your processing agreement. Some agreements require you to have the card on hand when you do the transaction and keep a signed receipt. I've never heard of them actually checking this (if there isn't a problem), but if you have that kind of agreement and a customer asks for a chargeback, the processor is likely to grant the chargeback.


Hth,

Matt


What it is, I'm doing this store for a football club who already had an online shop but which was naff. They used to get the details emailed (!!) to them (which I informed them was not secure). They then processed on the card machine located in their shop at the club. It's in England.


They would preferably like to process cards themselves, and as they already do this for telephone orders, they must have authority from the processing provider/their bank.


I had told them that they could have it automatically done, but I guess it's something they need to ask the bank. It'd certainly save them money from having two separate processing systems and they'd get the money quicker, which is obviously important.


First of all, collect the CC# over an SSL connection.


There is a mod that splits the card number into two - 1/2 is emailed to the shop owner - not a problem as only 1/2 is sent (someone packet sniffing and looking at the emails would still have to plug in the other missing 6-8 numbers - which have 1 million to 100 million possible combinations). You could also use PGP to encrypt (uses 4096 bit encryption - better than SSL) your server email to the store owner - so even that would be unreadable.


The other 1/2 is stored on the server - get that over SSL - even if somehow someone broke into the server - they only have 1/2 of all CC numbers, with the same amount of possible combinations as stated above.


Manually combine the 2 halves and process offline as you do normally, like with your phone transactions.


If you want it any more secure than that - the simplest way is to accept CASH ONLY. However, that only works in face to face transactions.


I use TrustCommerce, which perhaps has special features. I dunno.


I had forgotten about having to install the "special module" to not have the CC# stored.

Is there an easy way to just not have it stored at all? RATS, now I have to go modify some carts and re-test them.


Seems to me the best situation would be for the processor module to store the returned transaction ID in the database instead of the CC#. In my state it's illegal to store the entire CC#, whether encrypted or not.


My customers all use a virtual terminal for post-processing anyway. They never see a CC# unless they take a phone order. The processor company (TC) has complete responsibility for storage and handling - no need for the cart to do it.

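The design the post above argues for - keep the processor's transaction ID and a masked card number, never the full PAN or the CVV - as an added example. This is not osCommerce code and not from any of the posters; it is written in Python rather than osCommerce's PHP to keep it stand-alone. The processor response shape (`transaction_id`, `approved`), the `TXN-EXAMPLE-0001` id and the sample order text are all constructed, and `4111 1111 1111 1111` is the widely used Visa test number, not a real card. The `redact_pans` check is the kind of guard a shop would run over order comments and outgoing emails so a full card number cannot leak into a record that was meant to hold only a reference.

```python
"""Data-minimising payment record: store a processor reference, not the card.

Added example; the processor response format and ids are constructed.
"""
import re
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("card number must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    return pan


@dataclass(frozen=True)
class StoredOrderPayment:
    """What the shop's database is allowed to keep about a card payment.

    Deliberately no field for the full PAN, the expiry or the CVV: the
    processor holds the card, the shop holds only a reference to it.
    """
    order_id: int
    processor_txn_id: str
    pan_last4: str


def record_payment(order_id: int, raw_pan: str, cvv: str,
                   processor_response: dict) -> StoredOrderPayment:
    """Build the persistable record from an authorisation result.

    `cvv` is accepted only to mirror a real authorisation call; it is never
    copied into the returned record. `processor_response` is a constructed
    stand-in for whatever the gateway returns.
    """
    pan = normalise_pan(raw_pan)
    del cvv                      # used for the authorisation only, never stored
    if not processor_response.get("approved"):
        raise RuntimeError("authorisation declined; nothing to record")
    return StoredOrderPayment(
        order_id=order_id,
        processor_txn_id=str(processor_response["transaction_id"]),
        pan_last4=pan[-4:],
    )


# 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Replace any Luhn-valid card number in free text with ****<last4>.

    Run this over order comments and outgoing emails before they are saved
    or sent, so a customer typing their card into a notes field does not
    put a full PAN into the database.
    """
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return "****" + digits[-4:]
        return m.group(0)        # a long number that is not a card: leave it
    return _PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample: a test card and a made-up gateway reply.
    resp = {"transaction_id": "TXN-EXAMPLE-0001", "approved": True}
    rec = record_payment(1001, "4111 1111 1111 1111", "123", resp)
    print(rec)
    print(redact_pans("customer note: my card is 4111 1111 1111 1111 thanks"))
```

The record that reaches the database carries enough to reconcile or refund through the processor (the transaction ID and the last four digits the customer will recognise on a statement) and nothing an intruder could charge. The redaction pass leaves other long numbers alone because it checks the Luhn digit before masking.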

5 weeks later...

I'm also in England. I'm building a couple of sites for small shops too. They both have their own credit card facilities, and are able to do "customer not present" transactions.


Presumably there shouldn't be a problem if I use the gpg credit card module (once I get the *&^*& thing to work!) which sends a separate encrypted email containing the credit card details. The shop can then keep the order email for their records, and delete the cc number.


Do I need to make sure the cc number is deleted from the db?


What about CV numbers (the security number on the back of the card)? I've heard there are legal problems with the collection of them too... can we just not use it?
