
osCommerce

The e-commerce.

Ok to send CC by email if split?


cgchris99


Put yourself in the place of the customer. Imagine you bought a product online from a store that assured you that your CC info was safe. Later that week you get a call from your CC company asking about the $20,000 you spent on your CC that week. It turns out that the online store you bought from sent your CC info via email which was intercepted and used to max out your credit card.

 

Would you think it was all right since they transmitted the info in two emails instead of just one?

 

Personally, I'd be hiring a lawyer and expecting a very big payoff from the lawsuit.

 

If you are still sure you want to continue (let me add your site to my verboten list), contact a lawyer in the state in which you are based and make sure that they specialize in this type of law. Be sure that you pay them for the consultation and get the answer from them in writing. At least then you may be able to put off some of the liability.

 

hth


This is not for my store. My store has full SSL.

 

But I have a customer that wants to use their manual credit card processing. They have a brick and mortar store.

 

What is the best way to manually process credit cards if you're not using the email function?


When you enable the cc module on the right, you can put in an email address and only the middle 8 digits will be in that email; the other 8 digits will be in your database in customers/orders.

 

The_Bear



My tech support just wrote (or modified) a script for me to GPG-encrypt the credit card numbers in Email without creating temp files along the way. On the database, only the first 6 and last 2 digits are stored.

 

It works like a charm! ( And makes me feel MUCH more secure about collecting credit card data... )

 

I don't know if they've posted the solution, but will ask them.

 

HTH,

 

TerryK

Terry Kluytmans

 

Contribs Installed: Purchase Without Account (PWA); Big Images, Product Availability, Description in Product Listing, Graphical Infobox, Header Tags Controller, Login Box, Option Type Feature, plus many layout changes & other mods of my own, like:

 

Add order total to checkout_shipment

Add order total to checkout_payment

Add radio buttons at checkout_shipping (for backorder options, etc.)

Duplicate Table Rate Shipping Module

Better Product Review Flow

 

* If at first you don't succeed, find out if there's a prize for the loser. *


Chris,

 

Though I'm slowly figuring this osCommerce stuff out, I'm incredibly PHP-challenged... so I don't understand (or even know) all of the mechanisms that were required to get this in place!

 

I'll forward the request along to my tech gurus and ask if they can post an answer, okay?

 

TerryK

Terry Kluytmans

 



There is a GnuPG contribution (which may be what Terry's host installed).

 

Two emails are barely more secure than one. The half-in-database, half-in-email approach is somewhat more secure than keeping it all in the database, because the types of exploit are different. However, if both halves are in emails, it is very unlikely that someone would exploit you in such a way as to get only one email but not the other.

 

Btw, you could also get the host to install a self-signed SSL certificate for the admin area. Self-signing does not work on the catalog side, because it allows for a man-in-the-middle type attack. It's just peachy on the admin side, where you can verify that it's actually your certificate before accepting (I believe that Mozilla actually allows you to permanently accept a self-signed certificate). The last time that I did this, I just googled for "self-signed SSL" for instructions. This would allow them to use The_Bear's solution safely.

 

Hth,

Matt
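Terry's approach above (GPG-encrypting the card data in the email without temp files) and the GnuPG contribution Matt mentions, as an added PHP example that is not osCommerce's own code or that contribution. It assumes gpg is installed, the merchant's public key has already been imported into the keyring under the given home directory, and the recipient, paths and sample order are placeholders.

```php
<?php
// Added example (not osCommerce code, not the GnuPG contribution): encrypt
// the order's card data to the merchant's own public key by piping it into
// gpg, so the plaintext never touches a temp file. Assumes gpg is installed,
// the merchant's key is already in the keyring under $gpgHome, and
// $recipient is a hypothetical placeholder. Needs PHP >= 7.4 for the array
// form of proc_open(), which avoids shell quoting entirely.

function gpg_encrypt_for_email(string $plaintext, string $recipient, string $gpgHome): string
{
    $cmd = [
        'gpg', '--batch', '--yes', '--armor', '--encrypt',
        // The keyring holds only the merchant's deliberately imported key,
        // so the web-of-trust check is skipped for unattended use.
        '--trust-model', 'always',
        '--homedir', $gpgHome, '--recipient', $recipient,
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);   // plaintext goes straight down the pipe
    fclose($pipes[0]);
    $ciphertext = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('gpg failed: ' . trim($stderr));
    }
    return $ciphertext;
}

// Keep only the first 6 and last 2 digits in the database, as Terry's host
// does; the full number then exists only inside the encrypted mail body.
function mask_card_number(string $number): string
{
    $digits = preg_replace('/\D/', '', $number);
    return substr($digits, 0, 6) . str_repeat('X', max(0, strlen($digits) - 8)) . substr($digits, -2);
}

// Constructed sample order (no real card data); the mail body built here
// is handed to the existing mail function as the message text.
$order = ['id' => 12345, 'cc_number' => '4111111111111111', 'cc_expires' => '12/09'];
$body = "Order {$order['id']}\nCard: {$order['cc_number']}\nExpires: {$order['cc_expires']}\n";
$encryptedBody = gpg_encrypt_for_email($body, 'merchant@example.com', '/var/www/.gnupg');
$storedNumber = mask_card_number($order['cc_number']); // 411111XXXXXXXX11
```

The ASCII-armored ciphertext can be mailed as plain text; only the holder of the merchant's private key (which should never live on the web server) can recover the card number.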

