
Credit Card Security



I am setting up a store, and we will process the credit card offline. So we will be using the credit card payment mod and the CVV mod too.

 

The site is going to be on a shared server, and it will have its own SSL certificate (not a hosts shared certificate).

 

I know this protects the admin and the checkout for server-to-client transactions. However, how is the credit card protected in the database? Is it stored encrypted?

Could my host technically get access to all my credit card details? If it is encrypted could my host or anyone working for my host find out the encryption key from my files and decipher the CC details?

 

I want to make sure the information stored is as secure as it possibly can be. What do I need to know about the default OS methods, and what should I be doing on top?


Your host has more access to the information than you know. If you have a reputable one, they do not worry about what you do except to make sure it is legal. So, some of the things you need to do are to protect your database with a tough username and a minimum 8-character alphanumeric and extended-character password. SSL is to protect the user while entering CC info into a system, along with their address info. Most people who process CCs do not store the customer CC, as that is something whose security can be breached; what they do instead is process their transactions online via an SSL connection to a reputable clearing house, and the CC info is never stored on your server. What is to prevent your employees from getting that info? Better off to just use a pass-through for the CC transaction: you never see the CC #, only the clearing house computer sees it and processes it to the CC company, and everyone is happy and has everything protected.


The problem with that is that we are going to have to process all the CC numbers manually, no option. So we have to store them for at least a short while.

 

I want to make sure they are stored safely. Can the host still access my DB if I use a good password?

 

Is password protecting the DB the only thing I can do?


Some good points Mibble, but it is important to point out that in "/checkout_process.php" the following code shows that in fact osC is storing the CC in the tables. I am glad I use PayPal as my payment solution; I never have to ask for a credit card.

 

............
    'cc_owner'       => $order->info['cc_owner'],
    'cc_number'      => $order->info['cc_number'],    // full card number, no encryption applied before insert
    'cc_expires'     => $order->info['cc_expires'],
    'date_purchased' => 'now()',
    'orders_status'  => $order->info['order_status'],
    'currency'       => $order->info['currency'],
    'currency_value' => $order->info['currency_value']);
tep_db_perform(TABLE_ORDERS, $sql_data_array);        // writes the row, card number included, into the orders table


When you enable the cc module in admin, you can use the "split card email address" option.

The middle 8 digits are sent by email and only the outside 8 are stored in the database.

 

The_Bear

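The split-card idea described above, and the GPG/split-email combination the thread ends on, both rest on the same rule: the orders table alone must never hold a complete card number. The following is an added illustration written for this page (Python, not the osCommerce module's own code); the 'X' mask, the 4-digit outer width and the record layout are assumptions, and the Luhn-based scanner at the end is a defender's check you can run over a database dump or log file to confirm no full number leaked.

```python
import re

# Constructed illustration of the "split card" approach from the thread:
# only the outer digits go into the orders table, the middle digits travel
# out of band (e-mailed to the merchant). Not osCommerce's module code; the
# mask character and keep=4 width are assumptions made for this example.
MASK_CHAR = "X"

def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and require a plausible all-digit card number."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13-19 digits")
    return digits

def luhn_ok(pan: str) -> bool:
    """Luhn checksum so an obvious typo is rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def split_card(raw: str, keep: int = 4) -> tuple[str, str]:
    """Return (db_value, emailed_part): the DB keeps first/last `keep` digits
    with the middle masked; the middle digits go out by e-mail."""
    pan = normalize_pan(raw)
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    middle = pan[keep:-keep]
    db_value = pan[:keep] + MASK_CHAR * len(middle) + pan[-keep:]
    return db_value, middle

def rejoin_card(db_value: str, emailed_part: str) -> str:
    """Merchant side: recombine both halves for the manual transaction."""
    masked = db_value.count(MASK_CHAR)
    if masked != len(emailed_part):
        raise ValueError("mailed part does not match the masked width")
    return db_value.replace(MASK_CHAR * masked, emailed_part, 1)

def contains_full_pan(text: str) -> bool:
    """Detection helper: does this text (DB dump, log, mail) contain a
    13-19 digit run, with optional spaces/dashes, that passes Luhn?"""
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False
```

Running `contains_full_pan` over the stored value returned by `split_card` comes back False, while the same scan over a plain checkout_process.php style insert of the full number comes back True.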

My web host used the GPG module on the site with some modifications, and I'm receiving my credit card information encrypted. Works great!

 

(I've asked them to post the fix they made so that temp files weren't created during the encryption process, but I don't think they've had a chance to post it.) Maybe your host can help you figure out the mod?

 

HTH,

 

Terry

Terry Kluytmans

 

Contribs Installed: Purchase Without Account (PWA); Big Images, Product Availability, Description in Product Listing, Graphical Infobox, Header Tags Controller, Login Box, Option Type Feature, plus many layout changes & other mods of my own, like:

 

Add order total to checkout_shipment

Add order total to checkout_payment

Add radio buttons at checkout_shipping (for backorder options, etc.)

Duplicate Table Rate Shipping Module

Better Product Review Flow

 

* If at first you don't succeed, find out if there's a prize for the loser. *


According to my credit card company, you cannot do manual transactions unless you have a switch machine for the shop side and a switch machine for mail order; it is not legal to do both on the same switch machine! Just a note in case you run a shop as well as online.


I SET UP MY OWN SERVER so that I have complete control, but that is a complex thing to do unless you have a lot of time on your hands to learn, and that is what I have. I don't know how much more secure it is than any other server solution, but I only have access to the DB and I only have access to the server. My cable bill is much more because I am running a dedicated server. Anyway, if this is not a more secure method, let me know.


According to my credit card company, you cannot do manual transactions unless you have a switch machine for the shop side and a switch machine for mail order; it is not legal to do both on the same switch machine! Just a note in case you run a shop as well as online.

 

In the UK, provided you have an internet merchant account with your bank, they are fine with us using the same machine, provided we use the cardholder-not-present setting!

 

I will probably look into the GPG mod and the split email mod; using both to send encrypted emails might be the best thing.


Archived

This topic is now archived and is closed to further replies.
