Guest, December 22, 2003: I am setting up a store, and we will process the credit card offline. So we will be using the credit card payment mod and the CVV mod too. The site is going to be on a shared server, and it will have its own SSL certificate (not a host's shared certificate). I know this protects the admin and the checkout for server-to-client transactions. However, how is the credit card protected in the database? Is it stored encrypted? Could my host technically get access to all my credit card details? If it is encrypted, could my host or anyone working for my host find out the encryption key from my files and decipher the CC details? I want to make sure the information stored is as secure as it possibly can be. What do I need to know about the default OS methods, and what should I be doing on top?
Guest, December 23, 2003: This is quite an important issue that I think should be discussed. Does no one have anything to say on the matter?
Guest, December 23, 2003: Your host has more access to the information than you know; if you have a reputable one, they do not worry about what you do except to make sure it is legal. So, some of the things you need to do are to protect your database with a tough username and a minimum 8-character alphanumeric and extended-character password. SSL is to protect the user while entering CC info into a system, along with their address info. Most people who process CCs do not store the customer CC, as that is something whose security can be breached; instead, what they do is process their transactions online via an SSL connection to a clearing house who is reputable, and the CC info is never stored on your server. What is to prevent your employees from getting that info? Better off to just use a pass-thru for the CC transaction: you never see the CC #, only the clearing house computer sees it and processes it to the CC company, and everyone is happy and has everything protected.
Guest, December 23, 2003: The problem with that is that we are going to have to process all the CC numbers manually, no option. So we have to store them for at least a short while. I want to make sure they are stored safely. Can the host still access my DB if I use a good password? Is password-protecting the DB the only thing I can do?
gottaloveit, December 23, 2003: Some good points Mibble, but it is important to point out that in "/checkout_process.php" the following code shows that in fact osC is storing the CC in the tables. I am glad I use PayPal as my payment solution; I never have to ask for a credit card.

    // ... earlier fields of $sql_data_array elided in the original post
    'cc_owner'       => $order->info['cc_owner'],
    'cc_number'      => $order->info['cc_number'],   // the full card number is written to the orders table
    'cc_expires'     => $order->info['cc_expires'],
    'date_purchased' => 'now()',
    'orders_status'  => $order->info['order_status'],
    'currency'       => $order->info['currency'],
    'currency_value' => $order->info['currency_value']);
    tep_db_perform(TABLE_ORDERS, $sql_data_array);   // inserts the row, card number included

GottaLoveIT
PHP5 Fixes; Cancelled Orders; Faster Page Loads, Less DB Queries; Enhanced Vendors; Category Images / Folders Tree
Guest, December 24, 2003: When you enable the CC module in admin, you can use the split card email address. The middle 8 digits are sent by email and only the outside 8 are stored in the database. The_Bear
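As an added example (not osCommerce's own split-card code and not from The_Bear's post), this models the split described above: only the outer 8 digits are kept in the orders table with the middle 8 masked, the middle 8 go out by email, and a Luhn check on the rejoined number catches halves that were mis-copied or paired with the wrong order when the card is keyed in manually. The card number used is a constructed test value.

```python
import re

MASK = "X" * 8  # placeholder stored in place of the emailed middle 8 digits


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def split_card_number(cc_number: str) -> dict:
    """Return what goes in the database ('stored') and what goes by email ('emailed')."""
    digits = re.sub(r"\D", "", cc_number)  # drop spaces/dashes typed by the customer
    if len(digits) != 16 or not luhn_valid(digits):
        raise ValueError("expected a 16-digit card number with a valid check digit")
    return {"stored": digits[:4] + MASK + digits[12:], "emailed": digits[4:12]}


def join_card_number(stored: str, emailed: str) -> str:
    """Rejoin the two halves for manual processing, refusing halves that do not belong together."""
    if len(stored) != 16 or stored[4:12] != MASK or not re.fullmatch(r"\d{8}", emailed):
        raise ValueError("halves do not match the split-card layout")
    full = stored[:4] + emailed + stored[12:]
    if not luhn_valid(full):
        raise ValueError("rejoined number fails the Luhn check; wrong email for this order?")
    return full


def can_rejoin(stored: str, emailed: str) -> bool:
    """True when join_card_number would accept the pair; handy for checking before keying in."""
    try:
        join_card_number(stored, emailed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed test card number, not a real account.
    parts = split_card_number("4111 1111 1111 1111")
    print("stored in DB:", parts["stored"], "| sent by email:", parts["emailed"])
    print("rejoined:", join_card_number(parts["stored"], parts["emailed"]))
```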
TerryK, December 24, 2003: My web host used the GPG module on the site with some modifications, and I'm receiving my credit card information encrypted. Works great! (I've asked them to post the fix they made so that temp files weren't created during the encryption process, but I don't think they've had a chance to post it.) Maybe your host can help you figure out the mod? HTH, Terry

Terry Kluytmans. Contribs installed: Purchase Without Account (PWA); Big Images; Product Availability; Description in Product Listing; Graphical Infobox; Header Tags Controller; Login Box; Option Type Feature; plus many layout changes & other mods of my own, like: Add order total to checkout_shipment; Add order total to checkout_payment; Add radio buttons at checkout_shipping (for backorder options, etc.); Duplicate Table Rate Shipping Module; Better Product Review Flow. * If at first you don't succeed, find out if there's a prize for the loser. *
Monstertruckman, December 24, 2003: According to my credit card company, you cannot do manual transactions unless you have a switch machine for the shop side and a switch machine for mail order; it is not legal to do on the same switch machine! Just a note in case you run a shop as well as online.
sam6, December 24, 2003: I SET UP MY OWN SERVER so that I have complete control, but that is a complex thing to do unless you have a lot of time on your hands to learn, and that is what I have. I don't know how much more secure it is than any other server solution, but only I have access to the DB and only I have access to the server. My cable bill is much more because I am running a dedicated server. Anyway, if this is not a more secure method, let me know.
Guest, December 25, 2003: Quoting Monstertruckman: "According to my credit card company, you cannot do manual transactions unless you have a switch machine for the shop side and a switch machine for mail order; it is not legal to do on the same switch machine! Just a note in case you run a shop as well as online." In the UK, providing you have an internet merchant account with your bank, they are fine with us using the same machine, providing we use the cardholder-not-present setting! I will probably look into the GPG mod and the split email mod; using both to send encrypted emails might be the best thing.
tbell45219, December 31, 2003: How can I make sure my CC numbers aren't saved in the database (or not the entire thing) but yet not have to make them enter their CC every time they purchase? What are the best practices for doing this? Thanks.