osCommerce

Credit Card Payment Options

bitznbytes

Don't do it.

 

I assume it will be insecure. And if the bank, or whoever, catches on to this, they'll shut you down and give you a hefty charge for breach of privacy. Just go along with your bank's online option.


Your initial question seems to imply that you want a drop-down box saying "Mastercard, Visa" etc. and a box to type in the card number.

 

samclarke has taken this to mean that you are trying to collect credit card details to process manually, for which his response was completely correct - the SSL cert only protects the transmission of details between the client and your server - it in no way secures those card details once in your database or email.

 

It is best to use a payment gateway to process directly.

 

Tom


Many start with PayPal (or now Google Checkout) as these offer a complete package (that is, gateway + merchant account) without monthly fees. If you are processing many orders then it often works out cheaper to go with a merchant account with a bank and a payment gateway.

 

The fees vary widely, special offers come and go - it's best if you take some time to search around and compare - there are many integration modules for all the popular services in the contribution section.

 

Tom


Currently I do have a merchant account and I've got the PayPal module set up on my site and linked to my business checking account. Is it possible to process the credit card from my site and run the number through manually instead of using a payment gateway?

 

Thanks,

B


Technically, yes.

 

BUT - if you want to collect card details to process manually you must have your systems audited and meet the PCI / CISP security standards, which basically require things like separate servers for database and website, card details encrypted, full audit logs of all access to servers, database server physically secured with limited access etc. - very expensive.

 

If your manual terminal merchant account provider discovers you are using the terminal to process internet orders you will face having your contract immediately terminated. If you are subject to any fraud then Visa / Mastercard can fine you thousands of dollars for each card affected, etc. etc.

 

In summary, either spend lots of money or don't risk it & use a gateway + IMA (internet merchant account).

 

Tom


I am confused here...

 

 

We have had an osCommerce site for about three years.

 

We have accepted credit card info through it through the payment module in the template ever since.

 

We get an invoice online with the shipping address and the credit card info, which we print out and run through our manual credit card machine... just like a card whose stripe is not reading.

 

We have a secure SSL certificate...

 

 

Are you saying that we are STILL open to liability??


Quick question for you: when people purchase using a credit card, do you give them the ability to input their credit card number? If so, how did you configure osCommerce to do that?

 

B

 

Yes. They create an account, and when they purchase something, they choose a payment method (PayPal, Visa, MC, Discover) and then enter the credit card number and expiration date.

 

We then get an email that there is an order "Pending" and we log onto our site's catalog page, and under "orders" we have a printable invoice and packing list.

 

The invoice has all the info on it: name, shipping address, billing address, shipping address, and credit card number and expiration date.

 

We then process the order through our in-house credit card machine. We treat it as a card-not-present sale, just like we would if the card wouldn't swipe from being demagnetized.

 

And I have no idea how it was configured.

 

We wanted an eCommerce website, and a former employee recommended osCommerce and set it all up for us.

 

 

I was trying to get a guy to change our module to remove AmEx (which we don't accept) and add a box to ask for the 3-digit verification number on the back of the card (which our machine is now asking for).

 

The guy I hired was flipping through these forums looking for the right contribution and stumbled upon these threads and asked me if our site was "CISP compliant"

 

and I had no idea what that meant!

 

Can someone help me out?

 

Are we in trouble here????


The messages earlier in this thread explain it and give a link detailing the CISP standards.

 

In summary, if you are manually processing cards for internet orders then yes, you are leaving yourself wide open for many reasons.


 

 

I am still confused....

 

Even with a secure SSL cert, I am still at risk?

 

Can someone explain this further??


SSL certs only secure the connection between the client and the webserver when transferring information. The SSL cert is a must when using any personal data, to protect it from prying eyes.

 

The SSL cert does not protect the personal details / CC details once on your server or in your email.

 

The CC module that comes with osC stores half the details (unencrypted) and the other half is sent via email (again unencrypted). It is this stage that leaves you vulnerable - if someone manages to hack into your database / intercept emails then you will be liable to huge fines from Visa/Mastercard as well as your bank.

 

You will also find that if your merchant bank finds you are processing internet orders via a manual terminal they will terminate your contract. You need to have a specific internet merchant account (IMA) to process payments taken over the internet, in the same way that you need a MOTO (mail order/telephone order) account for processing those payments. This is because they give different rates due to the differing levels of fraud.

 

CISP / PCI are the regulations regarding storing credit card details on a computer.

 

Does that help?

 

Tom


  • 2 weeks later...
Right now, with the way our osCommerce is set up, we don't get an email with any info. We get an email that there is an order placed. Then we have to log onto the admin page and then into orders, and in there we have a "Packing List" with only the receipt and shipping info and an "Invoice" with the billing address, shipping address, credit card number and expiration, as well as the items ordered.

 

What do I need to do to get it to split up the info?

 

And how tough is it to get it split onto two separate servers? Can I have it set up to store half the info on the server and half the info on my computer via email?

 

Is there a module or contribution for that?


To "split it up" on two separate servers means two dedicated servers, each running at least $100/month (at the very least). If you do not have at least that, you are not compliant and you are liable to massive fines from VISA/MC for every stolen card if your website gets broken into.

 

If you want to sleep well at night, get a payment gateway and purge your database of all card numbers. If you get caught, at the very least you'll be banned from using any merchant service. If not being able to accept credit cards would be detrimental to your business, I would suggest reading through and complying with the PCI regulations. You basically have a choice: an extra $10/month + 1% transaction fee, or failed business and bankruptcy so that you can save a measly few bucks a month.

Edited by dynamoeffects

 

Oh, I believe you. Just the owner doesn't buy it. We've been processing orders this way for years... 3 or 4 anyway. I just hired a friend to help us change our credit card module and he ran across this thread in his research.

 

So I am in the process of trying to convince the "bosses" that we are in serious risk of a lot of trouble.

 

But I'm curious... $100/month or $10/month?

 

And if we chose to go that route, is there a module / contribution to help split the data onto two separate servers?

 

And could you give me a link to some info I could print out and give to these guys so they know it's serious trouble?


No no, that's $100 per server, minimum for two bottom rung dedicated servers.

 

The reason your boss doesn't know about it is because it wasn't in force 4 years ago. From Visa's own site:

http://usa.visa.com/about_visa/press_resou...ases/nr367.html

 

Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.

 

Level 3 and 4 merchants are not being actively pursued at the moment, unless there was a security breach, but that's rumored to change in the next year. This year some of their fines for Level 1 and 2 merchants just shot up 3 fold.

 

And what's amazing is that this could all be avoided by a simple $10/month + 1%/transaction payment gateway.

Edited by dynamoeffects


I believe we fall into the Level 4 merchant class. We only process 20 orders per month at the most. Is that correct?

 

Not that it changes anything, we need to get current anyway.

 

 

Also, if we switch to a payment gateway like PayPal, is there a way to edit the order post-transaction?

 

(We deal in a lot of special items that get backordered, and often times have to contact our customers to change a color or an item. That has not been a problem when we have all the card info and contact info.)


  • 3 months later...

Looking at processing my own cards and I'm getting conflicting info here.

 

I just informed my bank about the info I read here and they are telling me it's all wrong and whoever is telling me this doesn't know what they are talking about.

 

This is giving me a headache.


  • 2 weeks later...

Having helped businesses for many years with banking/payment issues, here's a summary.

 

As stated before holding credit card information on the site means you are liable and will most likely have to conform to the PCI compliance.

 

osC users already have ways of "appeasing" the banks. In short, do not hold the card data together on the site for very long, and have manual / automated procedures in place to ensure this.

 

- Using the split card payment email, over a secure email, will ensure the card number is never held on the server.

- Splitting the card information over multiple servers is a good option (as long as you have different passwords etc.).

- If you're capturing the CVV, I hope you are using my mod or another like it that allows you to delete the field once you have entered it into your PDQ or downloaded the information to your internal system.

- Always, but always, have a clear-out or encrypt the card info regularly.

- Check those log files to ensure you're not writing any of the info out somewhere.

- Change your passwords on a regular basis and ensure they are long enough.

 

... I'm sure there are others but it's too early to remember them all right now.

 

HTH

 

Si.

Edited by scranmer
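Tom's point that an SSL certificate protects card details only in transit, and Si's checklist items about checking log files and clearing out stored card data, both come down to the same audit question: where has a full card number ended up at rest? The following is an added example, not code from osCommerce or from any poster in this thread. It scans text lines (a web-server or application log, a mailbox file, or a database dump of the orders table) for digit runs that pass the Luhn check used by payment card numbers, and reports each hit with the number masked to its last four digits. The log format and the sample lines are constructed for the example; the two card numbers in them are the well-known Visa and Mastercard test numbers, not real cards.

```python
"""Added example (not osCommerce code): find full card numbers that have ended
up at rest in logs, e-mail files or database dumps, and redact them."""
import re
from typing import Iterable, List, Tuple

# A run of 13-19 digits, optionally grouped with spaces or dashes the way
# people type card numbers, and not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every payment card number passes.

    It weeds out order ids, phone numbers and timestamps that merely look
    like a card number; it does not prove a digit run is a real card.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit-only form of every Luhn-valid 13-19 digit run in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual form for receipts and order notes."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace each Luhn-valid card number in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line number, redacted line) for every line that carries a card number.

    Feed it a server log, a mailbox file or a mysqldump of the orders table
    to see where full card numbers are being written.
    """
    return [(n, redact(line)) for n, line in enumerate(lines, 1) if find_pans(line)]


# Constructed sample lines in a made-up log format; the card numbers are the
# well-known Visa and Mastercard test numbers, not real cards.
SAMPLE_LOG = [
    "2007-03-02 10:11:02 order 1043 created for customer 88",
    "2007-03-02 10:11:03 payment cc_number=4111 1111 1111 1111 cc_expires=0309",
    "2007-03-02 10:11:03 shipment tracking 1234567890123 for order 1043",
    "2007-03-02 10:12:40 mail to owner: cc_owner=J Smith cc_number=5500-0000-0000-0004",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            hits = scan_lines(fh)
    else:
        hits = scan_lines(SAMPLE_LOG)
    for n, line in hits:
        print(f"line {n}: {line.rstrip()}")
```

Run it with a file path to scan that file, or with no arguments to scan the built-in sample, where it flags lines 2 and 4 and leaves the 13-digit tracking number alone because it fails the Luhn check. The hit list tells you which log, mail or table is the one to stop writing card numbers into; the redacted form is what may safely remain in an order record once the gateway holds the card.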