Credit Card with CVV2 Version v2.2RC2a


79 replies to this topic

#61 thall89553

  • Community Member
  • 111 posts
  • Real Name:Tom

Posted 08 September 2011, 18:41

I went through the twenty steps to install this add on but am confused in that I do not see a CVV form field on my checkout_payment.php page. I see the name, card number, expiration month & year, BUT NO CVV field.

Also, I see these lines of code put out a form field and some text, but where can I modify what is being put out? Is this "$selection[$i]['fields'][$j]['title']" a function call?

for ($j=0, $n2=sizeof($selection[$i]['fields']); $j<$n2; $j++) {
echo $selection[$i]['fields'][$j]['title'];
echo $selection[$i]['fields'][$j]['field'];
}

Thanks.

Tom

#62 germ

  • Community Member
  • 13,581 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 08 September 2011, 22:45

HappyPappy, on 09 August 2011, 03:47, said:

The official line from PCI is you do not need to do anything to protect the CVV in a temporary or permanent stored situation. In fact, in PCI DSS v 2.0 they mention protection for PIN and CVV as "N/A".

And why is this so you may ask ...

Because you will NEVER have the CVV or PIN in the first place, therefore, protecting something you don't have in your possession is "N/A".

The CVV must NEVER NEVER NEVER be stored either temporarily or permanently, either encrypted or not, either broken up (truncated) or complete. In short, you can NOT capture the CVV in any way, shape or form under any circumstances. Period.

People are getting mixed up with the "live" online processing of credit cards i.e., the direct live communication between gateway and the merchant account for processing of credit cards instantly on the internet - this DOES REQUIRE the CVV to be entered.

But we are not talking about live online credit card processing. We are talking about capturing credit card details to enable the business owner to then charge the card via another means, perhaps offline or into their existing merchant account facility or into a terminal. It is important to understand the difference in order for you to follow what I am saying here. And there is a HUGE difference, one system transacts live online totally without you knowing, the other you control the charging and it's cheaper.

If you have a merchant account that "requires" the CVV to be entered and won't let you charge the card without it, then it is not a merchant account approved to charge card not present credit card payments received. You not only risk the wrath of acting illegally under PCI but if your merchant account provider finds out then I would not like to be you.

Now, if your merchant account is approved to allow you to charge through it credit card payments received by card not present means - some term this as a MOTO enabled merchant account - (mail order telephone order), then it can not possibly require the CVV to be entered. It may still ask for it but leave it blank and it will process the charge without it.

But let's say you have a MOTO enabled merchant account or a terminal, one that allows you to charge card not present payments received, and it still requires you to enter in the CVV, it won't let you charge the card without the CVV. Well, dump that merchant account provider because they are about to be taken out of business by the card vendors themselves.

Let me explain. For starters that would mean they are forcing you to act illegally under PCI. In other words, they are forcing you to somehow capture the CVV for you to have it in your possession in some way to have it to enter into your merchant account to charge the card. But this is 100% ILLEGAL under PCI - if you do that you are setting yourself up for fines and you could lose your right to process Visa, Master Card and American Express Cards for good.

If this is you then I suggest ringing your merchant account provider up and asking them directly .. "How do you suggest I capture and temporarily store the CVV so I will have it to enter into your merchant account facility when I charge the card?" They will not be able to answer that because their advice would have to be for you to act illegally. And if they did this and Visa or any of the other card vendors found out about it, they would be finished, big time.

If you are a developer and are setting something up for your client to manually capture the CVV, if and when they get caught they could simply put their hands in the air and say "it's not our fault, our developer did this" so make sure you've got a huge amount of money in the bank to pay the fine!!!

My three osc's do things manually, I like being in total control of what I accept online and I process offline into my MOTO approved terminal. I use a proper manual payment gateway to handle credit cards online. I'm not going to mention them because I don't want to be seen as promoting them as I've mentioned them in almost all of my posts so far (I don't want to get into trouble with moderators).

My advice is simple, just make sure you do things the right way and make sure your merchant account provider is also doing things the right way. It's not that hard.

Cheers

toyicebear, on 09 August 2011, 06:27, said:

The only time CVV can be entered manually into a terminal is if the customer stands in front of you with their card, showing you the cvv or giving you the card so that you can read it and enter it in directly into the terminal, or you are talking to them on the telephone and they tell you the CVV number and you input it directly into the terminal.

As the poster mentioned above it can not be stored, written down or otherwise "saved".

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help


#63 ben.maleki

  • Community Member
  • 7 posts
  • Real Name:Ben Maleki

Posted 22 January 2012, 03:48

Does anyone know if this version works with osCommerce 2.3.1?

#64 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 22 January 2012, 03:53

@ben.maleki,

The module was removed from the v2.3.1 release. It violates PCI DSS laws now enforced in most of North America.




Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

:|: Click Here to learn how I can help you with custom coding, add ons, security and templates :|:

:|: Need an Area Calculator, Pre-Paid Account, Virtual Pin, Auction or Layaway Add on ? Click Here :|:

#65 ben.maleki

  • Community Member
  • 7 posts
  • Real Name:Ben Maleki

Posted 22 January 2012, 04:01

What's the best alternative? PayPal?

#66 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 22 January 2012, 04:04

@ben.maleki,

You can use any of the available online processors, or you can become PCI DSS compliant and install an on site credit card module.



Chris

#67 ben.maleki

  • Community Member
  • 7 posts
  • Real Name:Ben Maleki

Posted 22 January 2012, 04:22

My web designer installed this version on my website. What is the best way to remove it? Can I just remove it from the admin page in the Payment Modules?

#68 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 22 January 2012, 04:25

@ben.maleki,

You can delete the module from the /includes/modules/payment/ and the /includes/languages/english/modules/payment/ directories and THEN, you will need to remove the tables from the database. This is the crucial part because that is where the data is stored.



Chris
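
A way to check a database export for leftover card data once the module has been removed, as an added example that is not part of the original post or of the contribution's code: it flags Luhn-valid 13 to 19 digit numbers and column names that suggest a stored security code. The sample dump, the cc_cvv column name and the name hints are assumptions constructed for illustration.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Column-name hints for a stored security code (assumed names, extend as needed).
CVV_HINT = re.compile(r"(?<![a-z])(cvv2?|cvc2?)(?![a-z])", re.IGNORECASE)

# Constructed sample export; 4111111111111111 is a widely used test number.
SAMPLE_DUMP = """\
CREATE TABLE orders (orders_id int, cc_owner varchar(64), cc_number varchar(32), cc_cvv varchar(4));
INSERT INTO orders VALUES (1001, 'Test Buyer', '4111111111111111', '');
INSERT INTO orders VALUES (1002, 'Test Buyer', '4111XXXXXXXX1111', '');
INSERT INTO orders VALUES (1003, 'Test Buyer', '4111 1111 1111 1112', '');
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_dump(text: str):
    """Return (line number, kind, detail) for each suspicious item found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                # Report only the last four digits, never the full number.
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((lineno, "pan", masked))
        for m in CVV_HINT.finditer(line):
            findings.append((lineno, "cvv-column", m.group().lower()))
    return findings


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

The masked row (first and last four digits only) and the number that fails the Luhn check are not reported; a full card number and the security-code column are.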

#69 ben.maleki

  • Community Member
  • 7 posts
  • Real Name:Ben Maleki

Posted 22 January 2012, 04:32

Can you tell me how to remove it from the database? Is it as easy as installing it to the database?

#70 ggrant3

  • Community Member
  • 276 posts
  • Real Name:Greg

Posted 03 February 2012, 02:22

So is there a contribution for v 2.3 to collect the card number so it can be entered manually into an existing merchant account/terminal (without the cvv)?

I know in v2.2 there is a contribution (I think it may be this one) that splits the card # and stores the first 4 and the last 4 #'s in the db and then emails the middle 8 digits, that way the whole number is not stored. Is there a contribution like that for v2.3?

I haven't upgraded to v2.3 yet and I have been considering it the past few days, but I already have a merchant account in my store and getting a separate one just for the osc site doesn't make sense to me (if you are even allowed to have two merchant accounts)

#71 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 03 February 2012, 02:27

@ggrant3,

Quote

I know in v2.2 there is a contribution (I think it may be this one) that splits the card # and stores the first 4 and the last 4 #'s in the db and then emails the middle 8 digits, that way the whole number is not stored. Is there a contribution like that for v2.3?

The contribution for 2.2 could be updated for use with v2.3.1, HOWEVER when the contribution for v2.2 was created there was no LAW against the collection and processing of credit card information. The contribution use is NOT suggested. Read about PCI DSS compliance here. It may vary slightly depending on the state/ province you are located in, but the basics are presented in that link.


Chris

#72 toyicebear

  • Community Sponsor
  • 5,692 posts
  • Real Name:Nick
  • Location:World Citizen

Posted 03 February 2012, 02:31

ggrant3, on 03 February 2012, 02:22, said:

So is there a contribution for v 2.3 to collect the card number so it can be entered manually into an existing merchant account/terminal (without the cvv)?

I know in v2.2 there is a contribution (I think it may be this one) that splits the card # and stores the first 4 and the last 4 #'s in the db and then emails the middle 8 digits, that way the whole number is not stored. Is there a contribution like that for v2.3?

I haven't upgraded to v2.3 yet and I have been considering it the past few days, but I already have a merchant account in my store and getting a separate one just for the osc site doesn't make sense to me (if you are even allowed to have two merchant accounts)


Close to any 2.2 module can be made to work with 2.3.1, but in most cases you don't need to get a new "merchant account" you can simply talk to your current provider and ask them about also using it with an online shop and what payment gateways they are compatible with....
Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce

Check out my profile [click here] for information on professional services, custom coding, templates, SEO optimization, modifications, commercial support and help.

#73 ggrant3

  • Community Member
  • 276 posts
  • Real Name:Greg

Posted 03 February 2012, 02:50

toyicebear, on 03 February 2012, 02:31, said:

Close to any 2.2 module can be made to work with 2.3.1, but in most cases you don't need to get a new "merchant account" you can simply talk to your current provider and ask them about also using it with an online shop and what payment gateways they are compatible with....

Right now I am just using Paypal's virtual terminal. That way I can process someone in front of me or a mail/phone/website order.

So I guess it would be safe to assume that osc has a contribution that would use my paypal account to automatically process a site order, right? I just get overwhelmed trying to figure out all the terminology and getting everything setup, although I may very well be making it out to be harder than it really is.

I just want it "seamless" for the customer because I used to use some kind of paypal payment system they have (with my old html site) and when a customer got to the payment process they got confused because they were getting redirected to Paypal's site. And they got nervous or said they didn't want to pay via paypal (thinking Paypal itself was their only option), because it would show a login screen for Paypal and have a very small text link saying they could pay without logging in or creating a paypal account, but it confused at least 80% of my customers.

Is there a straightforward (proven to work fine, without bugs) paypal integrated payment contribution, that you could recommend? Or is that built into osc already maybe?

#74 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 03 February 2012, 02:51

@ggrant3,

There are MANY payment methods built into osCommerce v2.3.1, including several versions of osCommerce. You should be able to find one that suits your needs.



Chris

#75 ggrant3

  • Community Member
  • 276 posts
  • Real Name:Greg

Posted 14 February 2012, 03:49

Okay so I need a little more clarification with this.

I see collecting the CVV is bad. In the contribution that I have, there is an option to turn the CVV requirement on/off. So I have it set to off now.

But is it still considered "bad/illegal" to have the customer enter their credit card information onto my site and then have the middle 8 digits stripped from the order and emailed to me separately so I can manually enter their credit card information (like a phone order would be processed)? Since nothing crucial is then stored on the database (only the first and last 4 digits and the exp date, which would be useless) is this okay or not okay?

#76 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 14 February 2012, 03:54

@ggrant3

Actually, you're missing the point. Under the new PCI DSS Compliance Act, NO credit card information can be collected, processed and stored without your company being PCI DSS Certified.

So, in summary. Without certification, you CANNOT ask your customers for their credit card information.


Chris

#77 ggrant3

  • Community Member
  • 276 posts
  • Real Name:Greg

Posted 14 February 2012, 14:12

DunWeb, on 14 February 2012, 03:54, said:

@ggrant3

Actually, you're missing the point. Under the new PCI DSS Compliance Act, NO credit card information can be collected, processed and stored without your company being PCI DSS Certified.

So, in summary. Without certification, you CANNOT ask your customers for their credit card information.


Chris

Apparently I am.

Isn't PCI DSS Compliance something that costs hundreds of thousands of dollars to get? Or is that something else related to being allowed to receive/store credit card information?

#78 toyicebear

  • Community Sponsor
  • 5,692 posts
  • Real Name:Nick
  • Location:World Citizen

Posted 14 February 2012, 16:10

To get Level 4 PCI compliance is not that expensive. BUT you will still not be able to save cc information for later manual processing. You will on the other hand be able to let the customer input the cc date on your site which is then transmitted to a payment gateway in real time online. (Like Authorize.net, PayPal Pro, PayPal PayFlow and so on)

#79 mvanderhoff

  • Community Member
  • 43 posts
  • Real Name:Matt

Posted 26 April 2012, 18:35

Tried this contribution out but it seems that if you enter the wrong information it kicks you back but does not alert you to what you did wrong. Any suggestions?

#80 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 26 April 2012, 19:01

@mvanderhoff

Matt, if you have read this thread you will have noticed that this contribution is no longer supported because it violates recent PCI DSS compliance laws. If you have it installed on your website, I suggest you remove it.



Chris