
CVV?


8 replies to this topic

#1   NEWPRob

NEWPRob
  • Members
  • 19 posts
  • Real Name:Rob

Posted 17 April 2010 - 16:29

I'm running oscommerce 2.2MS2 and using the default cc module. I've got it set to split the cc # to my email. What I need to do is also grab the CVV # to process cards. I know you're not allowed to store the CVV#, but would it be acceptable to split it as well so I get half of each in the email? Is there any module that will do this? I noticed several modules to enable CVV but had no idea which one would work best .. any suggestions?

#2   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 17 April 2010 - 19:30

Rob

Most osc sites are not PCI compliant and thus you must not store cc info on your site.

You have to use 3rd party card processors such as paypal/protx.

So take this as a No, no, no and no and no to any other question. :-)

G

#3   NEWPRob

NEWPRob
  • Members
  • 19 posts
  • Real Name:Rob

Posted 18 April 2010 - 00:07

So is it still considered 'storing' the information if it's in two separate pieces in two different places?

I guess the question still is . . which cvv addon would you suggest, even if not PCI compliant?

I plan to use gunpal as soon as a module for it becomes available for osc, as paypal's TOS is very restrictive.

#4   cannuck1964

cannuck1964

    Contract Coder

  • Partner
  • 1,138 posts
  • Real Name:Peter McGrath
  • Gender:Male
  • Location:Ontario, Canada

Posted 04 August 2011 - 14:44

So is it still considered 'storing' the information if it's in two separate pieces in two different places?


Yes, this also leaves you open to liability issues, and if the credit card companies find out, they can remove your credit card processing entirely from your business (and sue you for any losses they incurred).


Most osc sites are not PCI compliant and thus you must not store cc info on your site.


The CVV is never to be stored; it is used and discarded. Even PCI does not allow for the saving of this value.

cheers
Peter McGrath

#5   HappyPappy

HappyPappy
  • Members
  • 50 posts
  • Real Name:Peter

Posted 07 August 2011 - 14:37

cannuck1964 is correct.

But if you have a MOTO system approved to allow you to charge card not present credit card payments received it is NOT ALLOWED to require you to enter the CVV.

It may still ask for it but it won't require it. If it does then contact Visa and the merchant account provider will be in more hot water than a lobster at the local seafood restaurant.

The issue is the CVV must NEVER NEVER NEVER be written down, recorded or stored in any way, shape or form, either temporarily or permanently, either in part (truncated) or in whole, either encrypted or not.

Therefore, if your merchant account provider is expecting you to have the CVV to enter it from a card not present payment made to you, simply ask them how do they propose you have the CVV in your possession to enter it? There will be a long pause then the penny will drop for the guy/girl you are talking to because that will mean they are forcing you to capture, write down or temporarily store the CVV - in short they are forcing you to act illegally under PCI which means not only you could be hit with a massive fine but you and they could both lose the right to handle the Visa card product (and other card brands too).

I've been using e-Path (http://e-path.com.au) for a while now because I like processing the cards myself offline and I don't have to worry about PCI.

Not sure if this info is helpful but I thought I'd clear things up anyway.

#6   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts
  • Real Name:Chris
  • Gender:Male
  • Location:Ontario, Canada

Posted 07 August 2011 - 15:55

Peter's link only applies to Australian companies.





Chris

#7   HappyPappy

HappyPappy
  • Members
  • 50 posts
  • Real Name:Peter

Posted 07 August 2011 - 23:17

Peter's link only applies to Australian companies.

No, anybody can use e-Path. I found the following, quoted from: http://e-path.com.au/about_e-path.html ....

e-Path also provides our payment gateway service to business owners outside Australia that have merchant account facilities with banks in New Zealand, United Kingdom, Europe, South Africa, United States and Canada. Just like a fax machine or a telephone e-Path knows no borders.

Cheers

Edited by HappyPappy, 07 August 2011 - 23:20.


#8   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts
  • Real Name:Chris
  • Gender:Male
  • Location:Ontario, Canada

Posted 07 August 2011 - 23:49

To avoid cross posting, see this thread for correct information: http://forums.oscomm...47#entry1596447




Chris

#9   HappyPappy

HappyPappy
  • Members
  • 50 posts
  • Real Name:Peter

Posted 08 August 2011 - 00:30

To avoid cross posting...
Chris

Point taken Chris, thank you.

Here is my reply ... http://forums.oscomm...ost__p__1596452

Cheers