I'm running oscommerce 2.2MS2 and using the default cc module. I've got it set to split the cc # to my email. What I need to do is also grab the CVV # to process cards. I know you're not allowed to store the CVV#, but would it be acceptable to split it as well so I get half of each in the email? Is there any module that will do this? I noticed several modules to enable CVV but had no idea which one would work best .. any suggestions?
Latest News: (loading..)
0
CVV?
Started by NEWPRob, Apr 17 2010 04:29 PM
8 replies to this topic
#2
geoffreywalton
-
- Community Sponsor
-
- 8,037 posts
Contact me for Support
- Real Name:Geoffrey Walton
- Gender:Male
- Location:Norfolk, UK (close to the centre of the universe)
Posted 17 April 2010 - 07:30 PM
Rob
Most osc sites are not PCI compliant and thus you must not store cc info on your site.
You have to use 3rd party ard processors such as paypal/protx.
So take this as a No, no ,no and no and no to any other question. :-)
G
Most osc sites are not PCI compliant and thus you must not store cc info on your site.
You have to use 3rd party ard processors such as paypal/protx.
So take this as a No, no ,no and no and no to any other question. :-)
G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile
Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.
For links mentioned in old answers that are no longer here follow this link Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.
Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.
For links mentioned in old answers that are no longer here follow this link Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.
#3
Posted 18 April 2010 - 12:07 AM
So is it still considered 'storing' the information if it's in two seperate pieces in two different places?
I guess the question still is . . which cvv addon would you suggest, even if not PCI compliant?
I plan to use gunpal as soon as a module for it becomes available for osc, as paypal's TOS is very restrictive.
I guess the question still is . . which cvv addon would you suggest, even if not PCI compliant?
I plan to use gunpal as soon as a module for it becomes available for osc, as paypal's TOS is very restrictive.
#4
cannuck1964
-
- Partner
-
- 1,131 posts
Contract Coder
- Real Name:Peter McGrath
- Gender:Male
- Location:Ontario, Canada
Posted 04 August 2011 - 02:44 PM
Quote
So is it still considered 'storing' the information if it's in two seperate pieces in two different places?
Yes, this also leaves you open to liability issues, and if the credit card companies find out, they can remove your credit card processing entirely from your business (and sue you for any losses they incurred).
Quote
Most osc sites are not PCI compliant and thus you must not store cc info on your site.
The CVV is never to be stored, it is used and discarded, even PCI does not allow for the saving of this value..
cheers
Peter McGrath
-----------------------------
See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
-----------------------------
See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
#5
Posted 07 August 2011 - 02:37 PM
cannuck1964 is correct.
But if you have a MOTO system approved to allow you to charge card not present credit card payments received it is NOT ALLOWED to require you to enter the CVV.
It may still ask for it but it won't require it. If it does then contact Visa and the merchant account provider will be in more hot water than a lobster at the local seafood restaurant.
The issue is the CVV must NEVER NEVER NEVER be written down, recorded or stored in any way, shape or form, either temporarily or permanently, either in part (truncated) or in whole, either encrypted or not.
Therefore, if your merchant account provider is expecting you to have the CVV to enter it from a card not present payment made to you, simply ask them how do they propose you have the CVV in your possession to enter it? There will be a long pause then the penny will drop for the guy/girl you are talking to because that will mean they are forcing you to capture, write down or temporarily store the CVV - in short they are forcing you to act illegally under PCI which means not only you could be hit with a massive fine but you and they could both lose the right to handle the Visa card product (and other card brands too).
I've been using e-Path (http://e-path.com.au) for a while now because I like processing the cards myself offline and I don't have to worry about PCI.
Not sure if this info is helpful but I thought I'd clear things up anyway.
But if you have a MOTO system approved to allow you to charge card not present credit card payments received it is NOT ALLOWED to require you to enter the CVV.
It may still ask for it but it won't require it. If it does then contact Visa and the merchant account provider will be in more hot water than a lobster at the local seafood restaurant.
The issue is the CVV must NEVER NEVER NEVER be written down, recorded or stored in any way, shape or form, either temporarily or permanently, either in part (truncated) or in whole, either encrypted or not.
Therefore, if your merchant account provider is expecting you to have the CVV to enter it from a card not present payment made to you, simply ask them how do they propose you have the CVV in your possession to enter it? There will be a long pause then the penny will drop for the guy/girl you are talking to because that will mean they are forcing you to capture, write down or temporarily store the CVV - in short they are forcing you to act illegally under PCI which means not only you could be hit with a massive fine but you and they could both lose the right to handle the Visa card product (and other card brands too).
I've been using e-Path (http://e-path.com.au) for a while now because I like processing the cards myself offline and I don't have to worry about PCI.
Not sure if this info is helpful but I thought I'd clear things up anyway.
#6
DunWeb
-
- Members
- 12,732 posts
The Censored One
- Real Name:Chris
- Gender:Male
- Location:Ontario, Canada
Posted 07 August 2011 - 03:55 PM
Peter's link only applies to Australian companies.
Chris
Chris
#7
Posted 07 August 2011 - 11:17 PM
DunWeb, on 07 August 2011 - 03:55 PM, said:
Peter's link only applies to Australian companies.
e-Path Website said:
e-Path also provides our payment gateway service to business owners outside Australia that have merchant account facilities with banks in New Zealand, United Kingdom, Europe, South Africa, United States and Canada. Just like a fax machine or a telephone e-Path knows no borders.
Edited by HappyPappy, 07 August 2011 - 11:20 PM.
#8
DunWeb
-
- Members
- 12,732 posts
The Censored One
- Real Name:Chris
- Gender:Male
- Location:Ontario, Canada
Posted 07 August 2011 - 11:49 PM
To avoid cross posting, See this thread for correct information: http://forums.oscommerce.com/topic/374988-credit-card-module/page__gopid__1596447#entry1596447
Chris
Chris
#9
Posted 08 August 2011 - 12:30 AM
DunWeb, on 07 August 2011 - 11:49 PM, said:
To avoid cross posting...
Chris
Chris
Here is my reply ... http://forums.oscommerce.com/topic/374988-credit-card-module/page__view__findpost__p__1596452
Cheers
