HappyPappy

Member Since 04 Apr 2006
Offline Last Active Aug 28 2011, 02:22
-----

Posts I've Made

In Topic: Credit Card Payment

24 August 2011, 21:56

coeytech, on 16 August 2011, 18:44, said:

did anyone ever mention how to accept credit cards manually...got it have to be PCI compliant...In version 2.3... it doesn't have a module like the old version did where it asked for all the credit card info but didn't process it.

You can't do this anymore without being fully PCI compliant certified. Your cart will need to be on a dedicated server which has its own dedicated hardware firewall if you are wanting to temporarily or permanently store cc data. This is why OSC gives the warning "Not for commercial use" etc on their manual module. There are a host of other requirements such as network security, security policies management etc but I won't get into any of that now.

I know it all sounds painfully over the top and pretty ridiculous but I'm only telling you how it is. At the end of the day it's your choice. But all it takes is one card holder questioning things with the appropriate authority and you could be in serious hot water if you are using the manual module and are not fully PCI compliant certified to do so.

You really can't mess with cc data any longer. Things have changed and while I personally don't think they have changed for the better the fact is that's the way it is now.

If you are a developer who creates an OSC site for your website customer that uses the manual module and you've blatantly ignored the need for PCI compliance certification then in my opinion you deserve to be hit bloody hard. That would be pure negligence on your part. As well as possibly having to face a fine and/or a penalty or having your ability to process Visa and Mastercard transactions withdrawn, your own site customer could sue the hell out of you.

I'd advise you (and everyone else) to play safe and simply use a proper PCI compliant manual payment gateway. Easy, safe and cheap, you don't have a worry in the world and you can charge cards offline manually like what you are wanting to do. Or use Pay Pal or use a real time payment processing gateway.

It is just not worth the risk anymore.

That's my 2c worth anyway.

In Topic: Credit Card with CVV2 Version v2.2RC2a

09 August 2011, 23:12

toyicebear, on 09 August 2011, 06:27, said:

The only time CVV can be entered manually into a terminal is if the customer stands in front of you with their card, showing you the CVV or giving you the card so that you can read it and enter it in directly into the terminal, or you are talking to them on the telephone and they tell you the CVV number and you input it directly into the terminal.

As the poster mentioned above it can not be stored, written down or otherwise "saved".

Absolutely correct Nick.

If people have a merchant account they use to charge credit cards received by card not present means, i.e., from a proper PCI compliant manual payment gateway, a fax machine, physical mail order or over the telephone where they charge the card after they have had time to verify things themselves, then they only need to ensure their merchant account is enabled for this. Like I said before, some term this as MOTO (mail order telephone order) enabling your merchant account.

Once this is done the merchant account (terminal or online virtual terminal) will not (it's not allowed to) require the CVV to be entered to charge the card, although it may still ask for it for those times as Nick has mentioned above.

You will then not have to worry about anything to do with CVV because it is not part of the official scheme when you manually (MOTO) process credit cards. And you will be complying with PCI (assuming your oscommerce site doesn't touch or see the cc data and you destroy the card data once you charge the card of course).

Here's to staying safe everyone ... :thumbsup:

Cheers

In Topic: Credit Card with CVV2 Version v2.2RC2a

09 August 2011, 03:47

The official line from PCI is you do not need to do anything to protect the CVV in a temporary or permanent stored situation. In fact, in PCI DSS v 2.0 they mention protection for PIN and CVV as "N/A".

And why is this so you may ask ...

Because you will NEVER have the CVV or PIN in the first place, therefore, protecting something you don't have in your possession is "N/A".

The CVV must NEVER NEVER NEVER be stored either temporarily or permanently, either encrypted or not, either broken up (truncated) or complete. In short, you can NOT capture the CVV in any way, shape or form under any circumstances. Period.

People are getting mixed up with the "live" online processing of credit cards i.e., the direct live communication between gateway and the merchant account for processing of credit cards instantly on the internet - this DOES REQUIRE the CVV to be entered.

But we are not talking about live online credit card processing. We are talking about capturing credit card details to enable the business owner to then charge the card via another means, perhaps offline or into their existing merchant account facility or into a terminal. It is important to understand the difference in order for you to follow what I am saying here. And there is a HUGE difference, one system transacts live online totally without you knowing, the other you control the charging and it's cheaper.

If you have a merchant account that "requires" the CVV to be entered and won't let you charge the card without it, then it is not a merchant account approved to charge card not present credit card payments received. You not only risk the wrath of acting illegally under PCI but if your merchant account provider finds out then I would not like to be you.

Now, if your merchant account is approved to allow you to charge through it credit card payments received by card not present means - some term this as a MOTO (mail order telephone order) enabled merchant account - then it can not possibly require the CVV to be entered. It may still ask for it but leave it blank and it will process the charge without it.

But let's say you have a MOTO enabled merchant account or a terminal, one that allows you to charge card not present payments received, and it still requires you to enter in the CVV, it won't let you charge the card without the CVV. Well, dump that merchant account provider because they are about to be taken out of business by the card vendors themselves.

Let me explain. For starters that would mean they are forcing you to act illegally under PCI. In other words, they are forcing you to somehow capture the CVV for you to have it in your possession in some way to have it to enter into your merchant account to charge the card. But this is 100% ILLEGAL under PCI - if you do that you are setting yourself up for fines and you could lose your right to process Visa, Master Card and American Express Cards for good.

If this is you then I suggest ringing your merchant account provider up and asking them directly .. "How do you suggest I capture and temporarily store the CVV so I will have it to enter into your merchant account facility when I charge the card?" They will not be able to answer that because their advice to you would have to be for you to act illegally. And if they did this and Visa or any of the other card vendors found out about it, they would be finished, big time.

If you are a developer and are setting something up for your client to manually capture the CVV, if and when they get caught they could simply put their hands in the air and say "it's not our fault, our developer did this" so make sure you've got a huge amount of money in the bank to pay the fine!!!

My three osc's do things manually, I like being in total control of what I accept online and I process offline into my MOTO approved terminal. I use a proper manual payment gateway to handle credit cards online. I'm not going to mention them because I don't want to be seen as promoting them as I've mentioned them in almost all of my posts so far (I don't want to get into trouble with moderators).

My advice is simple, just make sure you do things the right way and make sure your merchant account provider is also doing things the right way. It's not that hard.

Cheers

In Topic: Offline Payments?

08 August 2011, 00:31

DunWeb, on 07 August 2011, 23:49, said:

To avoid cross posting...
Chris
Ok, understand. Here is my reply ....
http://forums.oscommerce.com/topic/374988-credit-card-module/page__view__findpost__p__1596452

Cheers

In Topic: CVV?

08 August 2011, 00:30

DunWeb, on 07 August 2011, 23:49, said:

To avoid cross posting...
Chris
Point taken Chris, thank you.

Here is my reply ... http://forums.oscommerce.com/topic/374988-credit-card-module/page__view__findpost__p__1596452

Cheers