Posts posted by toyicebear

  1. can anyone point me to the image plugins or add ons to replace the awful one that is given by default with oscommerce 2.3.1?


    the default one is resizing images on the fly with javascript, and this is unacceptable.


    Use KissIT Image Thumbnailer for image resizing.


    yes, I found that one, but it says that multiple images do not have "alt" tags on them, and this cannot be fixed?

    I'm worried that this will affect search engine ranking and not be valid HTML code.


    That is not something to worry about, google will index your product pages just fine.


    If you are "concerned" about optimizing your pages to the MAX, then you can rip out bxgallery and replace it with another image gallery solution as well as modifying your shop to let you add in image alt tags for all product images in admin.

  2. now all the developers will start whinging that a complete cart will reduce their income.


    It's not about reduced income for developers, it's about all the "bloat" which such "full" featured carts also have "included".


    A clean cart with the basic features included is often the best base to build a shop from, you will then be able to customize it to your particular business needs while still keeping it as lean and mean as possible.


    The problem with the current 2 series of oscommerce is that it's not "modular" enough, so installing add-ons usually includes modifying core code.


    And actually there is soooo much more money to be had for developers in carts like Magento, Prestashop and Magento. Firstly you make an add-on you can sell it through their marketplaces, then you get additional income from customization requests on the same add-on, then you get even more income from those who sign up for support and update packages for that add-on ++++


    Those carts are also way more complicated to modify, so most who DIY a lot on their oscommerce cart would have to pay a developer to make close to any changes outside of standard functions, and due to the complexity of the code the number of qualified developers is smaller, which in turn means that the prices are higher.

  3. Relationship between PCI DSS and PA-DSS

    Clarified that use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant.


    When it comes to protecting yourself/your business from liabilities do not take the word of internet keyboard warriors at face value. (especially when they are interpreted to favor their own practices)


    Contact your own merchant account provider and get clarification on any issues/questions. (If you are "afraid" to mention your current practices to your merchant account provider then that itself should be a HUGE flashing warning sign that you are probably doing something incorrectly)


    If you fail to do your "due diligence" and just plod on as before, one day you might get a very nasty surprise when you find out that lamenting "BUT I DID NOT KNOW THAT" or "BUT I THOUGHT IT MEANT THAT" or "MY INTERPRETATION OF THAT WAS" does not hold much weight when it comes to payment data security.

  4. Put on your reading glasses and read 3.2.2 and take note that outside of other card authorization information that CVV2 (card verification code) is specifically mentioned and that it should not be stored under any circumstances.


    verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored under any circumstance


    Anyone who is still unsure should contact their merchant account provider and inquire about manual processing of orders where the payment information has been collected online.

  5. I'm not using the correct terminology, CVV, CVV2, CV2... Whatever the 3-digit "magic number" on the back is called. PCI 2, section 3.2 specifically says it can be saved long enough to process and get authorization, and then must be deleted. It further states that it can still be saved, in a safe and secure manner if there is a valid business case to be made for doing so.


    No, CVV2, CVC2, CID, CAV2 fall under 3.2.2, which you are not allowed to store under any circumstances.


    PCI DSS V2



    3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.


    Testing Procedures:

    3.2.2 For a sample of system components, examine data sources, including but not limited to the following, and verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored under any circumstance:

  6. 1. Check that your merchant account agreement allows you to manually process payments where info has been collected online. HINT: In most cases it will be against your TOS.


    2. If you wish to manually process payments with info collected online, do not use CVV2; you are not allowed to save it in any form. (even if you delete it after use)


    In regards to manual processing, CVV2 is only for real time use, when the customer is talking to you on the phone or standing in front of you and you key it directly into the MOTO terminal.


    Even if you follow 1 and 2, if you are not PCI compliant you are even then liable for fines and sanctions from merchant account providers and credit card companies.


    And in some countries and states/areas it is even against the law to handle payment data in an insecure way. (And this is an area which is only getting more and more regulated)


    So the short version: if you are not PCI compliant, use a 3rd party payment provider instead.


    That an online payment gateway to process cc is 20 usd a month is not a valid argument, you can get a PayPal account for free and with no monthly fees. (there are several other alternatives too without monthly fees)

  7. If you save the info and process it manually then you are taking a large risk for saving some pennies.


    Even if you are in a country (or state) where you currently are not required by law to follow the PCI regulations, you are still liable for sanctions and fines from your merchant account provider, Visa and Master Card.


    And if someone manages to sift payment information from you and it is shown that you have been lax in handling customer payment data, then this will impact your business reputation as well as open you up for civil suits from your customers.

  8. PayPal Express will work as a fast checkout for customers that already have a PayPal account. If a customer has a PayPal account they will then be able to simply log into their PayPal account and then checkout without filling in more personal info. An account is still created for them in the shop but this is done "automatically" in the background.


    "Guest" checkout for 2.2 - Purchase Without Account


    "Guest checkout" for 2.3 - Consolidated Login with Guest Checkout for 2.3.1 v1.0

  9. So then you have to go through over 6,000 add ons, read through each one to figure it out?


    No, make yourself familiar with all the functions in standard oscommerce and then sit down and make an assessment of what other functionality you want/need.


    When you have determined what functionality you want/need you go to the add-ons section and look/search for add-ons there which will give you the wanted functionality.

  10. Hi, I also installed the PayPal Standard Website Payments module in my osc 2.3.1 shop.

    I got it all figured out so far, payments through sandbox are going okay, but I still have one issue:


    After completing payment the PayPal website doesn't return to my shop url automatically. The buyer has 2 options: return to the shop (needed for confirmation e-mails and to close the order) or he can choose to go to his PayPal account. This last option will probably cause the order never to be completed (checkout_process.php / checkout_success.php will never be reached). And yes, I did set up a callback url (checkout_process.php) in my PayPal preferences... how to make sure the buyer will be redirected to the shop after payment?? (these tests are done in sandbox)


    If you use the "default" PayPal Standard Website Payments in 2.3.1, the customer does not need to return back to your shop for the order to be updated. This is an "IPN" style module so the order status will be updated in the "background" anyway.