IanWharton

CC module | More cards, issue number, ccv


Okay, have added the above script so that I can have a CVV field, but I don't see it when I check out...

 

did I do something wrong?!

 

 

Okay, I'm dense. I just forgot to upload one file. It's fixed now. :blush:


Great thread you guys!

 

I'm very new to osC and online payment systems.

 

I just stumbled onto this and it looks like exactly what I'm looking for. I'm attempting to open an online multimedia store.... all downloadable content. I was looking for a secure option that allowed credit card processing right from within the store.

 

Ok, correct me if I'm wrong... So by using the above mentioned method, I wouldn't need to use payment gateway such as Worldpay? But I would still need a merchant account? I'm in the US but need to sell globally since shipping isn't a need for me. What Merchant Accounts are you guys using?

 

Thanks for any insight! This place is great. :)

Edited by NiceGuyEd


this is very good information for someone who is processing cards manually.

 

my question for secretuser:

are any of these security steps helpful if you are processing with a payment gateway/merchant acct?

 

[i'm thinking that the admin security contrib may be helpful for anyone wanting to prevent a general hack?]

 

thanks!

a.


Does anyone know how to make the ez secure contribution work with maxmind? I like the idea of securing my customers' info, but would also like the convenience of automatically running the credit card number through maxmind, rather than doing each by hand. With both installed at the same time, credit cards don't get through maxmind.


Is it reality or just a dream, for some there is no difference.

I'm astonished with the limitations of the cc module. Clients need to be able to handle more cards. Switch, solo, collect ccv, issue numbers. Not everyone needs to use third party payment software/companies.

 

I know there is the cc_ccv++ mod, but it is no use on MS2 or higher.

 

I can't believe there are no more options to oscommerce. In the UK switch and solo cards account for 33% of all consumer transactions.

We don't want to use any payment gateway, as the client has a pdq machine, but can someone who knows the community shed some light as to what's available?

 

Regards,

Ian Wharton

Liquideye-designs.com

 

I would like everyone to think what I am about to say. I know I posted a reply on this subject before, I have now learned more. Please think of this before you knock third party payment services for your OSC website.

 

First it is to me very high risk to be collecting credit card information and keeping it in your company. Reason: You do not have to get hacked to have that information stolen. It could even be from home. Second I think there is a law, I do not know if it is in Europe, but I know in the US it is against the law to hold that information in your business if you are not a legal financial institution. To me you are putting your business in jeopardy if a customer finds out you are holding that sensitive information. Think of it. Would you want someone holding your personal credit card information on their database, in their email account and in a separate file of their home? It would make me plenty nervous. Second: You want to protect your business as well as your customer's sensitive information so you want the backing of a legally financial security third party company processing this, because it protects your business and the customers so that you do not take that responsibility in hand. Third: the cost of a third party merchant service is tax deductible. It is a full business expense. You lose nothing, if you are handling your business finances right.

 

So to keep security in place, get other very legally financial third party companies helping you. It is for your protection as well as your customers. And personally I would not want to visit any of your websites if that is what you are doing and not informing me you are doing that. Think about it seriously.

 

Next understand this; it is to me a very immature business practice if you wish to collect credit card information over the web and manual charge the card. Every online store can not have a physical store's privileges. Even they do not keep your information, their merchant services helps them with that. When they swipe the card, they do not see the card code and record it. It is transferred after the swipe and charged. To get refunded you need to re-swipe the card and do something different. Regardless do not think it is okay to do this same transaction online. Think of the customer, and don't put your business at risk.

 

This is what I am doing now; I have used the Authorized.net contribution and have a third party company using Authorize.net as a gateway. With online orders the credit card information is directly fed to Authorize.net. I log in to Authorize.net and check to see it passed billing address and card code verification. I do not see card code information at Authorize.net; only see that it matched the customers input. If not the card is automatically declined and I hold no responsibility to this person's credit card information. But if all checks out, I verify the customers shipping information accept the transacting pending at Authorize.net and process the customers order. Authorize.net is a well known service that offers many secure ways of processing many different credit card transactions. The only information held in your possession is the customers address. Authorize.net processes the credit card transaction, and the customer is secure. Plus you are secure because any problem on your end keeps you clear of that information. I gratefully thank and honor the tremendous work that Austin519 did with the contribution of Authorize.net. It works perfectly at my site, and I could not be happier.

 

My site is HWRebuild.com - We are growing and growing with maturity, business wise.

 

I would love to hear others thoughts on what I just said. But I strongly recommend you use a legal third party merchant service, whether it is from your bank where your business account is held at or one of the resellers of Authorize.net, or any other merchant service. Take time and do some research on them. I strongly feel it is a very immature business practice if you are collecting payment information this way just to cut out merchant payments. This is very risky both for your customers and your business. Good luck.


Not to sound like too much of a noob here, but does anyone have one complete Credit Card Module. All the other stuff I can do, but this is what I'm looking for: A Complete Credit Card Module that will automatically handle transactions. If it won't work with all countries then that's fine, I'll just start from there.

 

Any suggestions?

 

Thanks,

 

-Kel


No Great Man ever complains of want of opportunity... seize the day.

First it is to me very high risk to be collecting credit card information and keeping it in your company. Reason: You do not have to get hacked to have that information stolen. It could even be from home. Second I think there is a law, I do not know if it is in Europe, but I know in the US it is against the law to hold that information in your business if you are not a legal financial institution. To me you are putting your business in jeopardy if a customer finds out you are holding that sensitive information. Think of it. Would you want someone holding your personal credit card information on their database, in their email account and in a separate file of their home? It would make me plenty nervous. Second: You want to protect your business as well as your customer's sensitive information so you want the backing of a legally financial security third party company processing this, because it protects your business and the customers so that you do not take that responsibility in hand. Third: the cost of a third party merchant service is tax deductible. It is a full business expense. You lose nothing, if you are handling your business finances right.

 

So to keep security in place, get other very legally financial third party companies helping you.  It is for your protection as well as your customers.  And personally I would not want to visit any of your websites if that is what you are doing and not informing me you are doing that.  Think about it seriously.

 

Next understand this; it is to me a very immature business practice if you wish to collect credit card information over the web and manual charge the card. Every online store can not have a physical store's privileges. Even they do not keep your information, their merchant services helps them with that. When they swipe the card, they do not see the card code and record it. It is transferred after the swipe and charged. To get refunded you need to re-swipe the card and do something different. Regardless do not think it is okay to do this same transaction online. Think of the customer, and don't put your business at risk.

 

This is what I am doing now; I have used the Authorized.net contribution and have a third party company using Authorize.net as a gateway.  With online orders the credit card information is directly fed to Authorize.net.  I log in to Authorize.net and check to see it passed billing address and card code verification.  I do not see card code information at Authorize.net; only see that it matched the customers input.  If not the card is automatically declined and I hold no responsibility to this person's credit card information.  But if all checks out, I verify the customers shipping information accept the transacting pending at Authorize.net and process the customers order.  Authorize.net is a well known service that offers many secure ways of processing many different credit card transactions.  The only information held in your possession is the customers address.  Authorize.net processes the credit card transaction, and the customer is secure.  Plus you are secure because any problem on your end keeps you clear of that information.  I gratefully thank and honor the tremendous work that Austin519 did with the contribution of Authorize.net.  It works perfectly at my site, and I could not be happier.

 

My site is HWRebuild.com - We are growing and growing with maturity, business wise.

 

I would love to hear others thoughts on what I just said.  But I strongly recommend you use a legal third party merchant service, whether it is from your bank where your business account is held at or one of the resellers of Authorize.net, or any other merchant service.  Take time and do some research on them.  I strongly feel it is a very immature business practice if you are collecting payment information this way just to cut out merchant payments.  This is very risky both for your customers and your business.  Good luck.

 

This is an excellent post and I agree with some of your points.

 

1) There is a risk no matter what you do that information gets compromised.

 

2) I like to control the purchase before charging the card. I want to do various forms of verification including IP address checking and other items which a payment gateway might not do as I am ultimately responsible for fraud, not the payment gateway. Once I do this, I will manually run the card with AVS and other checking through my merchant account gateway.

 

3) I agree that it is bad business practice to hold someone's credit information on your email, database, and in hard copy. I wouldn't want someone else to do this, and I won't do this to anyone else either.

 

4) I strongly recommend using two separate servers, one for your email account and one for OS Commerce if you do this to add an extra level of protection (still no guarantees).

 

5) Once I get an email, I charge the card immediately and delete the email, the CVV number, and the credit card number.

 

6) I use a manual encrypted payment gateway in which my merchant account company keeps all records of the CVV, credit card number and everything else, so I don't need to keep a hard copy.

 

7) Once charged, everything pretty much gets wiped out with respect to the credit card, there are no hard copies maintained by me. If I want to refund the person, I must log into my manual gateway and order a refund. The merchant company has the information on file, I just click on the transaction I am refunding and it is refunded.

 

8) If my site gets hacked, which it very well can be (I trust no software), it is unlikely to have any credit card information. If my office gets burglarized, there will be no credit card information as nothing is kept in digital or hard copy by my company once the charge is made.

 

9) It is against the merchant agreement to keep the CVV number for more than a day or two. No matter what you do, you must destroy this number, you may not keep it.

 

10) I totally agree with you that if you are using this method, YOU MUST DISCLOSE this to your customer. My payment FAQ section completely discloses how my company maintains data security and the risks involved including the fact that transactions are done off-line, portions of information are sent in unsecure email, and portions are kept on a more secure database. I have always disclosed this in the FAQ section on data security.

 

The points I had made several months ago were for those who were intent on using the OSCommerce credit card module. If one is going to use it, then I have tried to offer the best suggestions I could think of to keep the information as secure as possible.


How up to date is the advice on this?


Kym

Projects Director @ ozEworks.com
