osCommerce


Encrypting Credit Card Number (cc_number) in OSC


nfrobertson


I'm having a problem with this. I've installed this last year (without zapt) and it was working fine until this week.

 

I'm getting the following error on my invoice page

Warning: mdecrypt_generic() [function.mdecrypt-generic]: An empty string was passed in /home/[account_name]/public_html/801/store/admin/includes/functions/cc_crypt.php on line 36

 

I'm getting similar errors on other pages including checkout_process.php when a customer selects the check/money order payment method.

 

The credit card transactions have no problems.

 

I haven't changed the pages or the servers, but I know they did some server maintenance, so I checked if mcrypt was enabled and it was.

 

If anyone can help me out, I would really appreciate it.

*Edit* I found a workaround and it seems to have fixed the problem.


  • 3 months later...

Would you mind posting that? I noticed if cards are run through Authorize.net I get the errors on those orders, but not the rest. Thanks.


  • 5 months later...
Can someone enlighten us about how to fix the problem above? I'm also getting:

 

Warning: mdecrypt_generic() [function.mdecrypt-generic]: An empty string was passed in /xxxx/functions/cc_crypt.php on line 36

  • 2 weeks later...

Can no one help with the problem?

 

Warning: mdecrypt_generic() [function.mdecrypt-generic]: An empty string was passed in /home/[account_name]/public_html/801/store/admin/includes/functions/cc_crypt.php on line 36

 

Must be related to Simple Template System? Is there another credit encrypt solution?


  • 1 year later...

I've just installed this, but when I examine the orders, <&?’yg*$ÛVÂ|x is what appears in place of the credit card number. Is this the correct behavior? I thought it was supposed to decrypt it to view.


Looks like /includes/configure.php hadn't been uploaded. The strange encoding is gone now.


If your site processes or stores CC info you'd better be PCI Compliant.

 

If you violate the PCI mandates and are caught fines can run in the hundreds of thousands of dollars and you can be banned from getting a merchant account for life...

:o

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 



  • 1 year later...

I'm having the same problem, the cc number isn't decrypting, but now that I know what file to look at... well seems I must investigate :blush:

 

 

Anyone figure this out yet? Having the same problem with osc2.2rc2a with STS mod.


Mike,

 

 

There is nothing really to figure out. An encrypted credit card number is still a credit card number; unless you are PCI DSS Compliant, you cannot accept or store the information. Depending on your business, compliance can cost anywhere from $3000 - $20,000. This is the reason that most online stores utilize 3rd party processors.

Chris


  • 3 months later...

Hi everyone, I just installed this; the encrypting is working perfectly and the only thing that is not working is the decrypting in the admin. I can place fake orders then check the DB for the encrypted card and I will get:

7k814py3s+kPWFcL9+QErkKSMyipftVhdrBqbZAhJJw=

 

Which is exactly what I believe I should get, now I need to decrypt it in the admin, when I add :

 

$cc_number_decrypt = cc_decrypt(base64_decode($order['cc_number']), CCKEY);

 

and changed the necessary 'cc_number' => $cc_number_decrypt, so that it "should" work, but it's just showing up blank.

 

Anyone know why? Any help would be much appreciated.

 

Thanks :)

 

Steve

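Worked example, added here and not part of the thread or of osCommerce's cc_crypt.php: a decrypt path that returns an empty string for orders that carry no card number (the check/money order case that produced the "An empty string was passed" warning from mdecrypt_generic()), fails closed when the key constant from includes/configure.php is missing (the garbled-output case), and a display helper that shows only the last four digits on the admin order page. The cipher (AES-256-GCM via the OpenSSL extension, PHP 7.1+), the key format (base64 of 32 random bytes), and the helper names cc_key() and cc_mask() are this example's assumptions; the CCKEY constant and the base64 storage convention come from the thread.

```php
<?php
// Added example; not osCommerce's cc_crypt.php. Assumes PHP 7.1+ with the
// OpenSSL extension, and that CCKEY is defined in includes/configure.php
// (as in the thread) holding base64 of 32 random bytes. Cipher choice and
// the helper names cc_key() / cc_mask() are this example's, not the page's.

const CC_CIPHER  = 'aes-256-gcm';
const CC_IV_LEN  = 12;  // 96-bit nonce, the GCM default
const CC_TAG_LEN = 16;  // 128-bit authentication tag

// Fail closed when the key was never loaded (the "configure.php wasn't
// uploaded" case from the thread). With mcrypt, an undefined constant
// silently became the string "CCKEY" and garbage came out instead of an error.
function cc_key(): string
{
    if (!defined('CCKEY')) {
        throw new RuntimeException('CCKEY undefined: includes/configure.php not loaded?');
    }
    $key = base64_decode(CCKEY, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('CCKEY must be base64 of exactly 32 random bytes');
    }
    return $key;
}

// Returns base64(iv . tag . ciphertext); an empty input yields an empty output.
function cc_encrypt(string $plain): string
{
    if ($plain === '') {
        return '';  // no card on the order (e.g. check/money order)
    }
    $iv  = random_bytes(CC_IV_LEN);
    $tag = '';
    $ct  = openssl_encrypt($plain, CC_CIPHER, cc_key(), OPENSSL_RAW_DATA, $iv, $tag, '', CC_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $tag . $ct);
}

// Inverse of cc_encrypt(). An empty column never reaches the cipher, which
// is exactly the condition mdecrypt_generic() warned about on the invoice page.
function cc_decrypt(string $stored): string
{
    if ($stored === '') {
        return '';
    }
    $blob = base64_decode($stored, true);
    if ($blob === false || strlen($blob) <= CC_IV_LEN + CC_TAG_LEN) {
        throw new RuntimeException('stored cc_number is not a valid ciphertext');
    }
    $iv  = substr($blob, 0, CC_IV_LEN);
    $tag = substr($blob, CC_IV_LEN, CC_TAG_LEN);
    $ct  = substr($blob, CC_IV_LEN + CC_TAG_LEN);
    $plain = openssl_decrypt($ct, CC_CIPHER, cc_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        // Wrong key or modified row: GCM's tag check rejects it instead of
        // rendering raw bytes on the order page.
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// What the admin order page should normally display.
function cc_mask(string $pan): string
{
    if ($pan === '') {
        return '';
    }
    return str_repeat('*', max(0, strlen($pan) - 4)) . substr($pan, -4);
}

// Demo with a constructed key and the standard Visa test number.
define('CCKEY', base64_encode(random_bytes(32)));
$stored = cc_encrypt('4111111111111111');
echo cc_mask(cc_decrypt($stored)), "\n";
var_dump(cc_decrypt('') === '');
```

The two guards in cc_decrypt() are the part that addresses the thread's symptoms: the empty-string check covers orders with no card, and the strict base64 decode plus the GCM tag check turn a missing or wrong key into an exception rather than the unreadable bytes reported above. The example uses OpenSSL rather than the mcrypt calls in cc_crypt.php because mcrypt was deprecated in PHP 7.1 and removed from core in 7.2. Whether the column should hold a full card number at all is the PCI DSS question Chris raises later in the thread; this code only makes the decrypt path fail safely.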

Hi Chris, thanks for your reply. I have informed my client about this; they have told me that if needed then we will go PCI compliant, but more importantly what we are actually planning on doing is encrypting half the card and emailing the middle section to further protect against any portion of the card being compromised. I have already told them storing the information is not only useless but also not compliant; however, they can do things as they wish. As it stands it's not encrypted, and I as a person need to do whatever can be done to at least try to eliminate any fraud possibility. This seems like a good first step.

 

Thanks Again

 

Steve


Steve,

 

PCI DSS compliance is required BEFORE you/ your client begins to accept credit card information on the website. As the website creator YOU can be held legally responsible for setting up a site that is not PCI DSS compliant which could be fines and/or criminal charges. To protect YOURSELF and your client, don't set it up without PCI DSS compliance.

Chris


Hi Again Chris,

 

I should mention I was NOT involved with this prior to this; I have just been hired, and that is why I am informing them of all of these things. Had I been the original creator I would have advised them and not even made it possible to store complete numbers. What they are requesting is for me to make it better; I have informed them about the necessary compliance and have told them it is mandatory if they want to store card numbers.

 

However, now I'm curious: does anyone know how to actually decrypt the information?

 

Even though I will not be using it for this application it will certainly come in handy for another one I have in mind.

 

Also, Chris, in making a website PCI compliant so that it CAN store card numbers, I am assuming they should be encrypted regardless; is it wrong of me to think that?

 

Thanks again

 

Steve


PCI compliance is mandatory for any shop where a customer enters CC info on the site, whether it's stored or not.

 

If it's just transmitted and not stored, the PCI compliance part is fairly easy to get done and does not necessarily have to be very expensive either (like when using a payment gateway for the CC processing such as Authorize.net, PayPal Pro and so on).

 

If the CC info is stored then the PCI compliance gets quite a bit more complicated and expensive to complete (and yes, the CC numbers have to be encrypted).

 

PCI compliance for storing CC numbers is not just about the website and encryption but also about hardware, location, security, access logs, firewalls, physical access to servers, physical access logging and physical security measures and much more.

