
nfrobertson

Encrypting Credit Card Number (cc_number) in OSC


Annie,

 

I will preface this post with the fact that I don't have Order Editor loaded so I can't be of specific help.

 

The way this cc encrypt contrib is written (see code in step 4) it supports the cc_number being in one of three states in the database: 1) encrypted 2) blank/empty/null (i.e. nothing in it) 3) "zapped" (i.e. xxxxxxxxxxxx1234)

 

If you have real credit card numbers in there that won't work. You could delete them all like cooch suggested or you could load the card zapper contrib and zap them all.

 

An intrepid coder could write a script to convert all existing credit card numbers to encrypted form. I don't have time to do that right now but maybe in the future...

 

Sorry - I was thinking that Cooch may have been using Order Editor. I wasn't sure if my errors had to do with that installation or not.

 

I'm just setting up a clean modified version of OSC in a testing area of my server - no playing with my production server.

 

I removed the cc# in my "yeah, it's working" fake order & I stopped getting the error code on the admin side. Thanks for that tip. Now to find out why checkout process isn't liking me on a new fake order that I'm creating. :)

 

Thanks for the help. I'm always grateful for folks who share these mods since my coding knowledge is extremely limited. :thumbsup:

 

Annie


It's not a learning curve, it's a cliff!


:D Score!

I should never try to install a mod when I am tired! I accidentally replaced the wrong line in order_process.php.

I accidentally replaced 'cc_type' => $order->info['cc_type'],

instead of 'cc_number' => $order->info['cc_number'],

 

That was the cause of my error message.

 

Problem existed between keyboard and chair. :blush:

 

Annie



Is there anyone who could possibly help me use the Card Zapper contribution to ZAP all old cc numbers from my orders without having to enter the order id's one at a time? OR, should I just use phpMyAdmin and empty out the cc numbers column?


Have you thought about trying this?

 

http://www.oscommerce.com/community/contributions,2777


:'( So, I installed this easy contribution and ran it, and it did the job simply enough. But it seems this was written as a one-off solution, as it does not in any way flag CC numbers which have already been cleaned, so the next time it tries to do the job, it goes through all the orders again. Even though it is quite quick.


In clean_cc_numbers.php change this:

$orders_query = tep_db_query("select orders_id,cc_number,orders_status from " . TABLE_ORDERS . " where orders_status != ".PENDING_STATUS_ID." AND payment_method = 'cc'");

 

to this:

 

$orders_query = tep_db_query("select orders_id,cc_number,orders_status from " . TABLE_ORDERS . " where orders_status != ".PENDING_STATUS_ID." AND payment_method != '' AND cc_number not like 'xxxx%'");


OK, thanks a lot, I will try that!! <_<


Hi guys...

I've read through this thread with interest and want to clarify a few things...

I'm developing an online store that will process credit cards manually (the store also has a brick and mortar presence). I want the credit card details to be as secure as possible.

 

At the moment, I have it set up so that the middle digits are emailed to me. I've looked at the database and the credit card numbers are being stored as 4111XXXXXXXX1111. So what I'm confused about is - what is this thread suggesting? Isn't that what oscommerce does automatically?

 

Sorry if I'm completely missing the point, but would love for someone to clear it up for me :)

 

~bobsi18~


Out of the box, osCommerce stores the credit cards in the database (orders table cc_number field) in plain text. There is no security whatsoever. There are contributions that split and email part of the credit card number, like you have mentioned. I decided to take a different approach and encrypt the cc_number field until I had processed the order. Then I use the Card Zapper contrib to render the cc_number in the database useless (i.e. xxxxxxxx1234). Just a different way to handle the problem of credit card numbers in the database.


First, thank you for the contrib, I'm using it and it's great. I just wanted to add something to it for those who have Zapped: here is something you can add to the zapt.php file so that when you zap the CC number it returns xxxxxxxxxxxx1234 like it's supposed to, instead of xxxxxxxxxxxx like it does now if you don't do this on top of what the instructions say. Note: This is ONLY if you have this contrib and the Zapped Credit Card Contrib.

 

Open catalog/admin/zapt.php

 

Now the instructions that come with Encrypting Credit Card Number (cc_number) osc do have the first step but I will repeat just to make sure.

 

Find

<?php include('zapfunctions.php'); ?>

 

Replace With

<?php

include('zapfunctions.php');

require(DIR_WS_FUNCTIONS . 'cc_crypt.php');

?>

 

Find

$row = mysql_fetch_assoc($result);

 

Add Right After

$cc_number_decrypt = cc_decrypt(base64_decode($row['cc_number']), CCKEY);

 

That's it :) Not sure if anyone cares but figured I would add it as it could be useful to others.


I care! I just installed this encryption contribution and it seems to be working great! Many thanks for all the hard work that went into it. I have also installed the Card Zapper contribution and just wanted to add to the post above about how to get both of them working together so all but the last 4 digits are Xed out. Here's the mod I had to make to zapt.php to get it working right for me... Hope someone else can benefit by this as I have all of the comments in this forum.

 

 

// Zap all but last 4 digits of credit card number
//
$sql = "SELECT `cc_number` FROM orders WHERE `orders_id`=('$order');";
$result = mysql_query($sql);
if (!$result) {
  die("Unable to select cc_number [$sql]");
} else {
  $row = mysql_fetch_assoc($result);
  $cc_number_decrypt = cc_decrypt(base64_decode($row['cc_number']), CCKEY);
  // $ccnum = $row['cc_number'];
  $newnum = substr($cc_number_decrypt, -4, 4); // This was $newnum = substr($ccnum, -4, $ccnum);
  $newnum = "xxxxxxxxxxxx" . $newnum;

  $sql = "UPDATE `orders` SET `cc_number`='$newnum' WHERE `orders_id`=('$order');";
  $result = mysql_query($sql);
  if (!$result) die("Unable to zap card [$sql]");
}

?>


Hmm, I have my contrib here integrated with the Card Zapper but apparently I never added the specifics to the install instructions? :blush: Here's what I did to integrate the two:

 

FILE: admin/zapt.php

 

Find at line 1

<?php include('zapfunctions.php'); ?>

 

Add after it:

<?php require(DIR_WS_FUNCTIONS . 'cc_crypt.php'); ?>
<?php require(DIR_WS_FUNCTIONS . 'general.php'); ?>

 

Find at line 73

  $row    = mysql_fetch_assoc($result);
  $ccnum  = $row['cc_number'];
  $newnum = substr($ccnum, -4, $ccnum);
  $newnum = "xxxxxxxxxxxx" . $newnum;

 

Replace with:

  $row   = mysql_fetch_assoc($result);
  $ccnum = $row['cc_number'];
  $newnum = "";
  if (tep_not_null($ccnum)) {
    if (!strncmp("xxxxxxxxxxxx", $ccnum, 12)) {
      $newnum = $ccnum; // already zapped, keep as is
    } else {
      // encrypted: decrypt, then keep only the last four digits
      $ccnum  = cc_decrypt(base64_decode($ccnum), CCKEY);
      $newnum = substr($ccnum, -4); // last 4 digits (the original passed $ccnum itself as the length argument)
      $newnum = "xxxxxxxxxxxx" . $newnum;
    }
  }

 

This last bit is what makes it work and is similar to the edit in order.php (step 4 and/or 5)

 

Hope this helps.
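As an added example, not code from the cc_number contribution, the Card Zapper or this post, here is one way to put three things from this thread into a single set of functions: the three states a stored cc_number can be in (encrypted, empty, zapped) from the first reply, the "convert all existing credit card numbers to encrypted form" script mentioned there, and the zapper edit above. The names cc_seal(), cc_open(), cc_state(), cc_zap(), cc_migrate_plaintext() and cc_selftest() are chosen here; the openssl-based AES-256-CBC cipher is a stand-in for the contribution's mcrypt-based cc_encrypt()/cc_decrypt(), and the PDO connection to the store database is assumed.

```php
<?php
// Added example, not code from the cc_number contribution or the Card Zapper.
// One place to handle the states a stored cc_number can be in: encrypted,
// empty, zapped, and (for stores that installed the contribution late) legacy
// plaintext digits. Assumes PHP 7.4+ with the openssl extension. cc_seal() and
// cc_open() are stand-ins for the contribution's cc_encrypt()/cc_decrypt(),
// using AES-256-CBC with a random IV stored in front of the ciphertext.

const ZAP_PREFIX = 'xxxxxxxxxxxx';
const CC_CIPHER  = 'aes-256-cbc';

// Returns base64(iv || ciphertext). The IV is exactly the cipher's block
// length, which is what an "Iv size incorrect" warning is complaining about.
function cc_seal(string $plain, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length(CC_CIPHER));
    $ct = openssl_encrypt($plain, CC_CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

// Inverse of cc_seal(); null for anything that is not a sealed value.
function cc_open(string $stored, string $key): ?string {
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CC_CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        return null;
    }
    $plain = openssl_decrypt(substr($raw, $ivLen), CC_CIPHER, $key,
                             OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    return $plain === false ? null : $plain;
}

// Classify the column value once so every caller branches the same way.
function cc_state(?string $stored): string {
    if ($stored === null || $stored === '') {
        return 'empty';
    }
    if (strncmp(ZAP_PREFIX, $stored, strlen(ZAP_PREFIX)) === 0) {
        return 'zapped';
    }
    if (ctype_digit($stored) && strlen($stored) >= 13 && strlen($stored) <= 19) {
        return 'plaintext';   // bare card digits written before the contribution
    }
    return 'encrypted';
}

// Value the zapper should write back: empty and zapped rows are left alone,
// everything else becomes the prefix plus the last four digits.
function cc_zap(?string $stored, string $key): ?string {
    switch (cc_state($stored)) {
        case 'empty':
        case 'zapped':
            return $stored;
        case 'plaintext':
            return ZAP_PREFIX . substr($stored, -4);
        default:
            $plain = cc_open($stored, $key);
            if ($plain === null) {
                throw new RuntimeException('stored cc_number does not decrypt');
            }
            return ZAP_PREFIX . substr($plain, -4);
    }
}

// One-off migration of legacy plaintext rows to encrypted form. $pdo is an
// open PDO connection to the store database (assumed); the table is the
// stock "orders" table. Prepared statements keep orders_id out of the SQL text.
function cc_migrate_plaintext(PDO $pdo, string $key): int {
    $rows = $pdo->query('SELECT orders_id, cc_number FROM orders');
    $upd  = $pdo->prepare('UPDATE orders SET cc_number = :cc WHERE orders_id = :id');
    $changed = 0;
    foreach ($rows as $row) {
        if (cc_state($row['cc_number']) !== 'plaintext') {
            continue;   // already encrypted, zapped or empty
        }
        $upd->execute([':cc' => cc_seal($row['cc_number'], $key), ':id' => $row['orders_id']]);
        $changed++;
    }
    return $changed;
}

// Stand-alone check with a constructed key and the 4111... test number.
function cc_selftest(): bool {
    $key    = hash('sha256', 'example-only-key', true);   // 32 bytes for AES-256
    $sealed = cc_seal('4111111111111111', $key);
    return cc_state($sealed) === 'encrypted'
        && cc_zap($sealed, $key) === ZAP_PREFIX . '1111'
        && cc_zap(ZAP_PREFIX . '1111', $key) === ZAP_PREFIX . '1111'
        && cc_zap('', $key) === '';
}

echo cc_selftest() ? "cc_number handling ok\n" : "cc_number handling FAILED\n";
```

Run it from the command line to see the self-test; cc_migrate_plaintext() is only called from your own script with a PDO handle, after a backup of the orders table. Keeping the state check in one function is what prevents the bare "xxxxxxxxxxxx" result: the zapper never tries to decrypt a row that is empty or already zapped, and never takes the last four characters of a value that is not card digits.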


Thank you! This did work fine - just not how I expected exactly. I was thinking the zapped number would be encrypted in the database so even the last 4 digits of a cc would not be in plain text. My bad... :rolleyes:


For those of you who have stored cc data and want to wipe out the numbers for all orders of a given status (i.e. Pending, Shipped, etc.), just enter the following sql statement into phpMyAdmin or the shell.

 

UPDATE orders set cc_number = '' where orders_status = '3' AND payment_method = 'Credit Card';

 

MAKE SURE TO CHECK WHAT STATUS YOU HAVE IN YOUR ORDERS_STATUS TABLE TO MAKE SURE YOU ARE WIPING THE CORRECT STATUS. NOTE: THIS WILL WIPE ALL INFO FROM THE CC_NUMBER FIELD OF THAT STATUS.

 

Hope this helps someone.


Hi. I just installed this contribution on my osc demo site, and I'm getting this error on all orders, including those processed after it was installed: Warning: mcrypt_generic_init(): Iv size incorrect; supplied length: 11, needed: 32 in /public_html/demo/admin/includes/functions/cc_crypt.php on line 33. I deleted all my old orders, because someone suggested that might be the problem, and that didn't do anything. Looking in the database, the credit card number is not encrypted. Does anyone know what I might have done wrong?


Always BACK UP your files and your database before making any changes. Before asking questions, check out the Knowledge Base. Check out the contributions to see if your problem's solved there. Search the forums.

 

Useful threads: Store Speed Optimization How to make a horrible shop Basics for design change How to search the forums

 

Useful contributions: Easypopulate Fast, Easy Checkout Header Tag Controller


Never mind. I am an idiot and have 4 versions of my site, and installed it on the wrong version of the site.



Okay. So. Now it isn't decrypting the cc number in the admin. I tried removing the if statement to stop it from decrypting if the cc number was gone, so that the code was:

$cc_number_decrypt = $order['cc_number'];
$cc_number_decrypt = cc_decrypt(base64_decode($order['cc_number']), CCKEY);

in admin/includes/classes/order.php, but that didn't work. And I made absolutely certain to copy it into all my admin sections. So. Does anyone have any idea what I did wrong?


I'm having the same problem, the cc number isn't decrypting, but now that I know what file to look at... well seems I must investigate :blush:


I'm kinda new to OsC, but I'm picking up quickly.


Any experts out there that can give me a suggestion? I'm having some trouble with this contribution for encrypting credit cards prior to storing them in the database. Everything seems to work fine except for the actual storing. For some reason, the database value is not the same as what is being echo'd via PHP. If I perform the algorithm and mysql insert somewhere other than checkout_process.php, then it works fine.

 

For example, I've done a cut/paste of the code from checkout_process.php to zapt.php and run the credit card zapper. In this case, the mysql value is correct. However, that exact same code when put in checkout_process.php doesn't store properly. I'm at a loss for what's wrong, can anyone help?


Hello,

 

I have installed this now I am getting an error on the orders.php page

 

Parse error: parse error, unexpected T_VARIABLE, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /homepages/19/d91395514/htdocs/demo/catalog/includes/classes/order.php on line 30

 

Any suggestions?

 

Jason


Hey all... Got this working great aside from one error...

When you go to check your order as a customer, I get a blank page... the error in the logs is...

 

PHP Fatal error: Call to undefined function: cc_decrypt() in ...../store2/includes/classes/order.php on line 43

 

That line of code is...

 

38    // See if we need to decrypt - if it's already been zapped or deleted then no decrypt
39
40    $cc_number_decrypt = $order['cc_number'];
41    if(tep_not_null($cc_number_decrypt)) {
42      if(strncmp("xxxxxxxxxxxx", $cc_number_decrypt, 12)) {
43        $cc_number_decrypt = cc_decrypt(base64_decode($order['cc_number']), CCKEY);
44      }
45    }
46    else {
47      $cc_number_decrypt = '';
48    }

 

Any ideas? Every other page works fine. It is encrypting in the database & decrypting in Admin with no problems.

 

Thanks guys!

 

Jim

:-"


You know, I just commented out that entire block of code, and that solved my issue. I don't think I really care if the customer doesn't see the CC# on the order history page... if it ever becomes an issue, I'll address it then.

 

Thanks Anyway!

 

J


I'm considering installing this contribution as I will be changing CC modules and the one I'm moving to stores the CC#. I have some questions first. 1. Does this contribution allow you to have the CC# encrypted in the DB but allow you on the admin side to decrypt the CC#? 2. The installation notes don't mention much about installing on a modified system. Any tips from those who have installed this successfully?

 

Thanks in advance!


If you guys want to be compliant with Visa, Mastercard, and American Express, you can't store credit card numbers (even encrypted) without being PCI compliant (which is a huge pain in the ass):

 

http://www.pcicomplianceguide.org/

 

If you do get caught storing numbers without getting compliant, you can get banned from accepting credit cards from the major providers.

 

Legally, it's better to not store the numbers and get all of the info from your merchant provider.
