So_Not_an_HTML_genius Posted December 15, 2006 Share Posted December 15, 2006 Hi, I am just a bit lost. I am learning oscommerce but am really a newbie at this. I have installed the oscommerce on my site and have been using it successfully for three months now. We have our own merchant account so all I do is have customers put in credit card numbers, I do not have nor want a gateway. Anyway, our merchant services are upgrading and I need to start requesting customers to input their CVV2 numbers from the signature line of their credit card. I do not know how to do this. I am running the oscommerce 2.2 MS2 php version 4.4.1 I truly don't know where to add modules. I did see a page here on the oscommerce site for Payment modules but have no clue where to add them. Any help would be great. Thank you, Kelly Quote Link to comment Share on other sites More sharing options...
kgt Posted December 15, 2006 Share Posted December 15, 2006 I must add a disclaimer and say I highly recommend not doing this. You are taking on a HUGE liability for not using a payment gateway. When you take credit card numbers without a payment gateway, you are saving them in your unsecured database on your insecure shared hosting server. Nevertheless, here's what you want: http://www.oscommerce.com/community/contributions,2954 Download the file and follow the install instructions. Quote Contributions Discount Coupon Codes Donations Link to comment Share on other sites More sharing options...
my scrap shop G Posted December 15, 2006 Share Posted December 15, 2006 I also offer my customers the option of simply phoning me and I will input their number into my eftpos machine at the shop. i don't write their number down at all that way. although so far most people have opted for direct deposit, better for me too as I pay no fees on that! Quote Link to comment Share on other sites More sharing options...
So_Not_an_HTML_genius Posted December 16, 2006 Author Share Posted December 16, 2006 Hello again, Thank you for the reply. By the Way kgt, maybe I am mixing terms here. I do have an SSL and am on a dedicated server...my store part that accepts credit card information is not on a shared host and the database is secure. Sorry if by saying I do not have a gateway that it sounded like it was not secured. The term for online automatic processing of credit cards through a verified company where you never get the credit card information is the part of the 'gateway' that I am talking about. We process all the credit cards ourselves on our own merchant verifone and have done so for 14 years. I would never take chances nor would our merchant services allow us an account if we did not have an SSL. The only reason why I am asking all these questions regarding the oscommerce is because we were a Qstore user for 14 years until no host companies would carry that software anymore because it was a bear to run. It needed to stay on a cobalt server, ran slower and needed a lot of space etc. to run. But, anytime you moved the darn thing, the owner of the software expected you to purchase an additional license for it to run on another server, he refused to grant our company a license to own it and move it where ever we wanted. I hung on as long as I could as our store has a ton of products and the idea of learning something new really horrified me. But that is why I like the oscommerce. I can bring it to almost any server and with groups like this, I am learning how to use it better and better. Thanks again for the info. Kelly Quote Link to comment Share on other sites More sharing options...
8paws Posted December 17, 2006 Share Posted December 17, 2006 Hi Kelly, I am brand new to OSCommerce having signed up tonight. I read your posting on December 15. You mentioned not choosing to use a gateway. How do you avoid having a gateway? Does the customer need to call you with their credit card number? If so, aren't people afraid to give their credit card numbers over the phone? How can you check if the credit card number is good? Thanks for your help. Mara Hi, I am just a bit lost. I am learning oscommerce but am really a newbie at this. I have installed the oscommerce on my site and have been using it successfully for three months now. We have our own merchant account so all I do is have customers put in credit card numbers, I do not have nor want a gateway. Anyway, our merchant services are upgrading and I need to start requesting customers to input their CVV2 numbers from the signature line of their credit card. I do not know how to do this. I am running the oscommerce 2.2 MS2 php version 4.4.1 I truly don't know where to add modules. I did see a page here on the oscommerce site for Payment modules but have no clue where to add them. Any help would be great. Thank you, Kelly Quote Link to comment Share on other sites More sharing options...
8paws Posted December 17, 2006 Share Posted December 17, 2006 Hi Kelly, Forgive me. I wrote to you before I saw all the other postings. :o Hello again, Thank you for the reply. By the Way kgt, maybe I am mixing terms here. I do have an SSL and am on a dedicated server...my store part that accepts credit card information is not on a shared host and the database is secure. Sorry if by saying I do not have a gateway that it sounded like it was not secured. The term for online automatic processing of credit cards through a verified company where you never get the credit card information is the part of the 'gateway' that I am talking about. We process all the credit cards ourselves on our own merchant verifone and have done so for 14 years. I would never take chances nor would our merchant services allow us an account if we did not have an SSL. The only reason why I am asking all these questions regarding the oscommerce is because we were a Qstore user for 14 years until no host companies would carry that software anymore because it was a bear to run. It needed to stay on a cobalt server, ran slower and needed a lot of space etc. to run. But, anytime you moved the darn thing, the owner of the software expected you to purchase an additional license for it to run on another server, he refused to grant our company a license to own it and move it where ever we wanted. I hung on as long as I could as our store has a ton of products and the idea of learning something new really horrified me. But that is why I like the oscommerce. I can bring it to almost any server and with groups like this, I am learning how to use it better and better. Thanks again for the info. Kelly Quote Link to comment Share on other sites More sharing options...
8paws Posted December 17, 2006 Share Posted December 17, 2006 Hi, Gillian.... How does direct deposit work? Thanks, Mara I also offer my customers the option of simply phoning me and I will input their number into my eftpos machine at the shop. i don't write their number down at all that way. although so far most people have opted for direct deposit, better for me too as I pay no fees on that! Quote Link to comment Share on other sites More sharing options...
kgt Posted December 18, 2006 Share Posted December 18, 2006 Hello again, Thank you for the reply. By the Way kgt, maybe I am mixing terms here. I do have an SSL and am on a dedicated server...my store part that accepts credit card information is not on a shared host and the database is secure. Sorry if by saying I do not have a gateway that it sounded like it was not secured. The term for online automatic processing of credit cards through a verified company where you never get the credit card information is the part of the 'gateway' that I am talking about. We process all the credit cards ourselves on our own merchant verifone and have done so for 14 years. I would never take chances nor would our merchant services allow us an account if we did not have an SSL. The only reason why I am asking all these questions regarding the oscommerce is because we were a Qstore user for 14 years until no host companies would carry that software anymore because it was a bear to run. It needed to stay on a cobalt server, ran slower and needed a lot of space etc. to run. But, anytime you moved the darn thing, the owner of the software expected you to purchase an additional license for it to run on another server, he refused to grant our company a license to own it and move it where ever we wanted. I hung on as long as I could as our store has a ton of products and the idea of learning something new really horrified me. But that is why I like the oscommerce. I can bring it to almost any server and with groups like this, I am learning how to use it better and better. Thanks again for the info. Kelly SSL has to do with transmission. What I am talking about is storage. While you have a dedicated server, I doubt your database is encrypted. The credit card numbers are stored in plain text. You have no way of protecting that data from your hosting service's employees, unless it's your server on your property. If your host makes backups (which they would do regularly) or you make backups, you have no way of protecting that data. In fact, backups made of mySQL databases are normally just plain text SQL dump files and require absolutely no authentication to read. I am talking about your liability, not your merchant service's. http://usa.visa.com/download/business/acce...ty_Standard.pdf Quote Contributions Discount Coupon Codes Donations Link to comment Share on other sites More sharing options...
So_Not_an_HTML_genius Posted December 27, 2006 Author Share Posted December 27, 2006 Hello KGT, Again, I thank you for your information and your continued updating of all users that accept credit cards to have the best security. I do have a dedicated server at a host location but the difference is this, I control the oscommerce on my website, they do not. I have all the folders password protected from my end and my host does not have access what so ever to our folders or files. Basically the only thing they can do is delete and re-boot the server which would result in a serious penalty to the host but NO exposer of liability. All CC info entered and submitted by a customer is encrypted on it's way up to the secure password protected folder. Then we access it through our encrypted password. This proceedure has been certified to meet and exceed all Visa / Mastercard International standards for Merchant security encryption. We are reviewed monthly by our bank. The only difference between a gateway processing plan and our direct inputing the cc data is that we handle the data input processing directly. In our view and our banks that is far more secure than going through a gateway that is operated by another firm or third party. Thanks again. SSL has to do with transmission. What I am talking about is storage. While you have a dedicated server, I doubt your database is encrypted. The credit card numbers are stored in plain text. You have no way of protecting that data from your hosting service's employees, unless it's your server on your property. If your host makes backups (which they would do regularly) or you make backups, you have no way of protecting that data. In fact, backups made of mySQL databases are normally just plain text SQL dump files and require absolutely no authentication to read. I am talking about your liability, not your merchant service's. http://usa.visa.com/download/business/acce...ty_Standard.pdf Quote Link to comment Share on other sites More sharing options...
Forestshopkeeper Posted December 28, 2006 Share Posted December 28, 2006 I too would like to be able to receive the CVV number. There should be a way to incorporate it in the split CC number for the CC module. My database does not store the middle 8 digits, the come in a separate email. That is where I would like to receive the CVV; the extra order info email. I know there are contributions to collect the CVV number, but I have not seen any to mask that number in the database. Jim Quote Link to comment Share on other sites More sharing options...
Forestshopkeeper Posted December 31, 2006 Share Posted December 31, 2006 Hi Kelly, I am brand new to OSCommerce having signed up tonight. I read your posting on December 15. You mentioned not choosing to use a gateway. How do you avoid having a gateway? Does the customer need to call you with their credit card number? If so, aren't people afraid to give their credit card numbers over the phone? How can you check if the credit card number is good? Thanks for your help. Mara Hi Mara: You can avoid the gateway problem by installing the CC option in the Payments Module and then setting up for split Credit Card under that module. This puts part of the CC number in the order you see and emails you the middle digits. Hope this helps. Jim Shoppe in the Forest :) Quote Link to comment Share on other sites More sharing options...
kgt Posted January 2, 2007 Share Posted January 2, 2007 Hello KGT, Again, I thank you for your information and your continued updating of all users that accept credit cards to have the best security. I do have a dedicated server at a host location but the difference is this, I control the oscommerce on my website, they do not. I have all the folders password protected from my end and my host does not have access what so ever to our folders or files. Basically the only thing they can do is delete and re-boot the server which would result in a serious penalty to the host but NO exposer of liability. All CC info entered and submitted by a customer is encrypted on it's way up to the secure password protected folder. Then we access it through our encrypted password. This proceedure has been certified to meet and exceed all Visa / Mastercard International standards for Merchant security encryption. We are reviewed monthly by our bank. The only difference between a gateway processing plan and our direct inputing the cc data is that we handle the data input processing directly. In our view and our banks that is far more secure than going through a gateway that is operated by another firm or third party. Thanks again. This is great to read! I see too many people forgetting or not realizing the effort needed to protect cc information. I hope you will use your experience to help others here understand what's required before they can "safely" save this information. Quote Contributions Discount Coupon Codes Donations Link to comment Share on other sites More sharing options...
xpman Posted January 9, 2007 Share Posted January 9, 2007 This is great to read! I see too many people forgetting or not realizing the effort needed to protect cc information. I hope you will use your experience to help others here understand what's required before they can "safely" save this information. I had this issue over the past few weeks. I finally decided to take a few contribs and combine them and have created on my site a CCV addition to the basic CC module so that the CCV number is send thru the extra order emails. However, e-mail is super insecure, so I used a PGP module and encrypt the body of the extra order email with 1024 key and use WinPG on my windows PCs to decrypt the extra order emails. Right now I'm hoping to get a plugin or something, for exchange server, so that when a email comes in on a particular account the exchange server in house, will decrypt the message and print it on a printer near our shipping desk, then delete the email. Anyhow, just some thoughts, I will try and get my additions into a contrib once I'm done. I'm currently trying to add the CVV info contrib to give the flash info etc...about where to find the code on the cards. Just thought I'd give some ideas how to secure CC #'s. storing CC's in a shared server or even hosted server at a Co-lo is just a bad idea. But thats just my two cents. Also, if you store them, at least encrypt them so if someone steals the database they also will have to steal the php to figure out how to decrypt. My two cents ;) Quote Link to comment Share on other sites More sharing options...
hero2zero Posted January 9, 2007 Share Posted January 9, 2007 Hi there, I am currently using the 'Credit Card with CVV2' contribution and all is working ... except on the order screen I can not see the CVV2 number displayed. I have the following code on the orders page so it will display echo $order->info['cc_cvv2']; But nothing is showing. I have checked the SQL and the CVV2 number for the test order has been stored Can anyone advise me on this Paul Quote Link to comment Share on other sites More sharing options...
gerard Posted January 31, 2007 Share Posted January 31, 2007 Hi there, I am currently using the 'Credit Card with CVV2' contribution and all is working ... except on the order screen I can not see the CVV2 number displayed. I have the following code on the orders page so it will display echo $order->info['cc_cvv2']; But nothing is showing. I have checked the SQL and the CVV2 number for the test order has been stored Can anyone advise me on this Paul Having the same problem here, is it to do with globals being off?? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.