
Need to add the CVV2 from customer's credit card


So_Not_an_HTML_genius


Hi,

 

I am just a bit lost. I am learning oscommerce but am really a newbie at this. I have installed the oscommerce on my site and have been using it successfully for three months now.

 

We have our own merchant account so all I do is have customers put in credit card numbers, I do not have nor want a gateway.

 

Anyway, our merchant services are upgrading and I need to start requesting customers to input their CVV2 numbers from the signature line of their credit card. I do not know how to do this.

 

I am running the oscommerce 2.2 MS2 php version 4.4.1

 

I truly don't know where to add modules. I did see a page here on the oscommerce site for Payment modules but have no clue where to add them. Any help would be great.

 

Thank you,

Kelly


I must add a disclaimer and say I highly recommend not doing this. You are taking on a HUGE liability for not using a payment gateway. When you take credit card numbers without a payment gateway, you are saving them in your unsecured database on your insecure shared hosting server.

 

Nevertheless, here's what you want:

 

http://www.oscommerce.com/community/contributions,2954

 

Download the file and follow the install instructions.


Hello again,

 

Thank you for the reply. By the way, kgt, maybe I am mixing terms here. I do have an SSL and am on a dedicated server...my store part that accepts credit card information is not on a shared host and the database is secure. Sorry if by saying I do not have a gateway that it sounded like it was not secured. The term for online automatic processing of credit cards through a verified company where you never get the credit card information is the part of the 'gateway' that I am talking about.

 

We process all the credit cards ourselves on our own merchant verifone and have done so for 14 years. I would never take chances nor would our merchant services allow us an account if we did not have an SSL.

 

The only reason why I am asking all these questions regarding the oscommerce is because we were a Qstore user for 14 years until no host companies would carry that software anymore because it was a bear to run. It needed to stay on a cobalt server, ran slower and needed a lot of space etc. to run. But, anytime you moved the darn thing, the owner of the software expected you to purchase an additional license for it to run on another server; he refused to grant our company a license to own it and move it wherever we wanted. I hung on as long as I could as our store has a ton of products and the idea of learning something new really horrified me. But that is why I like the oscommerce. I can bring it to almost any server and with groups like this, I am learning how to use it better and better.

 

Thanks again for the info.

Kelly


Hi Kelly,

 

I am brand new to OSCommerce having signed up tonight. I read your posting on December 15. You mentioned not choosing to use a gateway. How do you avoid having a gateway? Does the customer need to call you with their credit card number? If so, aren't people afraid to give their credit card numbers over the phone? How can you check if the credit card number is good?

 

Thanks for your help.

 

Mara

 

 


Hi Kelly,

 

Forgive me. I wrote to you before I saw all the other postings. :o

 

 

 


Hi, Gillian....

 

How does direct deposit work?

 

Thanks,

 

Mara

 

I also offer my customers the option of simply phoning me and I will input their number into my eftpos machine at the shop. I don't write their number down at all that way. Although so far most people have opted for direct deposit, better for me too as I pay no fees on that!


 

 

SSL has to do with transmission. What I am talking about is storage. While you have a dedicated server, I doubt your database is encrypted. The credit card numbers are stored in plain text. You have no way of protecting that data from your hosting service's employees, unless it's your server on your property. If your host makes backups (which they would do regularly) or you make backups, you have no way of protecting that data. In fact, backups made of MySQL databases are normally just plain text SQL dump files and require absolutely no authentication to read. I am talking about your liability, not your merchant service's.

 

http://usa.visa.com/download/business/acce...ty_Standard.pdf


Link to comment
Share on other sites

  • 2 weeks later...

Hello KGT,

 

Again, I thank you for your information and your continued updating of all users that accept credit cards to have the best security.

 

I do have a dedicated server at a host location but the difference is this, I control the oscommerce on my website, they do not. I have all the folders password protected from my end and my host does not have access whatsoever to our folders or files. Basically the only thing they can do is delete and re-boot the server which would result in a serious penalty to the host but NO exposure of liability.

All CC info entered and submitted by a customer is encrypted on its way up to the secure password protected folder. Then we access it through our encrypted password.

This procedure has been certified to meet and exceed all Visa / Mastercard International standards for Merchant security encryption. We are reviewed monthly by our bank.

The only difference between a gateway processing plan and our direct inputting the cc data is that we handle the data input processing directly. In our view and our bank's that is far more secure than going through a gateway that is operated by another firm or third party.

 

Thanks again.

 


I too would like to be able to receive the CVV number. There should be a way to incorporate it in the split CC number for the CC module. My database does not store the middle 8 digits; they come in a separate email. That is where I would like to receive the CVV: the extra order info email. I know there are contributions to collect the CVV number, but I have not seen any to mask that number in the database.

Jim


Hi Mara:

You can avoid the gateway problem by installing the CC option in the Payments Module and then setting up for split Credit Card under that module. This puts part of the CC number in the order you see and emails you the middle digits.

 

Hope this helps.

Jim

Shoppe in the Forest :)


 

This is great to read! I see too many people forgetting or not realizing the effort needed to protect cc information. I hope you will use your experience to help others here understand what's required before they can "safely" save this information.


 

 

I had this issue over the past few weeks. I finally decided to take a few contribs and combine them and have created on my site a CCV addition to the basic CC module so that the CCV number is sent through the extra order emails. However, e-mail is super insecure, so I used a PGP module and encrypt the body of the extra order email with 1024 key and use WinPG on my windows PCs to decrypt the extra order emails.

Right now I'm hoping to get a plugin or something, for exchange server, so that when an email comes in on a particular account the exchange server in house will decrypt the message and print it on a printer near our shipping desk, then delete the email.

Anyhow, just some thoughts, I will try and get my additions into a contrib once I'm done. I'm currently trying to add the CVV info contrib to give the flash info etc...about where to find the code on the cards.

Just thought I'd give some ideas how to secure CC #'s. Storing CC's in a shared server or even hosted server at a Co-lo is just a bad idea. But that's just my two cents. Also, if you store them, at least encrypt them so if someone steals the database they also will have to steal the php to figure out how to decrypt.

 

My two cents ;)


Hi there,

 

I am currently using the 'Credit Card with CVV2' contribution and all is working ... except on the order screen I cannot see the CVV2 number displayed.

 

I have the following code on the orders page so it will display

 

echo $order->info['cc_cvv2'];

 

But nothing is showing.

 

I have checked the SQL and the CVV2 number for the test order has been stored

 

Can anyone advise me on this

 

Paul


  • 4 weeks later...

 

Having the same problem here, is it to do with globals being off??
