Credit Card with CVV2 Version v2.2RC2a


googlejunky

Hi guys,

 

Really need help with this ASAP. Installed everything and double checked 10 times but after the checkout_payment.php page I press continue and get a completely blank, broken page no matter which payment method I choose. Any ideas?

 

thanks

Ashley

Link to comment
Share on other sites

Further to this I've worked out it's something to do with this part in checkout_confirmation:

    require(DIR_WS_CLASSES . 'order_total.php');
    $order_total_modules = new order_total;
    $order_total_modules->process();

As when I take that out the page doesn't break although obviously there's no order totals on the page.

Any help would be much appreciated as I was up until about 4 this morning trying to work it out and this is not how I want to spend my Saturday.

Thanks

Ashley

Link to comment
Share on other sites

  • 1 month later...

In the admin orders I am only getting:

Credit Card Type: Visa
Credit Card Owner: test person
Credit Card Number: 4111XXXXXXXX1111
Credit Card Expires: 0111

No CVV number??

Can someone please help or give some ideas why? I have checked all the code, don't know where to look next?

 

Can anyone help? I have the same problem.

Link to comment
Share on other sites

  • 2 weeks later...

I can't seem to find any downloads for CCV that work at all. Even tried one where you have to put all the code in as instructed and it doesn't work either. Anyone get it working? I'd really like a copy of your files if you did get it working. I really need this to accept credit card orders.

PLEASE HELP

Link to comment
Share on other sites

You won't find probably 2-3 people here that use it still because of the new PCI requirements. Most use an off site processor. It is much easier.

Edited by mdtaylorlrim


Link to comment
Share on other sites

  • 9 months later...

You COULD do that, but you would still need to be PCI DSS compliant to receive/store that information in the email client.

 

 

 

 

 

Chris

Link to comment
Share on other sites

  • 3 weeks later...

The official line from PCI is you do not need to do anything to protect the CVV in a temporary or permanent stored situation. In fact, in PCI DSS v 2.0 they mention protection for PIN and CVV as "N/A".

 

And why is this so you may ask ...

 

Because you will NEVER have the CVV or PIN in the first place, therefore, protecting something you don't have in your possession is "N/A".

 

The CVV must NEVER NEVER NEVER be stored either temporarily or permanently, either encrypted or not, either broken up (truncated) or complete. In short, you can NOT capture the CVV in any way, shape or form under any circumstances. Period.

 

People are getting mixed up with the "live" online processing of credit cards i.e., the direct live communication between gateway and the merchant account for processing of credit cards instantly on the internet - this DOES REQUIRE the CVV to be entered.

 

But we are not talking about live online credit card processing. We are talking about capturing credit card details to enable the business owner to then charge the card via another means, perhaps offline or into their existing merchant account facility or into a terminal. It is important to understand the difference in order for you to follow what I am saying here. And there is a HUGE difference, one system transacts live online totally without you knowing, the other you control the charging and it's cheaper.

 

If you have a merchant account that "requires" the CVV to be entered and won't let you charge the card without it, then it is not a merchant account approved to charge card not present credit card payments received. You not only risk the wrath of acting illegally under PCI but if your merchant account provider finds out then I would not like to be you.

 

Now, if your merchant account is approved to allow you to charge through it credit card payments received by card not present means - some term this as MOTO enabling your merchant account - (mail order telephone order), then it can not possibly require the CVV to be entered. It may still ask for it but leave it blank and it will process the charge without it.

 

But let's say you have a MOTO enabled merchant account or a terminal, one that allows you to charge card not present payments received, and it still requires you to enter in the CVV, it won't let you charge the card without the CVV. Well, dump that merchant account provider because they are about to be taken out of business by the card vendors themselves.

 

Let me explain. For starters that would mean they are forcing you to act illegally under PCI. In other words, they are forcing you to somehow capture the CVV for you to have it in your possession in some way to have it to enter into your merchant account to charge the card. But this is 100% ILLEGAL under PCI - if you do that you are setting yourself up for fines and you could lose your right to process Visa, Master Card and American Express Cards for good.

 

If this is you then I suggest ringing your merchant account provider up and ask them directly .. "How do you suggest I capture and temporarily store the CVV so I will have it to enter into your merchant account facility when I charge the card?" They will not be able to answer that because their advice would have to be for you to act illegally. And if they did this and Visa or any of the other card vendors found out about it, they would be finished, big time.

 

If you are a developer and are setting something up for your client to manually capture the CVV, if and when they get caught they could simply put their hands in the air and say "it's not our fault, our developer did this" so make sure you've got a huge amount of money in the bank to pay the fine!!!

 

My three osc's do things manually, I like being in total control of what I accept online and I process offline into my MOTO approved terminal. I use a proper manual payment gateway to handle credit cards online. I'm not going to mention them because I don't want to be seen as promoting them as I've mentioned them in almost all of my posts so far (I don't want to get into trouble with moderators).

 

My advice is simple, just make sure you do things the right way and make sure your merchant account provider is also doing things the right way. It's not that hard.

 

Cheers

Link to comment
Share on other sites

The only time CVV can be entered manually into a terminal is if the customer stands in front of you with their card, showing you the CVV or giving you the card so that you can read it and enter it in directly into the terminal, or you are talking to them on the telephone and they tell you the CVV number and you input it directly into the terminal.

 

As the poster mentioned above it can not be stored, written down or otherwise "saved".

Link to comment
Share on other sites

Absolutely correct Nick.

 

If people have a merchant account they use to charge credit cards received by card not present means, i.e., from a proper PCI compliant manual payment gateway, a fax machine, physical mail order or over the telephone where they charge the card after they have had time to verify things themselves, then they only need to ensure their merchant account is enabled for this. Like I said before, some term this as MOTO (mail order telephone order) enabling your merchant account.

 

Once this is done the merchant account (terminal or online virtual terminal) will not (it's not allowed to) require the CVV to be entered to charge the card, although it may still ask for it for those times as Nick has mentioned above.

 

You will then not have to worry about anything to do with CVV because it is not part of the official scheme when you manually (MOTO) process credit cards. And you will be complying with PCI (assuming your oscommerce site doesn't touch or see the cc data and you destroy the card data once you charge the card of course).

 

Here's to staying safe everyone ... :thumbsup:

 

Cheers

Link to comment
Share on other sites

  • 5 weeks later...

I went through the twenty steps to install this add on but am confused in that I do not see a CVV form field on my checkout_payment.php page. I see the name, card number, expiration month & year, BUT NO CVV field.

 

Also, I see these lines of code put out a form field and some text, but where can I modify what is being put out? Is this "$selection[$i]['fields'][$j]['title']" a function call?

    for ($j=0, $n2=sizeof($selection[$i]['fields']); $j<$n2; $j++) {
      echo $selection[$i]['fields'][$j]['title'];
      echo $selection[$i]['fields'][$j]['field'];
    }

 

Thanks.

 

Tom

Link to comment
Share on other sites

  • 4 months later...

@@ben.maleki,

 

You can delete the module from the /includes/modules/payment/ and the /includes/languages/english/modules/payment/ directories and THEN, you will need to remove the tables from the database. This is the crucial part because that is where the data is stored.

 

 

 

Chris

Link to comment
Share on other sites
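
A check for the point made in the post above, that the database is where the card data ends up: this added example (not part of the thread or of any osCommerce contribution) scans an orders table for CVV columns that hold values and for card numbers stored unmasked. The column names mirror the fields in the admin output quoted earlier in the thread and are assumptions, `cc_cvv` is a hypothetical name, and SQLite with constructed rows stands in for the shop's MySQL database.

```python
import re
import sqlite3

# Column names that suggest a stored card verification value.
CVV_COLUMN = re.compile(r"cvv|cvc|cv2", re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """Return True if a digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_orders(conn, table="orders"):
    """Return (kind, column, detail) findings for stored card data.

    `table` is chosen by the operator running the audit, never user input.
    """
    findings = []
    cols = [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
    for col in cols:
        if CVV_COLUMN.search(col):
            count = conn.execute(
                f"SELECT COUNT(*) FROM {table} "
                f"WHERE {col} IS NOT NULL AND {col} <> ''").fetchone()[0]
            if count:
                findings.append(("cvv_stored", col, count))  # detail = row count
    if "cc_number" in cols:
        rows = conn.execute(f"SELECT orders_id, cc_number FROM {table}")
        for order_id, pan in rows:
            digits = re.sub(r"[\s-]", "", pan or "")
            # A masked value such as 4111XXXXXXXX1111 is not all digits.
            if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
                findings.append(("full_pan", "cc_number", order_id))  # detail = order id
    return findings


def build_sample_db():
    """Constructed data: one masked order, one storing a full PAN and a CVV."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orders_id INTEGER PRIMARY KEY, "
                 "cc_type TEXT, cc_owner TEXT, cc_number TEXT, "
                 "cc_expires TEXT, cc_cvv TEXT)")  # cc_cvv: hypothetical name
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Visa", "test person", "4111XXXXXXXX1111", "0111", ""),
        (2, "Visa", "test person", "4111111111111111", "0111", "123"),
    ])
    return conn


if __name__ == "__main__":
    for finding in audit_orders(build_sample_db()):
        print(finding)
```

The findings carry only the column name and the order id or row count, so the audit output itself never repeats a card number or CVV.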

  • 2 weeks later...

So is there a contribution for v 2.3 to collect the card number so it can be entered manually into an existing merchant account/terminal (without the cvv)?

 

I know in v2.2 there is a contribution (I think it may be this one) that splits the card # and stores the first 4 and the last 4 #'s in the db and then emails the middle 8 digits, that way the whole number is not stored. Is there a contribution like that for v2.3?

 

I haven't upgraded to v2.3 yet and I have been considering it the past few days, but I already have a merchant account in my store and getting a separate one just for the osc site doesn't make sense to me (if you are even allowed to have two merchant accounts)

Link to comment
Share on other sites

@@ggrant3,

 

The contribution for 2.2 could be updated for use with v2.3.1, HOWEVER when the contribution for v2.2 was created there was no LAW against the collection and processing of credit card information. The contribution use is NOT suggested. Read about PCI DSS compliance here. It may vary slightly depending on the state/province you are located in, but the basics are presented in that link.

 

 

Chris

Link to comment
Share on other sites

Close to any 2.2 module can be made to work with 2.3.1, but in most cases you don't need to get a new "merchant account", you can simply talk to your current provider and ask them about also using it with an online shop and what payment gateways they are compatible with....

Link to comment
Share on other sites

Right now I am just using Paypal's virtual terminal. That way I can process someone in front of me or a mail/phone/website order.

 

So I guess it would be safe to assume that osc has a contribution that would use my paypal account to automatically process a site order, right? I just get overwhelmed trying to figure out all the terminology and getting everything setup, although I may very well be making it out to be harder than it really is.

 

I just want it "seamless" for the customer because I used to use some kind of Paypal payment system they have (with my old html site) and when a customer got to the payment process they got confused because they were getting redirected to Paypal's site. And they got nervous or said they didn't want to pay via Paypal (thinking Paypal itself was their only option), because it would show a login screen for Paypal and have a very small text link saying they could pay without logging in or creating a Paypal account, but it confused at least 80% of my customers.

 

Is there a straightforward (proven to work fine, without bugs) Paypal integrated payment contribution, that you could recommend? Or is that built into osc already maybe?

Link to comment
Share on other sites

  • 2 weeks later...

Okay so I need a little more clarification with this.

 

I see collecting the CVV is bad. In the contribution that I have, there is an option to turn the CVV requirement on/off. So I have it set to off now.

 

But is it still considered "bad/illegal" to have the customer enter their credit card information onto my site and then have the middle 8 digits stripped from the order and emailed to me separately so I can manually enter their credit card information (like a phone order would be processed)? Since nothing crucial is then stored on the database (only the first and last 4 digits and the exp date, which would be useless) is this okay or not okay?

Link to comment
Share on other sites
