Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

All Payments Processed Offline


Art Clay World

Recommended Posts

We have decided to implement osCommerce on our website, but we do not want to process any payments directly online. We would rather receive all order information including payment type (MC, VISA, AMEX, DISC, PayPal, Check, Money Order, etc.) and payment information. I'm sure you're going to ask why, and the reason is simple. We have an internal accounting software that we HAVE to enter all order information into and it has it's own payment gateway and virtual terminal. Since we have to enter all the information, we would rather receive only the order information and process it through the accounting software. This also allows us to modify any pricing or order totals before processing the payment. In addition, it allows other businesses that have "net terms" or that pay by check to use the shopping cart but not have to pay at the time the order is submitted.

 

So, the question is there a module that has been created that bypasses the payment processing or is this as simple as not setting up the payment processing portion of osCommerce?

 

Any advice or assitance is greatly appreciated!

 

Mike

Link to comment
Share on other sites

We have decided to implement osCommerce on our website, but we do not want to process any payments directly online. We would rather receive all order information including payment type (MC, VISA, AMEX, DISC, PayPal, Check, Money Order, etc.) and payment information. I'm sure you're going to ask why, and the reason is simple. We have an internal accounting software that we HAVE to enter all order information into and it has it's own payment gateway and virtual terminal. Since we have to enter all the information, we would rather receive only the order information and process it through the accounting software. This also allows us to modify any pricing or order totals before processing the payment. In addition, it allows other businesses that have "net terms" or that pay by check to use the shopping cart but not have to pay at the time the order is submitted.

 

So, the question is there a module that has been created that bypasses the payment processing or is this as simple as not setting up the payment processing portion of osCommerce?

 

Any advice or assitance is greatly appreciated!

 

Mike

 

Bump as I'm after the same thing

Link to comment
Share on other sites

If you wish to store any CC info your server must be PCI compliant - read this post for more information about it.

 

You will also need permission from your acquiring bank to process "e-commerce" transactions as a "CNP" (card holder not present) order - many do not permit this.

 

If you are going to do what you propose you would also prevent cardholders from using 3D-Secure (Verified by Visa / Mastercard Securecode) which would normally remove the liability in the case of fraud from your business.

 

If your concern is that the order value may change at the time of shipping almost all online payment gateways allow you to process the transaction as a shadow so that the card is authorised but no money taken until you choose to "release" the payment (at which point you can change the value of the transaction).

 

It is cheap, safer, more secure, more convienent etc in the long term to go with a direct online processing solution

Link to comment
Share on other sites

If you want to run the credit card own your own then go to your admin and under payment modules, just select "Credit Card (not for production use)". Don't worry about the not for production use part. When someone buys something you will be emailed that you have an order and it will give you the items and price in the email. Then you can go to the admin and find the type of card, card number, expiration date, and more.

Link to comment
Share on other sites

and then you get sued for tens of thousands for storing CC info in a none compliant way that is open to anyone to help themselves to fraudulently.

 

The rules are there to protect everyone - follow them

Link to comment
Share on other sites

  • 4 weeks later...
We have decided to implement osCommerce on our website, but we do not want to process any payments directly online.

So, the question is there a module that has been created that bypasses the payment processing or is this as simple as not setting up the payment processing portion of osCommerce?

Any advice or assitance is greatly appreciated!

Mike

Hello Mike,

did you have any successful replies to this post, I also need to have the customer place his order without any payment processing.

We wholesale to a special customer base with individual invoicing procedures. I can't see this as being particularly unusual.

This has got to be possible - why don't any of the cms shop systems seem to have this facility.

regards - spike

Link to comment
Share on other sites

Hello Mike,

did you have any successful replies to this post, I also need to have the customer place his order without any payment processing.

We wholesale to a special customer base with individual invoicing procedures. I can't see this as being particularly unusual.

This has got to be possible - why don't any of the cms shop systems seem to have this facility.

regards - spike

 

Hey Spike,

 

Unfortunately, no I haven't had any reasonable responses. I understand everyone's concerns about security, but I don't think that they realize exactly what I'm trying to do. Although, you would figure that there are more than a few stores out there that still utilize a SSL for encrypting the data transmission. Actually, our current shopping cart splits the information so that it splits the payment information into an email with the expiration date and verification code, whereas the card number is encrypted in the database. We actually have some pretty extreme security controls.

 

The long and short, no help yet. I'll keep everyone posted if I figure something out or get any good advice.

Link to comment
Share on other sites

splits the payment information into an email with the expiration date and verification code,

Firstly, email is the most insecure system possible.

Secondly, you are not allowed to store the verification code (CVV code) at all

Thirdly, encryption is not enough to protect the credit card number. Is your site PCI compliant (dedicated db server with physical and software access restriction etc) and certified as such?

 

If, because of complex requirements, you don't wish to charge the customer at the time the order is placed then simply use an online gateway to create a deferred transaction (i.e. a shadow transaction that authenticates the card), which can be released to the correct order value when you are ready - security issues solved!

Link to comment
Share on other sites

Ok, I've decided to give a better explanation...

 

We want to use the shopping cart in a standard matter, however, when it comes to the payment processing, we DO NOT want the card to be authorized or captured. We want to do the authorization and capturing through a separate processing unit that does not have a website integration feature. We would still use and SSL and follow every other standard procedure of the shopping cart.

 

Hopefully this explains the circumstances better. We in no way want to collect and store billing information.

Link to comment
Share on other sites

I would like to do the same thing. We have a credit card terminal, and all our customers pick up their items. but we would like to be able to get their payment info online.

 

the built in system does not work i guess? i thought the idea of storing part of the card in the DB and part sent in email would not be bad. We would delete the card info from the databsae as soon as the card was processed.

 

if the built in system is no good for that, is there some way for us to do this? basically the requirement is to use our credit card machine. that is the only requirement.

Link to comment
Share on other sites

For everyone looking into this, you must have missed the post a few posts back stating to use the credit card processing (not for production use) module in payment options. This will store credit card information.

 

You will not be PCI compliant, but it you will be able to store them without the card being processed online. You will see the credit card information on each order. I would suggest you at least remove the cc information daily after you are finished entering the information.

 

Oh yeah, I would not at all advise this, but there you go.

Link to comment
Share on other sites

For everyone looking into this, you must have missed the post a few posts back stating to use the credit card processing (not for production use) module in payment options. This will store credit card information.

 

You will not be PCI compliant, but it you will be able to store them without the card being processed online. You will see the credit card information on each order. I would suggest you at least remove the cc information daily after you are finished entering the information.

 

Oh yeah, I would not at all advise this, but there you go.

 

i didnt miss it, its just that it doesnt work.

 

i always get the error:

 

The first four digits of the number entered are: 5231<br>If that number is correct, we do not accept that type of credit card.<br>If it is wrong, please try again.

 

I have been using real numbers and they dont work. plus i dont know why i am getting that <br> in there.

Link to comment
Share on other sites

The first four digits of the number entered are: 5231<br>If that number is correct, we do not accept that type of credit card.<br>If it is wrong, please try again.

 

What version of osC are you using. Also please post your cc_validation.php class.

 

plus i dont know why i am getting that <br> in there.

 

The <br> is in the error string returned by cc_validation.php. This in my opinion is a flaw in the osC payment module. I have fixed this on my site by storing errors in a session variable rather than returning them in the url. This way I was able to format the error and get rid of the <br> nonsense.

Link to comment
Share on other sites

What version of osC are you using. Also please post your cc_validation.php class.

 

 

 

The <br> is in the error string returned by cc_validation.php. This in my opinion is a flaw in the osC payment module. I have fixed this on my site by storing errors in a session variable rather than returning them in the url. This way I was able to format the error and get rid of the <br> nonsense.

 

its 2.2-ms2

 

and the file contents are:

 

<?php
/*
 $Id: cc_validation.php,v 1.3 2003/02/12 20:43:41 hpdl Exp $

 osCommerce, Open Source E-Commerce Solutions
 [url="http://www.oscommerce.com"]http://www.oscommerce.com[/url]

 Copyright © 2003 osCommerce

 Released under the GNU General Public License
*/

 class cc_validation {
   var $cc_type, $cc_number, $cc_expiry_month, $cc_expiry_year;

   function validate($number, $expiry_m, $expiry_y) {
     $this->cc_number = ereg_replace('[^0-9]', '', $number);

     if (ereg('^4[0-9]{12}([0-9]{3})?$', $this->cc_number)) {
       $this->cc_type = 'Visa';
     } elseif (ereg('^5[1-5][0-9]{14}$', $this->cc_number)) {
       $this->cc_type = 'Master Card';
     } elseif (ereg('^3[47][0-9]{13}$', $this->cc_number)) {
       $this->cc_type = 'American Express';
     } elseif (ereg('^3(0[0-5]|[68][0-9])[0-9]{11}$', $this->cc_number)) {
       $this->cc_type = 'Diners Club';
     } elseif (ereg('^6011[0-9]{12}$', $this->cc_number)) {
       $this->cc_type = 'Discover';
 } elseif (ereg('^(3[0-9]{4}|2131|1800)[0-9]{11}$', $this->cc_number)) {
       $this->cc_type = 'JCB';
     } elseif (ereg('^5610[0-9]{12}$', $this->cc_number)) {
       $this->cc_type = 'Australian BankCard';
     } else {
       return -1;
     }

if (is_numeric($expiry_m) && ($expiry_m > 0) && ($expiry_m < 13)) {
       $this->cc_expiry_month = $expiry_m;
     } else {
       return -2;
     }

     $current_year = date('Y');
     $expiry_y = substr($current_year, 0, 2) . $expiry_y;
     if (is_numeric($expiry_y) && ($expiry_y >= $current_year) && ($expiry_y <= ($current_year + 10))) {
       $this->cc_expiry_year = $expiry_y;
     } else {
       return -3;
     }

     if ($expiry_y == $current_year) {
       if ($expiry_m < date('n')) {
         return -4;
       }
   }

     return $this->is_valid();
   }

   function is_valid() {
     $cardNumber = strrev($this->cc_number);
     $numSum = 0;

     for ($i=0; $i<strlen($cardNumber); $i++) {
       $currentNum = substr($cardNumber, $i, 1);

// Double every second digit
       if ($i % 2 == 1) {
         $currentNum *= 2;
       }

// Add digits of 2-digit numbers together
  if ($currentNum > 9) {
         $firstNum = $currentNum % 10;
         $secondNum = ($currentNum - $firstNum) / 10;
         $currentNum = $firstNum + $secondNum;
       }

       $numSum += $currentNum;
     }

// If the total has no remainder it's OK
     return ($numSum % 10 == 0);
   }
 }
?>

 

 

i tried a legit MC and a legit Amex number to test and they didnt work. (just changed a couple of the middle numbers) but left the first 4 the same, but it says the first 4 are no good

 

you are using this CC module? everyone is saying how bad it is to use it....

 

EDIT: i just realized that the error about the first 4 numbers only comes up when i put the card number in with too many digits. if i put a real card number in, with the correct digits, it says "The credit card number entered is invalid.<br>Please check the number and try again."

 

also i was able to just remove the <br>'s from the error by editing includes/languages/english.php

Edited by mike240se
Link to comment
Share on other sites

EDIT: i just realized that the error about the first 4 numbers only comes up when i put the card number in with too many digits. if i put a real card number in, with the correct digits, it says "The credit card number entered is invalid.<br>Please check the number and try again." also i was able to just remove the <br>'s from the error by editing includes/languages/english.php

Help BB Code Help

Help Toggle Side Panel

Link to comment
Share on other sites

OK i realized the problem. so dumb on my part, i thought as long as the first 4 were ok, i could change the other numbers around. didnt realize there was a formula to make sure a card number was valid. i used a valid expired card i have and it worked.

 

the only thing is, even though i put an email in the module, it didnt email the middle digits to that address.

 

now i assume it would be crazy to use this module without SSL right?

 

would i need a shared or private ssl? i have hostgator, i think they offer a shared ssl which they say is used to take cc purchases. so would that work?

Link to comment
Share on other sites

What part of not for production use are people having difficulty understanding?

 

 

Hi Tom,

 

I did not see, "not for production use" in the "Credit Card" module. Are you saying that this module doesn't work on an active site? Sorry for the misunderstanding.

 

 

 

-Sean

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...