
Credit card encryption add-on



Has anyone added the add-on for credit card encryption? I am trying to set it up but ran into a fatal error message.

Fatal error: Call to undefined function md5_encrypt() mysite/oscommerce/admin/encrypt_ccnum.php on line 61. Can anyone offer any suggestions?

Pat


If your site handles CC#'s you must be PCI Compliant

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


We don't process them ourselves, but we do accept them; we use authorizenet. I still want to be safe though. So I need to find out how to fix that error. There is no support group for this add-on, or at least none is mentioned in the instructions.

Pat


What Authorize.NET module are you using? You should NOT have any credit card information to encrypt since the CC info is not saved in your local database. You only need to pass the CC info to Authorize.NET and they save it in their system. As I'm sure you know, saving CC information on your local server puts you in a precarious position of having to maintain a very high level of security for that information.

 

We also use Authorize.NET and have absolutely no reason to save CC info. Almost any type of operation, recharging, refunding, voiding can all be done thru Authorize.NET's virtual terminal.

 

If your payment module is properly installed, the only thing you should see in your local database is 'Authorize.Net Payment' or some other terminology under the payment_method in your ORDERS table. You shouldn't see any CC information, or at VERY MOST some type of washed CC info like *5678 for the CC number.

 

Sorry, not trying to preach but be very careful about saving CC info. It can turn real ugly REAL fast. No matter how good you are at securing your info, be sure there is someone out there who knows more or is more determined to steal it.

 

Frank


Thanks Frank, I fully agree, but for some reason there is a place in my database for CC numbers. I tried to just remove the row from the database but ran into other trouble, so I had to put it back. Do you have any suggestions on how I can keep them off my database or encrypt them?

Pat


The DB on the site I manage has places reserved for CC info but it's all blank because the owner uses Paypal.

 

As long as it's blank it doesn't count.


Thanks Jim, that is where my problem lies. Mind you, it could be because it was just a test run and authorizenet was still in test mode. I'm just shooting in the dark here, but maybe because authorizenet does not process, reject or approve the CC it stays on my server. I do know that I am in test mode and can't go live till I am sure I have this fixed, but I do know if I bring up the order in admin I can see the full CC number. Please offer some suggestions on how to fix this.

Pat


Pat,

 

You have a number of possibilities. The easiest, although you may not want to do it since you have already invested time in testing, is to install another Authorize.NET payment module. There are a number in the contributes area and most will not save the CC information. We use the module that came with the MS2.2 version of OScommerce.

 

The install usually only consists of replacing 2 files the

/catalog/includes/modules/payment/authorizenet.php

/catalog/includes/languages/english/modules/payment/authorizenet.php

 

they may be called something slightly different depending on what module you are using, also don't forget to replace any additional language files.

 

The other possibility..NOT the best solution.. is to change the /catalog/checkout_process.php and tell it to write a BLANK to the orders DB.

edit /catalog/checkout_process.php and find around line 91

MAKE SURE YOU SAVE A BACKUP FIRST....it's always better to be safe than to be sorry.

 

'cc_number' => $order->info['cc_number'],

 

change to (2 lines, just to save the original code)

// 'cc_number' => $order->info['cc_number'],

'cc_number' => NULL,

 

This will write NULL (nothing) to the cc_number; any CC information you should need will be on the Authorize.NET website. Encrypting the CC numbers involves both encrypting them and also decrypting them, so there are a number of other web pages that would need to be changed in addition to adding the necessary encrypt/decrypt functions.

 

Feel free to ask any questions; if you need better directions, just ask.

Frank
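
A way to check the result of either change Frank describes, as an added example that is not part of the original thread, osCommerce, or the add-on: it flags order rows whose cc_number still holds a full card number and shows the washed *5678 form. The function names, the orders_id column and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example, not osCommerce or add-on code. The rows below are constructed
// test data shaped like the ORDERS table columns named in the thread.

// Luhn checksum: true when the digit string is a plausible card number.
function luhn_valid(string $digits): bool
{
    $sum = 0;
    for ($i = strlen($digits) - 1, $double = false; $i >= 0; $i--, $double = !$double) {
        $d = (int) $digits[$i] * ($double ? 2 : 1);
        $sum += $d > 9 ? $d - 9 : $d;
    }
    return $sum % 10 === 0;
}

// Reduce a card number to the washed form (an asterisk plus the last four digits).
function wash_cc_number(?string $cc): ?string
{
    $digits = preg_replace('/\D/', '', (string) $cc);
    return strlen($digits) >= 4 ? '*' . substr($digits, -4) : null;
}

// Return the ids of rows whose cc_number still holds a full card number.
function find_stored_pans(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        $digits = preg_replace('/\D/', '', (string) ($row['cc_number'] ?? ''));
        $len = strlen($digits);
        // Card numbers are 13 to 19 digits; the Luhn check filters out other digit runs.
        if ($len >= 13 && $len <= 19 && luhn_valid($digits)) {
            $hits[] = $row['orders_id'];
        }
    }
    return $hits;
}

// Constructed rows: 4111111111111111 is a widely published test card number.
$rows = [
    ['orders_id' => 1, 'payment_method' => 'Authorize.Net Payment', 'cc_number' => '4111 1111 1111 1111'],
    ['orders_id' => 2, 'payment_method' => 'Authorize.Net Payment', 'cc_number' => '*5678'],
    ['orders_id' => 3, 'payment_method' => 'Authorize.Net Payment', 'cc_number' => null],
];

print_r(find_stored_pans($rows));                      // ids of rows to clean up
echo wash_cc_number('4111 1111 1111 1111'), "\n";      // washed replacement value
```

Rows that already hold a washed value or NULL are not reported, so running the same check after a test order shows whether the payment module or the checkout_process.php change is keeping full numbers out of the table.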


Thanks Frank, so I only need to make that change to one file? I am using the authorizenet module that came with ver. 2.2 rc2a. When I change that code it will not prevent the numbers from being submitted to authorizenet correct?

Pat


Frank, I found a few, but which is better, AIM or SIM? I have the SIM in use right now; maybe that is my trouble. I also found one that is the latest release, Authorize.Net AIM (PCI DSS SSL V3). Which do you recommend?

Pat


 

Authorize.NET will recommend using AIM. AIM is better because it creates a secure connection between your web site (server) and Authorize.NET. The SIM uses several different security features that are built into it. Both require an SSL certificate, so I would go with an AIM module.

 

There are requirements to using AIM though: you need to have an SSL certificate installed on your server. If you are on a shared server with other websites, your host probably already has a shared certificate on that server that you can use. This is simple but it does have drawbacks, because this certificate is shared by everyone on your server. You can also purchase your own SSL certificate and install it; you will need to have a dedicated IP address to do this. Make sure that these are options your host can provide and that they are within your budget.

 

You may want to look at this AIM contrib... it is simply 2 files(1 more for any language in addition to english)

http://addons.oscommerce.com/info/5662

 

Let me know if you need any assistance.

Frank


Oops, sorry I missed this post when I replied. If you add a new payment module, run some test transactions first and maybe even a SMALL live transaction. The CC info with a new module should not be there. If it is, the change I mentioned will only affect what is being written to the DB. Like I said, ALWAYS back up files before changing them...better to be safe than sorry.

 

Frank


Thanks Frank. I am deleting the old Authorizenet now and installing the new one. I also need to make the changes to the config files for SSL. I tried to find out about buying a dedicated one but my host won't let me do that. ;-( I will let you know how it goes unless you have pointers on the config files. I have read the 1, 2, 3 instructions but ended up more confused. Some put in 4 lines; others, it seems, put in 20 lines.

Pat
