osCommerce

Old credit card type method


andrewdegenhardt

I installed osCommerce sometime in 2008, and this particular version of osCommerce had a payment type where the customer could type in their credit card #, expiry, name, billing address and then the store owner could take that number and run it on a portable debit machine. One of my clients used to do the online store that way and I never set up PayPal for the site. But now I can't see that payment option in the list of modules. Is it no longer available? Can I find this module and install it?


Andrew,

Stores that are going to accept credit card information are now required (in most states/provinces) to be PCI DSS compliant. This is a COSTLY certification with strenuous requirements on both the code and the hosting server. To most, this added cost (said to be between $7000-$10000) is not worth the cost and MANY ecommerce store owners now look to online payment services such as PayPal, Authorize.net and Sage Pay.

Therefore the CC module is no longer available in v2.3.x.

Chris


Chris- I'm a bit confused here. Why would you limit functionality of a system or deprecate functionality because there are many users who don't need it, even though you have many existing users who do?

I understand compliance and security needs and fully support them- but just saying 'a lotta users don't need it' or 'shouldn't use it because third party says so' doesn't really cut it in the open source community. Also it should be noted that the features page of osc says specifically that offline payments - credit card is available in milestone releases.


> Chris- I'm a bit confused here.

Me too. But the reason is far different. In an open source eCommerce solution like osCommerce it is often used by nontechnical persons that have not even built their first web site, let alone a solution that has the potential to collect personal information and credit card details waiting to be stolen by the first hacker that comes along.

Not to mention that the credit card module that is shipped with previous osC releases specifically said 'Not for Production Use' and it was ignored by many and thus there are tons of hacked online stores out there just waiting for me to put in my credit card details...

It is rather simple. The osC developers do not wish to continue to add to the massive amount of credit card fraud going on in this world. If you want a solution to accept credit cards yourself, and wish to subject yourself to the tens of thousands of dollars in fines, or potentially violate your credit card processing agreement by taking online payments when your agreement does not provide for it, then there are OPEN SOURCE credit card modules out there, or you can code your own. The open source community has no obligation to provide you with one.


  • 2 weeks later...

I've read through the PCI DSS compliance rules, and forgive me if this is incorrect, but I don't think they apply to folks who were using the "split credit card number" method and saving only a certain number of digits to their database. For example, I believe the PCI DSS states that it's perfectly acceptable to actually keep and even DISPLAY to the customer the first 6 and last 4 digits of a credit card number.

I realize that some people were just being absolute idiots and storing entire credit card numbers in an unencrypted database, but shouldn't the split option still be included?


Joe,

If the credit card number is obtained and stored complete at any point, then you need to be PCI DSS compliant. So, in the order you receive, you get all numbers except the middle 8 and can view them from your local machine. You then receive an email identifying that order and customer with the remaining 8 digits. Now, the credit card information is complete and requires PCI DSS compliance.

I am sure there are ways to skirt around the compliance process, but I wouldn't. I personally know of a company located in the southern USA that was fined $80,000 for non-compliance and after he went through that process, he was sued in civil court by the customers whose information was stolen from his website. Needless to say, he is no longer in business anymore.

The benefits of accepting credit cards in this manner are not worth the risk.

Chris


> If the credit card number is obtained and stored complete at any point, then you need to be PCI DSS compliant. So, in the order you receive, you get all numbers except the middle 8 and can view them from your local machine. You then receive an email identifying that order and customer with the remaining 8 digits. Now, the credit card information is complete and requires PCI DSS compliance.

I get your point, but the credit card number is not being stored as complete at any point in this process. Just because I can see an email on my screen, and see a web browser page on my screen at the same time in no way means that these items are stored together. The numbers are still separate. One is stored on my local machine, or an alternate email server. The other number is stored in a MySQL database on a different server.

The PCI DSS specifically states that the entire number cannot be stored digitally at any one server. This is not storing the number at one server.


  • 1 month later...

> I get your point, but the credit card number is not being stored as complete at any point in this process. Just because I can see an email on my screen, and see a web browser page on my screen at the same time in no way means that these items are stored together. The numbers are still separate. One is stored on my local machine, or an alternate email server. The other number is stored in a MySQL database on a different server.
>
> The PCI DSS specifically states that the entire number cannot be stored digitally at any one server. This is not storing the number at one server.

So have we found a solution to this yet? I have an osCommerce solution set up on a customer of mine's site, and I need to get it live within the next few days. And this is exactly how I need it set up. Is there a solution to this? Please someone tell me there is.


The solution is: apply to become PCI DSS compliant OR use an online payment processor like Authorize.net, PayPal, Linkpoint or Beanstream.

Chris


  • 1 month later...

Chris is correct.

If your site so much as touches credit card data then it needs to be PCI DSS compliant. It doesn't matter if the card numbers are truncated (broken up), it doesn't matter what type of encryption you have, it doesn't matter what SSL you have, it doesn't matter even if the card details are being sent off to a gateway for processing. Only PCI Compliance certification makes you PCI compliant. And trust me you don't want to risk it.

However, the solution for your particular issue is a lot easier than you think. Take a look at http://e-path.com.au. e-Path is a PCI DSS compliant manual payment gateway - I think ideal for what you are wanting to stay doing.

I like the manual method myself. It's cheap, I stay in control over things, I can use my existing merchant terminal to charge cards and as far as what I do online goes I'm now PCI compliant.

Cheers

HP
