
which payment module do you use in your shop ?


Hi, I'm not sure if this is the best page to pose this question, but this forum page has more recent posts than some of the other ones I looked at.

I'm working on BS Edge with PHP7.2 and am trying to figure out what credit card payment module to install. MS2.2 had the following payment module in /includes/modules/payment/cc.php ..however, BS edge and later versions do not have this file.

So, ..do I update that file and install it in BS Edge or is there a simpler Credit Card module solution? Does anyone know?

osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce


I'm not sure that the CC module is legal.  It stores unencrypted copies of the credit card number in your database.  So I don't think that it is PCI compliant. 

And beyond that, it doesn't authorize the card. 

If your credit card processor allows online transactions, they should tell you what gateway to use.  That processor should automatically authorize the payment (capture can be done manually).  You should never store credit card details.  At most they pass through you on the way to the processor. 


Always back up before making changes.

Quote

I'm not sure that the CC module is legal.  It stores unencrypted copies of the credit card number in your database.  So I don't think that it is PCI compliant. 

And beyond that, it doesn't authorize the card. 

If your credit card processor allows online transactions, they should tell you what gateway to use.  That processor should automatically authorize the payment (capture can be done manually).  You should never store credit card details.  At most they pass through you on the way to the processor. 

Hi Matt,

I think that MS2.2 payment module stored CC numbers in the database, but not any CVV or CVC2. PCI compliance prohibits storing these numbers but not the CC numbers, otherwise sites like Amazon and eBay (and many others) would require you to enter your CC number each time you make a purchase. 

So, as I understand it, I have to select a merchant account first and then apply a module for that account from the payment modules list to be able to process cards? I don't think this was the case with MS2.2 ..What if I just want to use a CC module to test it and different features related to it without selecting a merchant account?

What I am saying is that the payment gateway was separate from the CC module and you could previously install that module and manage it without actually processing payments via a gateway. Is this no longer the case?

Edited by Demitry

4 hours ago, Demitry said:

PCI compliance prohibits storing these numbers but not the CC numbers, otherwise sites like Amazon and eBay (and many others) would require you to enter your CC number each time you make a purchase. 

But they have to be stored separately, in an encrypted table, possibly in a separate database.  For example, at Amazon.com they are stored in what are called the credit card motels.  The CC motels are not on the internet.  To access them, Amazon.com has special servers that communicate with the motels via serial ports (actual physical cables).  And while those servers are also networked, they are deep behind the Amazon firewalls. 

The osCommerce CC module didn't do any of that.  It would be possible to do that, but that's not the right module.  And I don't know that anyone is going to write such a module, as the requirements are stringent and the liability is high. 

And it's not actually required to store the CC number in order to access the credit card for repeat purchases.  It is also possible to store just a reference to the credit card.  Then Visa or MC or whatever can bill the right account.  They just need to track which of these identifiers are associated with which account.  That's strictly safer, as the credit card info only needs to be given once and is never stored at all (except possibly for the last four digits, which are often used for identification).  It's even possible that Amazon.com does it that way now.  I don't know what has happened there since 2008. 

Meanwhile, any payment processor is now responsible for seeing that merchants are PCI compliant.  So rather than have you take the credit card details and then communicate the information with them manually, they are going to want to see a whole system that processes the information in an automated fashion.  Usually they do this by giving you a payment gateway to use and asking you to integrate with it either by passing the credit card information immediately or by switching the customer to them to collect the credit card details. 

The days of taking the credit card information and then typing it into the machine or phoning them in for authorization should be over.  Payment processors should keep you from doing that now, partially by requiring a CSC/CVV, which as you note, should never be stored. 

5 hours ago, Demitry said:

What if I just want to use a CC module to test it and different features related to it without selecting a merchant account?

Well, go ahead.  But you still need to get someone to answer the authorization requests, possibly with a test server.  I used to have several accounts for that, e.g. on PayPal's sandbox and Authorize.net's test servers.  It may be possible for you to sign up for them, although it's my understanding that the requirements have been getting more and more stringent.  And that would then limit you to payment processors who support that particular gateway.  For example, PayPal is the only processor that uses the PayPal gateway for authorizations.  Authorize.net covers more processors, but not every processor (for example, I don't believe that you can use Authorize.net with PayPal as the processor). 


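As an added illustration of the "store only a reference" approach Matt describes (example code written for this thread, not from osCommerce or any of its modules): a small PHP guard, in the shape an osCommerce module could use before tep_db_perform(), that refuses to persist a row holding a full card number, next to the token-only row a gateway integration would keep. Function names, field names and the gateway response layout are assumptions.

```php
<?php
// Added example (not osCommerce code): keep only what the gateway hands back, refuse to write a full PAN.

// Luhn checksum, used here only to recognise card-number-shaped digit runs.
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// True if any value in the row looks like a full card number:
// 13 to 19 digits once spaces and dashes are removed, and Luhn-valid.
function contains_pan(array $row): bool
{
    foreach ($row as $value) {
        $digits = preg_replace('/[\s-]/', '', (string) $value);
        if (preg_match('/^\d{13,19}$/', $digits) && luhn_valid($digits)) {
            return true;
        }
    }
    return false;
}

// Row a tokenising module would keep: gateway reference, brand, last four, expiry.
// Field names are hypothetical; real gateway responses differ.
function storable_card_row(array $gateway_response): array
{
    return [
        'cc_type'    => $gateway_response['brand'],
        'cc_token'   => $gateway_response['token'],
        'cc_last4'   => $gateway_response['last4'],
        'cc_expires' => $gateway_response['exp'],
    ];
}

// Guard to call before the insert (tep_db_perform() in a real osCommerce module).
function safe_to_store(array $row): bool
{
    if (contains_pan($row)) {
        error_log('refused: row contains a full card number');
        return false;
    }
    return true;
}
// Constructed sample data using the well-known Visa test number.
$pan = '4111 1111 1111 1111';
$cc_php_style = ['cc_number' => $pan, 'cc_expires' => '1225']; // the shape cc.php keeps
$tokenised = storable_card_row(['brand' => 'Visa', 'token' => 'tok_EXAMPLE',
                                'last4' => '1111', 'exp' => '1225']);
var_dump(safe_to_store($cc_php_style)); // rejected: full PAN present
var_dump(safe_to_store($tokenised));    // accepted: token and last four only
```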
Quote

But they have to be stored separately, in an encrypted table, possibly in a separate database.  For example, at Amazon.com they are stored in what are called the credit card motels.  The CC motels are not on the internet.  To access them, Amazon.com has special servers that communicate with the motels via serial ports (actual physical cables).  And while those servers are also networked, they are deep behind the Amazon firewalls. 

Thank you for the explanation, Matt. I was not aware of all that.

So, basically I need to sign up for a gateway / merchant account first, ..then install and modify the available osC credit card payment module that is made for that account?


@Demitry The authorize.net CIM module is meant for this purpose. But it does require an account with them and, I think, there is an extra charge for that option. So the charges for using that module may prevent it from being a good solution.

Quote

The authorize.net CIM module is meant for this purpose. But it does require an account with them and, I think, there is an extra charge for that option. So the charges for using that module may prevent it from being a good solution.

Thanks Jack, I'll take a look at it. I'll see if they have some sort of a sandbox option for testing prior to going live, ..preferably one that is free to test. I really did not want to use authorize.net as the merchant account/gateway, but will see.

Edited by Demitry


Paypal Express Checkout and Stripe on my existing 2.3.4 store.

Paypal Express Checkout (app) and Stripe SCA on Phoenix 1.0.4.0, but haven't switched over yet (getting real close, though!).


The most used is post payment ("Contra reembolso", cod.php); the cost applied to the customer is around 2-3% depending on the carrier.
The problem with this option is that if the customer rejects the order you lose the cost of shipping plus the commission.

The second is credit card offline processing, cc.php, but it is not in Phoenix, which no longer has this payment option.
In the old version you could combine it with encrypted numbers:
https://apps.oscommerce.com/6k8vd&credit-card-number-encryption
https://apps.oscommerce.com/PO2Xr&gpg-credit-card-encryption-0-94-english
https://apps.oscommerce.com/9nDgB&encrypted-credit-card-with-cvv2

And use a numbers cleaner, https://apps.oscommerce.com/czuzW&credit-card-numbers-cleaner,
to clear them after use.

We use this method because the store does not have SSL and does not meet the requirements for direct bank processing,
so we have the option of payment by telephone; the risk is always ours. In 15 years, 5 attempts, only 1 lost.

I know this method is insecure both for the client and for us, but it is required for now.
The cost for offline processing is only 0.30% and is not applied to the customer.
And the Redsys credit card module has not been ported to Phoenix either.

The third is bank transfer at 0%.

And the last is collect in store at 0%.

We never use PayPal because it has high commissions, many customers use buyer protection for disputes, and PayPal trusts the customer before the store,
but really many people only want to pay with PayPal because of this protection.


@domiosc

Hi Vicent,

Thank you for that information. Actually, I redid the old Credit Card module (cc.php) for BS Edge. I have not tested it yet, but it should work for what I'm looking to do before actually getting a merchant account.

Quote

But they have to be stored separately, in an encrypted table, possibly in a separate database.  For example, at Amazon.com they are stored in what are called the credit card motels.  The CC motels are not on the internet.  To access them, Amazon.com has special servers that communicate with the motels via serial ports (actual physical cables).  And while those servers are also networked, they are deep behind the Amazon firewalls. 

Hi Matt,

I took a look at the customers database table and even in the latest version of Phoenix there is a column for credit card numbers. I'm not sure if these are now encrypted or, as per Vicent, you still have to get a separate addon installed for that. Anyway, having these in the customers table does not kill the PCI compliance. I ran a PCI compliance test on my BS Edge site on https://www.immuniweb.com and it came back with everything good except for the Content Security Policy, which goes in the main htaccess file. See screenshot below.

@Jack_mcs

Hi Jack,

From our prior conversation, you mentioned that the Credit Card module was removed for PCI non-compliance; however, I ran a test with that module redone for BS Edge on https://www.immuniweb.com and it came back clean for PCI compliance. I'm not sure if there is something else that was the cause, but I just wanted to let you know my findings.

[screenshot: PCI-Test.png]

7 hours ago, Demitry said:

From our prior conversation, you mentioned that the Credit Card module was removed for PCI non-compliance, however, I ran a test with that module redone for BS Edge on https://www.immuniweb.com and it came back clean for PCI compliance. I'm not sure if there is something else that was the cause, but I just wanted to let you know my findings.

If you have a PCI company perform the scan, you have to tell them you do not store cc data on the server, which the cc module does. If you are truthful and say that you do, there are many other questions involved regarding the security of the server and your site. A web site like the one you mention probably can't address all of those issues. And if you ended up in a dispute with a cc company, saying you passed that site's test would probably not count for anything.

If you don't have a PCI company perform a scan, then you can do what you want. You will still be responsible for fraudulent orders, and the penalties could be severe, but that is a decision the shop owner has to make. As mentioned previously, a number of my clients use the cc module. The savings in cost for cc processing is substantial for busy sites and as long as the split option is used in the module, it should be safe.

15 hours ago, Demitry said:

Actually, I redid the old Credit Card module (cc.php) for BS Edge. I have not tested it yet, but it should work for what I'm looking to do before actually getting a merchant account.

@Demitry do you plan to release your version?
To add more security it needs to implement encryption and clearing, or be combined with other apps.

Quote

If you have a PCI company perform the scan, you have to tell them you do not store cc data on the server, which the cc module does.

Jack, thank you for the explanation. The CC module adds only the card number, expiration date, and card type to the customers database table, but so do the other CC processing modules. And even the latest version of osC Phoenix has these columns in the customers database table.

Quote

... and as long as the split option is used in the module, it should be safe. 

what do you mean by split option? I could not find anything related to this.

~~~~

Quote

do you plan to release your version?

Vicent, I did not plan on it because it was removed from osC and introducing it back in as an addon will likely conflict with the underlying purpose of why it was removed in the first place. As Jack said, it was a PCI compliance issue, but I am not 100% sure if this was the only reason. There may have been other security issues that were part of that decision to remove it as well.

Aside from that, I do not use the left or right columns in the osC layout, so my CSS is not structured for that layout - specifically, when resizing the browser. Here is a screenshot of what my payment page looks like. I am currently just using these modules for testing and only plan on having a CC module (via a merchant account) and a PayPal module as payment options.

[screenshot: payment-page.png]



OK. The safest thing will be not to use it.
The reason is that it does not need the CVV to process payment, and it is easy to get numbers and expiration dates from any card, or simply to test generated ones;
this contributes to crime.

1 hour ago, Demitry said:

And even the latest version of osC Phoenix has these columns in the customers database table.

The fields are there but I don't think the payment modules use them. At least, I know the Paypal and Authorize.net modules don't.

2 hours ago, Demitry said:

what do you mean by split option? I could not find anything related to this.

My version, which is not the standard one, has an option to split the cc number. It has been a while since I've looked at the original but I thought that was in all of them. When used, the code splits the cc number and stores part in the database and sends the other part in an email. That way, there is no way for hackers to get the whole number should they get access to your database.  I'll upload it as an addon when I get the time. Maybe it will be useful to someone.

Quote

The fields are there but I don't think the payment modules use them.

I did not know that. I assumed that they would have been removed if they were not going to be used.

Quote

My version, which is not the standard one, has an option to split the cc number. It has been a while since I've looked at the original but I thought that was in all of them. When used, the code splits the cc number and stores part in the database and sends the other part in an email. That way, there is no way for hackers to get the whole number should they get access to your database. 

Ah, that is part of the module, but I could never figure out what that description meant because it did not make much sense to me. Here is the screenshot of it below. Thanks for explaining it.

[screenshot: cc-card-no-option.png]


8 hours ago, Demitry said:

I did not know that. I assumed that they would have been removed if they were not going to be used.

Some sites might want to enable the code to store the details. It would be a mistake, in my opinion, if they were removed.

For the split option, the existing modules, as far as I know, only allow for one email address. If that address fails for some reason then you can't recover the cc numbers sent to it. I've seen this happen more than once so you need to be careful with it. My version allows for multiple addresses to make the chance of that happening less likely.

Quote

My version allows for multiple addresses to make the chance of that happening less likely.

OK man, ..we're waiting on your version. ...whenever you get time.


I'm also looking at the options for the payment module as I set up my online shop. I was mainly looking at Sage Pay, but no one seems to be recommending it here? I'd really rather avoid PayPal, after a nightmare experience I had with them previously. They kept taking money and being an absolute nightmare when I'd contact them to sort it out, telling me to call the other company, who kept telling me PayPal needed to sort it, which ultimately led to being out of pocket, unable to pay a bill, which caused me to take out a loan - in the end I ended up with debt and had debt collectors intimidating me at my door. Sorted now. But I will never use PayPal again. Not worth the hassle of dealing with their customer service.

So is the general consensus PayPal or Authorize? Has anyone used Sage Pay? I used to use Sage when I was an accounts assistant, so figured that could be a good option. I don't know anything about Authorize.

Edited by Jan Zonjee
removed probable spam link....

