Jump to content
Sign in to follow this  
walkities

Linkpoint Question

Recommended Posts

Tried searching but can never seem to get a clear answer or find an answer at all. I set up linkpoint through OsCommerce and thought I read that it stores the credit card # in the database, is this true? If so how would could I set it up so I can make it so the # isnt in the database. I know all about the splitting option with other credit card payments but this doesnt look like its available with Linkpoint.

Share this post


Link to post
Share on other sites

I agree - I need an answer to this question as well - Isn't there an modification to the LinkPoint Contribution that can be made to plit the CC Numbers?


John Skurka

Share this post


Link to post
Share on other sites

I don't understand what you're asking, because my Linkpoint transactions sends me an email with the middle numbers. The first and last four are in the database. This is the only thing I DO like about Linkpoint (authorize doesn't do that as far as I now, at least it doesn't do it for my other sites). I would have switched to authorize.net for this site I'm launching, but I already had this account from a couple years ago so I decided I may as well use it for now and this is a nice feature.

Share this post


Link to post
Share on other sites
I don't understand what you're asking, because my Linkpoint transactions sends me an email with the middle numbers.  The first and last four are in the database. 

Hmmm. Well mine doesn't seem to be working that way. The entier number is in the database. I do get the e-mail with the middle numbers, which I couldn't figure out. Must be that there is something funny going on with my installation of LinkPoint. Are you using the Basic or Full version of LinkPoint?


John Skurka

Share this post


Link to post
Share on other sites

We use LinkpointMS1andMS2 Release 2, and have full credit card numbers and expiry dates in our osC database. Yikes, thanks for bringing this up.


"Buy the ticket, take the ride..." -HST

Share this post


Link to post
Share on other sites

OK, I activated osC's LinkPoint email option...

 

'Email where to send the middle 8 number of the credit card.'

 

...and it STILL records the entire cc number in the database. What good is that? <_<


"Buy the ticket, take the ride..." -HST

Share this post


Link to post
Share on other sites
OK, I activated osC's LinkPoint email option...

 

'Email where to send the middle 8 number of the credit card.'

 

...and it STILL records the entire cc number in the database. What good is that? <_<

WELL, it's nice to know that I'm not the only one having this problem. I've copied the latest linkpoint contrib and installed it, and it still does the same thing.

I've resorted to manually deleting the card number after the approval process. This is a pain the rear, but something that has to be done.


John Skurka

Share this post


Link to post
Share on other sites

Clifton Murphy here, co-author of the module.

 

It operates as designed. The database is secure and therefore stores the entire number. Would you rather it not?

 

If you dont store the entire number in the database you would not be able to checkout as the cashiering process happens after the data is stored in the database. If we didnt store the number, there would be no data to send to linkpoint.

 

Besides that, what if there was a problem with linkpoint? what if you had no data such as card number to verify you actually took the order in the first place? How would you be able to cross reference with linkpoint which customer actually purchased using which card?

 

It is illegal in the US to store CVV codes and as such none is stored. It is also a security risk to send the whole credit card number via email, so we only send the first and last numbers as a reference to let the store owner quickly find the correct order, credit card and pair them up if need be.

 

We can make custom modifications to this if you like and get it to do whatever you wish.

 

The module was written with the majority in mind and works very well for most people. If you are not one of those peoploe please contact our offices for a customization.

 

Visit us online for information on our module installation and customization services.


Clifton Murphy

Share this post


Link to post
Share on other sites
It operates as designed. The database is secure and therefore stores the entire number. Would you rather it not?

So why does "kepa's" version of Linkpoint only store the middle 8? (from a post above)

 

The DB is secure, really? The PW is in a file! Doesn't seem secure to me. Yes, I've got it protected with .htaccess, but I'm betting that there's probably a way around that...

 

Lastly, you're telling me that I don't need to worry that the entire CC number is stored in the DB, correct?


John Skurka

Share this post


Link to post
Share on other sites

IF you want to not sotre the CC # in the database, use something similar to this

 

in checkout_process.php

 

look for the code:

 

'cc_number' => $order->info['cc_number'],

 

I cant guarantee this will work, BACK UP FIRST. Theoretically the "cc_number" string could be removed and would store an empty string in the DB.

 

I would make other changes as well, I.E. remove your admin folder to outside the web folder, get ZEND Optimizer and encode your configure.php files so they are not readily readable, so on and so on.


Clifton Murphy

Share this post


Link to post
Share on other sites

I dont beleive i EVER said you dont have to worry. There is inherent risk in all that we do, but to be honest. A professional hacker has easier ways than hacking into a DB to get at CC numbers. Starting with finding an open port on your server (which isnt hard) and installing various programs which are to numberous to mention here. All designed to glean any and all information he wants, Just like locks keep honest men out, passwords only keep newbs out.

 

If doing business on the internet were risk free, SSL sellers would not offer insurence.

 

So to answer your question, yes you should worry, and take all neccessary precautions short of becoming a paranoid freak who only ever thinks about who is trying to get him.

 

If life gets to this point, its time to quit and get a regular job and stop trying to make it big on the net. But then again, if you do that, you will have to watch who works with you, they could steal from the till and blame you!

 

It all boils down to this, how big of a target are you? Every hacker i ever heard about was trying to get something that might make him getting pinched worth it, is your site worth it, or in fact is your site exactly the same or smaller than 40 million other sites? There is a trade off between security and cost effectiveness, thats why your all using FREEWARE! Your server or hosting company has more to do with your security than you do with your linkpoint files and .HTACCESS files! Ask them when the last time they paid someone to do a security audit was.

 

Ya take precautions, everyone you can. But relax and take a vacation, cause whats it worth owning your own business if you cant enjoy it.


Clifton Murphy

Share this post


Link to post
Share on other sites

Clifton:

 

I understand the security risks with doing business on the internet - thanks for your thoughts.

 

However, you didn't answer the initial question: Why is it that some folks that are using your LinkPoint Contrib (kepa) only store the first and last in the DB, and the e-mail submits the middle 8? This is the way I would prefer it to work. That way I still have the entire CC number, it's just not all in one place.

 

One other question: When the customer encounters an error (i.e. card is declined) is the error message supposed to be displayed somewhere? All I see is that it is appended to the URL, but it doesn't appear on the screen any where. A popup message box or some big text in red letters would be ideal. Right now, it just takes you back to the Payment selection page (and unless you happen to look up in the address box, you don't know that you received an error.)

 

Thanks for the Contribution - your efforts are greatly appreciated!


John Skurka

Share this post


Link to post
Share on other sites
The DB is secure, really? The PW is in a file! Doesn't seem secure to me. Yes, I've got it protected with .htaccess, but I'm betting that there's probably a way around that...

 

Dont forget that you also need a SSL certificate for this to work, and I think that was part of saying that the DB is secure ;)

 

 

I have one question that has been bugging me. I thought the idea of 3rd party payment gateway was that they took the hassle out of handling credit card transactions. For instance with worldpay, 2 checkout and a few others. The customer is passed to the payment gateways own server and all the checking and validation carried out, then passed back either successfull or failed. We didnt want to go down the route of having the CC nos stored and having to have a SSL certificate, hence why we went for a third party processor. Now we have found out we still need the SSL and we still store the numbers, its a pain in the backside!! Does anyone know if they have plans to bring out a 3rd party processing service on their own servers?


Feel free to ask me for help

beep... beep....My Pager

Share this post


Link to post
Share on other sites
It operates as designed. The database is secure and therefore stores the entire number. Would you rather it not?

 

If you dont store the entire number in the database you would not be able to checkout as the cashiering process happens after the data is stored in the database. If we didnt store the number, there would be no data to send to linkpoint.

Thanks Clifton, makes sense. Right, the database is secure. The weakest link for us is osC admin (Sales staff has access), which also displays full cc info. We'd have better security if the full cc number was not displayed there, but was still in the database. Any pointers how I can tweak cc_number display (e.g. no middle digits)?


"Buy the ticket, take the ride..." -HST

Share this post


Link to post
Share on other sites

Is there any why to add OSC order number to linkpoints data to improve cross-referencing?

 

I require the email sent from linkpoint to include the OSC order number and I would also like the OSC number to appear at linkpoint Central.

 

I see the XML sends "oid" but all it sends is 'Set_Auto_By_Linkpoint'

 

could that be changed to OSC order number?? and if so will it be appear on the email.

 

Thanks for any help...

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×