[djhosken]

Hi, I have downloade V3.01 of the Ultimate Edition. Great software, I am VERY impressed! The code is aslo great, have been spending last couple of days working with it, and code is very well written and consistent!

I installed the credit card payment method. When I do a test order, and enter credit card details, they are not shown on order details page in admin panel. Many fields of cc details are replaced with x's. For example:
Card number: XXXXXXXXXXXX8992

I am logged in a administrator. I have SSL enabled on checkout page, and admin panel. I have cleared cache (..../admin.php?cc). Don't know what else to do?? Please help.

[brandonvd]

This is something that CS-Cart decided to do. There were some posts about it a while back, but I haven't searched for them.

If you plan on running your credit cards manually, you'll need to have some changes done to the code. I have no idea what changes, but I'm sure tbirnseth or alt-team could help.

Thanks,

Brandon

[pbannette]

There are some other posts on this subject. I believe in one of them, the code to make the credit card information available was posted. I tried searching, but I can never find what I want with the search. It was posted withing the last month. A bug report was also posted on this subject. Turns out it is not a bug, but designed this way in the new versions.
Bob

[djhosken]

Just got a reply from CS-Cart Help Desk. They disabled this function, and if you want it to work, you have to pay them to do it. Their reply:

Quote

The ability to view a credit card number cannot be added within our technical support service. So I can only suggest you considering our custom development service to have the ability to store credit card info implemented on a paid basis.

This is very dissapointing, seeing that it is a payment method they mention in their Knowledge Base, and "manual credit card payment module" is also mentioned on the features page (www.cs-cart.com/payment-gateways.html). I just recently bought the Ultimate edition, and not happy getting a reply that I have to pay to get them enable.

If anyone knows how to enable it, please could you share the code.

[parodius420]

Well, personally I think its a good idea. I wouldnt want a small website, or anyone really for that matter to have my full credit card number.

[brandonvd]

While I do agree with you, I do know that some people have cc machines in their office and process credit cards manually. While this isn't the best for security, that is how they run their business and it should be their choice of how they accept credit cards.

By the way, you ever order anything over the phone or eat at a restaurant? You do an order over the phone, that person has all of your info. You go out to eat, the waiter walks off with your cc, they also have your info.

Trust me, your cc number isn't secure no matter what you do. You can try, but there is always a chance. Personally, I use my debit card. Sure, the fraud is still a possibility, but since my account is always super low, there is only so much a person can get. Can't suck blood from a turnip I guess.

Anyways, it should be up to the business owner to be responsible, not for the cart to force this stuff.

Just my thoughts I guess.

Thanks,

Brandon

[Struck]

I can understand all of the above points of view, however, I believe a critical point to remember is that any specific customer credit card details saved within an online shopping cart system database is at a far higher risk of being compromised vs. a well managed business internal storage system with security measures in place. Afterall, there are 40 Million hackers continuosly attempting to gain access to your Mysql database around the clock, and they are at times successful at compromising some very large institutions.

I will not store any of our customers credit card details in our online sites databases, and for only a very select few customers will we store there details internally, helps me to sleep at night knowing we are doing what is best for our customers, even if they don't fully believe so.

[brandonvd]

Struck,

I agree. I personally don't want to be responsible for my customer's cc numbers either. I don't use the manual method and I don't endorse it, but if it is going to be an option in the cart, then it should be up to the store owner to decide if they want to use it or not.

Thanks,

Brandon

[Struck]

Yeah, it is a rather complicated situation overall, I believe PCI Compliance is the driving force behind this change in 3.0.1 and If I were an ecomm software developer, not sure how I would handle this situation either. One of the questions I often wonder is how businesses that use recurring billing can continue to do so without continuously storing credit card details, unless you have a credit card processor that stores these card details on their end, or perhaps it will require photographic memories?

[JesseLeeStringer]

You will find that ultimately the business owners will decide how to do business.

I have already deferred the purchase of two licenses due to this 'functionality' as I can no longer take pre-orders without charging the full amount of product. My intentions were to store/print/wipe for customer orders to be fulfilled when I receive inventory (and charged).

J.

[Struck]

Quote

You will find that ultimately the business owners will decide how to do business.

Absolutely,

CS-Cart needs to put some more thought into this. Especially in B2B commerce there will always be those business owners which will need to make partiall upfront charges to cover "made to order" or special order items and then perform the final charge when the goods are ready for shipment. Not having this option could certainly be a dealbreaker in many situations.

Perhaps CS-Cart should leave the ability to temporarily store card details as an option and simply provide clarification that your store may no longer meet PCI Compliance if you choose to store these details.

[luster]

hmm, just found the hard way this is a 'feature' on my store too, very dissapointing

[luster]

Technocrat, on 16 July 2012 - 10:50 PM, said:

So I had the same issue. We don't want to pay someone to process our payments or have an extra step since we have the ability to do it ourselves.

We generally delete the cards after a purchase to try to adhere to the PCI compliance as best we can. However that doesn't seem like a possibility at the moment either. I guess another problem for another time.

In case anyone else wants to do it

/core/fn.cart.php

Find:

if (!empty($info['cvv2'])) {
  $info['cvv2'] = 'XXX';
}
if (!empty($info['card_number'])) {
  $info['card_number'] = substr_replace($info['card_number'], str_repeat('X', strlen($info['card_number']) - 4), 0, strlen($info['card_number']) - 4);
}
foreach (array('start_month', 'start_year', 'expiry_month', 'expiry_year') as $v) {
  if (!empty($info[$v])) {
   $info[$v] = 'XX';
  }
}

Delete or comment out that block

Working perfectly again now

[The Tool]

luster, on 31 July 2012 - 12:50 PM, said:

Working perfectly again now

Just a note to the public, I have noticed that they have removed the credit card fields in the database of at least 3.0.2 and I have no idea if they are being removed during the upgrade process. So some users may have more trouble than just commenting the above code.

[luster]

I can confirm the above code change still works in 3.0.2

[CutRiteFX]

Wow, we use Intuit to process offline credit card payments and upgraded the store over the weekend and I get up this morning to process the orders for the weekend only to find out. I now have to contact my customers to complete orders. Wish I had known this. Whats the point of having an offline process payment option in the store if I can not process it

[JesseLeeStringer]

CutRiteFX, on 13 August 2012 - 01:32 PM, said:

Whats the point of having an offline process payment option in the store if I can not process it

Please be a politician and not a developer - PLEASE!

[kogi]

*facepalm* . They will probably remove offline process payment altogether

[lccoins]

Cs-Cart is offering to charge us $275 to restore the offline payment functionality. This whole thing really sounds like a bait and switch- they take away a standard feature they've had along without warning anyone, then they can charge us to restore the feature.

I've done the commented out the code as explained above, so we're able to read credit card numbers and process orders. The problem is that they don't get deleted when we change the order status as they used to. So it looks like we'll be forced to pay CS-Cart to restore that security feature.

[clips]

My guess is they are probably trying to be more PCI compliant.