CVV2 Info Being Stored

Hi Guys,



As far as I know, it is illegal to store the CVV info of a credit card, or to even write it down on paper. Not that this doesn’t prevent it from happening, but my concern is that CS-cart is storing the full card number, Exp Date, and CVV2 number in the database.



Hacking happens, and if someone were to get in, and have access to all that info, I could potentially get in trouble for storing the CVV number.



I used to use Zen Cart, and they offered a link to delete the CVV from the database after the order was complete (if I manually processed cards).



Does anyone know of a way to do the same thing in CS-Cart?



Another thing that Zen Cart offered was to email the admin the middle digits of the credit card, so that there was never a full card number stored on the database.



I’d appreciate any advice or suggestions that the community would be willing to give. Thanks!

First, in Order Statuses, make sure that the “Remove CC info” checkbox is checked for the “C” (Completed) status and any other statuses where you want the CC info automatically removed.



For existing completed orders, you can search for all orders with a status of “Completed” in View Orders. Then place a check in the first column and hit the “Remove CC Info” button. Repeat for any other statuses, as needed.



Bob

Which version of CS-Cart are you using?



I am using 1.3.5 and it blocks out the cvv2 numbers once I ship the orders and mark them as such.

[quote name=‘clips’]Which version of CS-Cart are you using?



I am using 1.3.5 and it blocks out the cvv2 numbers once I ship the orders and mark them as such.[/QUOTE]



This is because the “Remove CC info” checkbox is checked for status “C” in your order statuses.



Bob

[quote name=‘jobosales’]This is because the “Remove CC info” checkbox is checked for status “C” in your order statuses.



Bob[/QUOTE]



It looks like you and I posted about the same time.



Yes, the new feature that deletes credit card information is excellent. It was one of the big flaws in earlier releases as in the US we can get in trouble if we keep info on a server for too long. I ended up liking the solution that CS came up with better.

Wow, illegal to store it or even write it down…?

Not a comment to question the statement or author, just general concern as I have chosen to keep the cc info available as we inevitably need to process refunds.

[quote name=‘fenwick’]Wow, illegal to store it or even write it down…?

Not a comment to question the statement or author, just general concern as I have chosen to keep the cc info available as we inevitably need to process refunds.[/QUOTE]



We use authorize.net and do not need to know the customer’s full credit card to give a refund. All we need is the original transaction number.



I should also mention that if I need to give a customer a credit I’m sure they would be more than happy to give me the number again. Most would like the fact that we are very careful with their private information.



In the US if your site is hacked and you have credit card information on your server/website that is more than 30 days old, you may be held to criminal charges or the credit card company may do something. I really can’t remember what happens, all I know is I signed an agreement to say I would not “store” credit card numbers over a certain amount of time. They do this to protect the consumer and the merchant.



Since most of us are smaller merchants we don’t have to get PCI scans, but I’m not sure who wouldn’t want to be “PCI Compliant” and very cautious about their customers’ credit card information. I would rather make the phone call to get a credit card to be able to process a refund than a phone call telling them their credit card information was stolen.
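
Added example, not part of the thread and not CS-Cart's code: a Python sketch of the behaviour discussed above, where a status flagged "Remove CC info" scrubs card data on status change, a one-off pass cleans existing orders, and an audit confirms that only the last four digits and the transaction number remain. The field names, the "O" status code and the sample records are constructed assumptions.

```python
import re

# Statuses whose "Remove CC info" box is ticked; "C" (Completed) is from the thread.
REMOVE_CC_STATUSES = {"C"}
# Hypothetical field names, not CS-Cart's schema.
DROP_FIELDS = ("cvv2", "expiry")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(pan):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    rev = [int(d) for d in reversed(pan)]
    return (sum(rev[0::2]) + sum(sum(divmod(2 * d, 10)) for d in rev[1::2])) % 10 == 0

def scrub_payment(payment):
    """Copy of the payment record without CVV2/expiry, keeping only the last four digits."""
    clean = {k: v for k, v in payment.items() if k not in DROP_FIELDS}
    pan = re.sub(r"\D", "", str(clean.pop("card_number", "")))
    if pan:
        clean["card_last4"] = pan[-4:]
    return clean

def set_status(order, status):
    """Change status; scrub card data when the new status is flagged for removal."""
    order = dict(order, status=status)
    if status in REMOVE_CC_STATUSES:
        order["payment"] = scrub_payment(order["payment"])
    return order

def scrub_existing(orders):
    """One-off pass over orders that reached a flagged status before the flag was set."""
    return [dict(o, payment=scrub_payment(o["payment"]))
            if o["status"] in REMOVE_CC_STATUSES else o for o in orders]

def orders_with_card_data(orders):
    """Audit: ids of orders still holding a CVV2 or a Luhn-valid 13-19 digit number."""
    hits = []
    for o in orders:
        pans = [re.sub(r"\D", "", m) for v in o["payment"].values()
                for m in PAN_RE.findall(str(v))]
        if "cvv2" in o["payment"] or any(luhn_ok(p) for p in pans):
            hits.append(o["id"])
    return hits

# Constructed sample data: a standard test card number and a made-up transaction id.
def sample_payment():
    return {"card_number": "4111 1111 1111 1111", "cvv2": "123",
            "expiry": "12/30", "transaction_id": "TXN-CONSTRUCTED-0001"}

SAMPLE_ORDERS = [{"id": 1, "status": "C", "payment": sample_payment()},
                 {"id": 2, "status": "O", "payment": sample_payment()}]
```

The scrubbed record keeps `transaction_id`, which is what the refund workflow described in the thread relies on.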