Remove CC Info

I'm no longer going to store any credit card info for any order status. How can I remove the CC info for all past orders without clicking each one individually? Can this be done in the admin, or is there a SQL query that can be run?

2.2.3 Pro

Orders>View Orders>Select All> At bottom of page, “Choose Action” & “Remove CC Info” (You can remove CC Info for up to 100 orders at a time) ;)

[quote]I’m no longer going to store any credit card info for any order status[/quote] Btw, Good choice

I have almost 40,000 orders. Some of the declined, failed, and open orders may still have CC info stored. I'd have to go through 400 pages at 100 orders per page. Is there a way to just clear all the CC info at once?

Unfortunately, the credit card numbers are encrypted and stored in the order_data table related to an order_id.

You might try the following (untested with no guarantees - but should be close). Be sure to change 'LIMIT_TO' to zero after you've verified that running it on one order works as expected.


/* Put in root of store or addons/my_changes. Must be able to execute scripts from whatever
* directory you put this in.
define('AREA', 'A');
define('AREA_NAME', 'admin');
if( !file_exists('./prepare.php') )

define("UPDATE_DB", false);

function my_mask_cc($order_id) {
$dat = db_get_field("SELECT data from ?:order_data WHERE order_id=?i and type='P'", $order_id);
if( $dat ) {
$pay_info = @unserialize(fn_decrypt_text($dat));
if( $pay_info && !empty($pay_info['card_number']) ) {
$s = $pay_info['card_number'];
$pay_info['card_number'] = substr_replace($s, str_repeat('X', strlen($s) - 4), 0, strlen($s) - 4);
$pay_info['expiry_month'] = 'XX';
$pay_info['expiry_year'] = 'XX';
if( !empty($pay_info['cvv2']) ) {
$s = $pay_info['cvv2'];
$pay_info['cvv2'] = substr_replace($s, str_repeat('X', strlen($s)), 0, strlen($s));
$pay_info['cc_info_removed'] = date("Y-m-d H:i:s");
db_query("UPDATE ?order_data SET data=?s WHERE order_id=?i AND type='P'", fn_encrypt_text(serialize($pay_info)), $order_id);
echo "Zapped cc info for order_id '$order_id'
return true;
return false;

echo "
define('LIMIT_TO', 1);
$cnt = 1;
foreach(db_get_fields("SELECT order_id FROM ?:orders") as $order_dat) {
if( my_mask_cc($order_dat['order_id']) && LIMIT_TO && $cnt++ >= LIMIT_TO )
echo "


Nice work Tony, not a simple task to say the least! ;)

I've done the pieces so many times (other than the masking of the number) that it was pretty much a no-brainer. When one deals with external order management daily, getting data in and out becomes almost second nature (until they change something). However, I don't want to zap any cc info on my system, so it's basically untested. Hence them might be a syntax error along the way, but the logic should prevail.

Note that if you set a language variable for 'cc_info_removed' then the date/time it was zapped will show on each order.

Why not a simple db query?

UPDATE `cscart_users` SET `card_name` = '',
`card_type` = '',
`card_number` = '',
`card_expire` = '',
`card_cvv2` = '';

I think that will remove the primary credit card only in the user's profile (I don't even know if that's used any more). I don't think it will get the alternate cards that can be kept in a user's other (alternate) profiles.

It also will not remove any of the credit card info in the orders… I thought this is what John wanted to do versus removing CC info that user's may have stored.

I couldn't tell ya. I have never stored CC info and I do not know where else CC info would be stored.

This whole functionality seems to be missing is CS Cart 3.0.1 professional. Did anyone figure out how allow the credit card to show in the admin for offline orders?

There is a post from cs-cart that states that credit card information is not being stored due to PCI compliance. It's missing on purpose.

Read this for explanation.



Hi Bob,

Thanks for pointing me to that. I haven't poked around the code, but it should be pretty simple to comment out the function that removes the cc data, no? Anybody do this?

So I had the same issue. We don't want to pay someone to process our payments or have an extra step since we have the ability to do it ourselves.

We generally delete the cards after a purchase to try to adhere to the PCI compliance as best we can. However that doesn't seem like a possibility at the moment either. I guess another problem for another time.

In case anyone else wants to do it



if (!empty($info['cvv2'])) {
$info['cvv2'] = 'XXX';
if (!empty($info['card_number'])) {
$info['card_number'] = substr_replace($info['card_number'], str_repeat('X', strlen($info['card_number']) - 4), 0, strlen($info['card_number']) - 4);
foreach (array('start_month', 'start_year', 'expiry_month', 'expiry_year') as $v) {
if (!empty($info[$v])) {
$info[$v] = 'XX';

Delete or comment out that block