Remove CC Info

grayloon · October 18, 2011, 12:00am

I'm no longer going to store any credit card info for any order status. How can I remove the CC info for all past orders without clicking each one individually? Can this be done in the admin, or is there a SQL query that can be run?

2.2.3 Pro

struck · October 18, 2011, 12:00am

Orders>View Orders>Select All> At bottom of page, “Choose Action” & “Remove CC Info” (You can remove CC Info for up to 100 orders at a time)

[quote]I’m no longer going to store any credit card info for any order status[/quote] Btw, Good choice

grayloon · October 19, 2011, 12:00am

I have almost 40,000 orders. Some of the declined, failed, and open orders may still have CC info stored. I'd have to go through 400 pages at 100 orders per page. Is there a way to just clear all the CC info at once?

tbirnseth · October 19, 2011, 12:00am

Unfortunately, the credit card numbers are encrypted and stored in the order_data table related to an order_id.

You might try the following (untested with no guarantees - but should be close). Be sure to change 'LIMIT_TO' to zero after you've verified that running it on one order works as expected.

```php

/* Put in root of store or addons/my_changes. Must be able to execute scripts from whatever
* directory you put this in.
*/
define('AREA', 'A');
define('AREA_NAME', 'admin');
if( !file_exists('./prepare.php') )
chdir('../..');
require_once("./prepare.php");
require_once("./init.php");

define("UPDATE_DB", false);

function my_mask_cc($order_id) {
$dat = db_get_field("SELECT data from ?:order_data WHERE order_id=?i and type='P'", $order_id);
if( $dat ) {
$pay_info = @unserialize(fn_decrypt_text($dat));
if( $pay_info && !empty($pay_info['card_number']) ) {
$s = $pay_info['card_number'];
$pay_info['card_number'] = substr_replace($s, str_repeat('X', strlen($s) - 4), 0, strlen($s) - 4);
$pay_info['expiry_month'] = 'XX';
$pay_info['expiry_year'] = 'XX';
if( !empty($pay_info['cvv2']) ) {
$s = $pay_info['cvv2'];
$pay_info['cvv2'] = substr_replace($s, str_repeat('X', strlen($s)), 0, strlen($s));
}
$pay_info['cc_info_removed'] = date("Y-m-d H:i:s");
db_query("UPDATE ?order_data SET data=?s WHERE order_id=?i AND type='P'", fn_encrypt_text(serialize($pay_info)), $order_id);
echo "Zapped cc info for order_id '$order_id'
";
return true;
}
}
return false;
}

echo "

";

define('LIMIT_TO', 1);

$cnt = 1;

foreach(db_get_fields("SELECT order_id FROM ?:orders") as $order_dat) {

	if( my_mask_cc($order_dat['order_id']) && LIMIT_TO && $cnt++ >= LIMIT_TO )

		break;

}

echo "

";
exit;
?>

```

struck · October 20, 2011, 12:00am

Nice work Tony, not a simple task to say the least!

tbirnseth · October 20, 2011, 12:00am

I've done the pieces so many times (other than the masking of the number) that it was pretty much a no-brainer. When one deals with external order management daily, getting data in and out becomes almost second nature (until they change something). However, I don't want to zap any cc info on my system, so it's basically untested. Hence them might be a syntax error along the way, but the logic should prevail.

Note that if you set a language variable for 'cc_info_removed' then the date/time it was zapped will show on each order.

thetool · October 20, 2011, 12:00am

Why not a simple db query?

UPDATE `cscart_users` SET `card_name` = '', `card_type` = '', `card_number` = '', `card_expire` = '', `card_cvv2` = '';

tbirnseth · October 20, 2011, 12:00am

I think that will remove the primary credit card only in the user's profile (I don't even know if that's used any more). I don't think it will get the alternate cards that can be kept in a user's other (alternate) profiles.

It also will not remove any of the credit card info in the orders… I thought this is what John wanted to do versus removing CC info that user's may have stored.

thetool · October 20, 2011, 12:00am

I couldn't tell ya. I have never stored CC info and I do not know where else CC info would be stored.

idg · July 3, 2012, 12:00am

This whole functionality seems to be missing is CS Cart 3.0.1 professional. Did anyone figure out how allow the credit card to show in the admin for offline orders?

pbannette · July 3, 2012, 12:00am

There is a post from cs-cart that states that credit card information is not being stored due to PCI compliance. It's missing on purpose.

Read this for explanation.

[url=“http://forum.cs-cart.com/tracker/issue-3140-offline-cc-payment-not-working-as-intended/page__gopid__12355#entry12355”]http://forum.cs-cart.com/tracker/issue-3140-offline-cc-payment-not-working-as-intended/page__gopid__12355#entry12355[/url]

Bob

idg · July 4, 2012, 12:00am

Hi Bob,

Thanks for pointing me to that. I haven't poked around the code, but it should be pretty simple to comment out the function that removes the cc data, no? Anybody do this?

technocrat · July 16, 2012, 12:00am

So I had the same issue. We don't want to pay someone to process our payments or have an extra step since we have the ability to do it ourselves.

We generally delete the cards after a purchase to try to adhere to the PCI compliance as best we can. However that doesn't seem like a possibility at the moment either. I guess another problem for another time.

In case anyone else wants to do it

/core/fn.cart.php

Find:

if (!empty($info['cvv2'])) { $info['cvv2'] = 'XXX'; } if (!empty($info['card_number'])) { $info['card_number'] = substr_replace($info['card_number'], str_repeat('X', strlen($info['card_number']) - 4), 0, strlen($info['card_number']) - 4); } foreach (array('start_month', 'start_year', 'expiry_month', 'expiry_year') as $v) { if (!empty($info[$v])) { $info[$v] = 'XX'; } }

Delete or comment out that block