Storing CC Info - Thoughts?

I get quite a few customers who want to amend their order after the fact. So with 3.04 I could store the CC info while the order is open and delete it when the order is closed. I like this in theory, but how secure is the data?



If a customer's account is hacked, can it be accessed, or would it have to be an admin account?



Is it stored encrypted in the database?

The credit-card data is salted in the database however the encryption key is viewable in plain-text in the config.local.php.



If customers amend their order after taking the initial purchase then it might be worthwhile that you request their card details again.

See here about PCI-DSS. It's not worth the hassle storing the card details, if you do so without applying and receiving PCI-DSS certification, most merchant banks will kick you into touch. Definitely true as far as the UK goes, as I recently helped a friend sort this out after doing the exact same thing and finding the same consequence. Couldn't find a single merchant bank who would offer a new merchant account with his current plans of keeping all the card details to process upon despatch. Ironically, it's these same banks that offer ecommerce guidance rule #1: don't charge the customer until the goods are being despatched. If you like banging your head against a brick wall, just ask your merchant bank for advice.

I stopped using the manual credit card method a couple of versions ago. Found that it is not worth it. I use offline payments including PayPal, Amazon (if I ever get it working again) and credit cards using Cresecure with PayLeap.

I rarely have to adjust orders, but if I have to, I go directly to the PayLeap interface and give the customer a refund or charge for the additional amount, if necessary. Don't need to know the credit card number to do this.

I am still forced to do a periodic scan of the site, but the PCI compliance questionnaire I do is simplified since I don't store or transmit CC info directly from the cart.

Bob

[quote name='pbannette' timestamp='1353763084' post='149841']

I stopped using the manual credit card method a couple of versions ago. Found that is not worth it. I use off line payments including PayPal, Amazon (if I ever get it working again) and Credit cards using Cresecure with PayLeap.

I rarely have to adjust orders, but if I have to, I go directly to the PayLeap interface and give the customer a refund or charge for the additional amount, if necessary. Don't need to know the credit card number to do this.

I am still forced to do a periodic Scan of the site, but the PCI compliance questionnaire I do is simplified since I don't store or transmit CC info directly from the cart.

Bob

[/quote]



You can utilize a payment processor and still see the cc details (FYI) - Just want people to be aware of that in case they unwittingly leave the card details there.

My understanding of the crc on the back was that it should never be stored, which on virtuamart people did want a hack for. When I looked into it, if someone hacked your system and then bought items with the details and it was found out the information came from you, then you could be liable for the bill. I was worried someone might buy a Mercedes Benz, so I ditched the idea. Not worth it.

The hack on virtuamart at the time was to send the crc via email separately along with the last 4 digits. The crc was never stored.

I just do paypal now.

JesseLee,

Where do I check to see if any cc info is left on server?

I use cresecure, which uses a hosted payment page. Customers are entering the cc info directly on the hosted page at cresecure, then the info is transmitted from the PCI compliant cresecure server to Payleap.

If somehow, cc info is on the cs-cart server somewhere, I would consider this a bug. Not as advertised.

Is there a place to see if any cc card info is stored on the cs-cart store server?

Thank you,

Bob
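One way to answer the question above (is any card data left on the store server?) is to scan a database dump, log export or config directory for runs of digits that look like a card number and pass the Luhn checksum. This is an added example, not part of the original thread and not CS-Cart's own tooling; the sample dump below is constructed, uses well-known test card numbers, and its table names are placeholders rather than CS-Cart's real schema.

```python
import re

# Luhn mod-10 checksum: every real PAN passes it, most random digit runs do not.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask(pan: str) -> str:
    """Never print a full PAN in a report; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]

def find_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid card-like number in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits

# Constructed sample dump: two test PANs, one non-Luhn 16-digit value, and short ids
# (order numbers, transaction ids) that must not be reported.
SAMPLE_DUMP = """INSERT INTO orders_payment VALUES (101,'P','4111 1111 1111 1111');
INSERT INTO orders_payment VALUES (102,'P','5500000000000004');
INSERT INTO orders VALUES (103,1353763084,'1234567890123456');
log: payment accepted for order 104, txn 9876543210"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_DUMP):
        print(f"line {line_no}: possible stored PAN {masked}")
```

This only finds plaintext numbers: card data encrypted as described earlier in the thread will not match, so the payment tables and the key in config.local.php still need to be checked separately.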

As CRE Secure provide a hosted page, credit card info isn't flowing through your store - simply pricing variables out and payment confirmation in. For this reason most of the responsibility for PCI rests on CRE Secure.



Authorize.net and similar gateways, (where the customer does not leave the checkout page) will provide 'payment accepted' notices to the store but CS-Cart handles the exchange. You can see this by reviewing Administration → Logs.



Being PCI-Compliant comes down to the banking vendor, the total amount of transactions per year and the security level of the organization. I won't go into my client's best-practices however consider the following to be 'generic' information.



If you are a 'Level 4' merchant - You need to bend to the will of the PCI requirements without a second thought - This is not a drill.

If you are a 'Level 3' merchant - Depending on the acquiring bank, you are generally provided with an in-depth questionnaire that requires your business to provide both virtual and physical security mechanisms. This can be as simple as encryption on the machine storing credit-card data (typical) to who has the keys to the building or server room at what times to the physical construction of the door (not usually, but I've seen it once questioning if it was solid or fiberboard).



I cannot comment on 'Level 1' or 'Level 2' however stores of this size would have outgrown CS-Cart by the time they meet the minimum values to move up a level.



Overall - If you have 'knowledgeable' and 'trustworthy' people working towards the company's 'best-interests' and those of the PCI industry you'll have less trouble than say a Mom'n'Pop running an old version of virtumart. The PCI compliance industry was more or less created to combat credit-card fraud that was running rampant by novices opening up new ecommerce stores using free-to-industry software installations and not maintaining them.



You'll notice that the acquiring bank gets hit with fines, rather than the merchant directly (store owner) so banks now have to work in their best interests by questioning the expertise behind the website and its operator.



tl;dr - You can store credit-card data, so long as you know what you are doing.