Payleap

[niccol]

If you are using Zen Cart and Payleap then you should be aware that the module which is available in the download section stores the entire credit card details to the database.

You probably do not want to be doing that as it is a major security risk.

First thing to do will be to contact Payleap. You'll be told it isn't really their problem even though they provided the module. Second thing to do is have a think about that response and see if you like it much. Make your own decisions......

I altered Zen to accommodate this and prevent the module writing this information to database so if anybody wants that hack then be in touch.

[kobra]

I would think about reporting Payleap and their script to PCI/DSS

As you know this is a serious breach of the standard

[niccol]

Well, the post was a very brief precis of a long discussion. Which I am happy to discuss at length but ends up sounding like a outright rant -- because it is.

It resolves around whether the module is their responsibility. It is authored by one of their employees, was uploaded by a user with one of their email addresses, and was actually emailed to me by one of their employees. but apparently has nothing to do with them and they will not take responsibility for it.

In one of their emails they explained to my client that it couldn't be anything to do with them because ' they are not programmers'. This is a payment company and they think it is a good idea to explain that they would not be competent to write a few hundred lines of code?????? And that is their defence?

Nick

[kobra]

So long as you know , caught and corrected this so that you are not the offender

Woe to the others that have not determined this

[niccol]

Well, I will never be touching Payleap again after this experience. (and more) but each user should make their own decisions :-)