Situation: A credit card transaction fraud prevention service is asking for the first six numbers of a customer's credit card information to interact with their API to determine a fraud score.
Problem: I cannot obtain or ascertain the credit card number, as the number isn't responding to any attempt to capture it. For example, in orders.php there is the following line:
Code:
    // Sanitize cc-num if present, using maximum 10 chars, with middle chars stripped out with XX
    if (strlen($this->info['cc_number']) > 10) {
        // Last four digits are always kept
        $cEnd = substr($this->info['cc_number'], -4);
        // Number of characters before the last four
        $cOffset = strlen($this->info['cc_number']) - 4;
        // Keep at most the first four characters
        $cStart = substr($this->info['cc_number'], 0, ($cOffset > 4 ? 4 : (int)$cOffset));
        // Pad the leading part to six with 'X', then append the last four: e.g. 1234XX + 5678
        $this->info['cc_number'] = str_pad($cStart, 6, 'X') . $cEnd;
    }
Now when I try to, say, catch the first six numbers of $this->info['cc_number'] from orders.php, I get a blank result. Even when I try to capture the whole 'cc_number', it's still blank.
Questions:
- What part of the ZenCart CORE code (if any) actually uses that field (aka $order->info['cc_number']) and what part passes information to it?
- If not the ZenCart code, do the individual credit card modules choose to send the data back to be stored in ZenCart's DB? (For example, I noticed that the Quickbooks Module sends back only the last 4 numbers to be added to the table; however, the default AuthorizeNet and Linkpoint modules make no update to the fields cc_number etc.) Is this deliberate by design?
- Reading the PCI-DSS guideline (specifically Guidance Notes 3.4 and PCI-DSS Requirement 3.3), I can see that it is okay to store only the last four and first six numbers in such a way that the full card number CANNOT be recreated. (Truncation of the number is okay.) (Quote from the PCI-DSS Requirement: "The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored.") So may I modify the coding to accomplish this? (Assuming that I do not modify the code beyond the point to where it violates these rules.)
Full PCI-DSS from here: https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf
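As an added example (not Zen Cart's code), here is a PHP helper that applies the PCI DSS truncation rule quoted above, keeping at most the first six and last four digits, plus a separate function that reads the BIN from the raw PAN before it is masked. The function names and the sample card number are constructed for illustration.

```php
<?php
// Added example, not Zen Cart code. Implements PCI DSS Requirement 3.3
// truncation: keep at most the first six and last four digits of a PAN
// and mask everything in between with 'X'.

/**
 * Truncate a PAN for storage or display.
 *
 * @param string $pan       Raw card number (spaces and dashes allowed).
 * @param int    $keepStart Leading digits to keep (capped at 6 by PCI DSS).
 * @param int    $keepEnd   Trailing digits to keep (capped at 4 by PCI DSS).
 * @return string           Masked PAN of the same length as the input digits.
 * @throws InvalidArgumentException on a PAN of implausible length.
 */
function truncate_pan(string $pan, int $keepStart = 6, int $keepEnd = 4): string
{
    $digits = preg_replace('/\D/', '', $pan);
    $len    = strlen($digits);
    // PANs are 13 to 19 digits long (ISO/IEC 7812).
    if ($len < 13 || $len > 19) {
        throw new InvalidArgumentException('PAN length out of range');
    }
    // Enforce the PCI DSS ceiling regardless of what the caller requested.
    $keepStart = min(max($keepStart, 0), 6);
    $keepEnd   = min(max($keepEnd, 0), 4);

    $start  = substr($digits, 0, $keepStart);
    $end    = $keepEnd > 0 ? substr($digits, $len - $keepEnd) : '';
    $masked = str_repeat('X', $len - $keepStart - $keepEnd);
    return $start . $masked . $end;
}

/**
 * Extract the BIN (first six digits) for a fraud-scoring call.
 * This must run on the raw PAN while it is still in memory; once the
 * stored value has been masked down to four leading digits, the BIN
 * can no longer be recovered from it.
 */
function pan_bin(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13) {
        throw new InvalidArgumentException('PAN too short');
    }
    return substr($digits, 0, 6);
}

// Constructed sample: a well-known test number, not a real card.
$sample = '4111 1111 1111 1111';
echo pan_bin($sample), "\n";
echo truncate_pan($sample), "\n";        // first six + last four kept
echo truncate_pan($sample, 4, 4), "\n";  // the tighter first-four form
```

The BIN has to be captured where the payment module still holds the raw PAN; reading it back from the truncated database field is not possible once only four leading digits survive.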