  1. #1

    Obtaining a credit card's bin number

    Situation: A credit card transaction fraud prevention is asking for the first six numbers of a customer's credit card information to interact with their API to determine a fraud score.

    Problem: I cannot obtain or ascertain the credit card number as the number isn't responding to any attempt of being captured. For example, in orders.php there is the following line:

    Code:
        // Sanitize cc-num if present, using maximum 10 chars, with middle chars stripped out with XX
        if (strlen($this->info['cc_number']) > 10) {
          $cEnd = substr($this->info['cc_number'], -4);
          $cOffset = strlen($this->info['cc_number']) -4;
          $cStart = substr($this->info['cc_number'], 0, ($cOffset > 4 ? 4 : (int)$cOffset));
          $this->info['cc_number'] = str_pad($cStart, 6, 'X') . $cEnd;
        };
    Now when I try to, say, catch the first six numbers of $this->info['cc_number'] from orders.php, I get a blank result. Even when I try to capture the whole 'cc_number', it's still blank.

    Questions:
    1. What part of the ZenCart CORE code (if any) actually uses that field (aka $order->info['cc_number']) and what part passes information to it?
    2. If not the ZenCart code, do the individual credit card modules choose to send the data back to be stored in ZenCart's DB? (For example, I noticed that the Quickbooks Module sends back only the last 4 numbers to be added to the table, however the default AuthorizeNet and Linkpoint modules make no update to the fields cc_number etc.) Is this deliberate by design?
    3. Reading the PCI-DSS guideline (specifically Guidance Notes 3.4 and PCI-DSS Requirement 3.3), I can see that it is okay to store only the last four and first six numbers in such a way that the full card number CANNOT be recreated. (Truncation of the number is okay.) (Quote from the PCI-DSS Requirement: "The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored.") So may I modify the coding to accomplish this? (Assuming that I do not modify the code beyond the point to where it violates these rules.)

    Full PCI-DSS from here: https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf
    Last edited by retched; 28 Jul 2014 at 05:14 PM.

  2. #2

    Re: Obtaining a credit card's bin number

    It depends where and when you're doing the inquiry, and whether the payment module you're using even collects any card digits at all. For example, if your payment module is processing cards on the gateway's website ('offsite processing') then your store will never know ANY of the digits of the card.
    If however your module collects the number and transmits it for processing, then that payment module's before_process() method will have access to the card digits during the time it does the processing, and may pass it back to the $order object's info['cc_number'] array element.

    If it's coming up blank, then I'm guessing your payment module never sets it ... probably because it never knows about it.

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
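
Added example (not part of the original posts and not Zen Cart code): the masking quoted from orders.php keeps only four leading digits, so the six-digit BIN has to be taken while the payment module still holds the full number, after which only a first-six/last-four truncation (the limit the question quotes) is kept. All function names are hypothetical, and card numbers are assumed to be 13 to 19 digits long.

```php
<?php
// Added example, not Zen Cart code: every function name here is hypothetical.

/** Strip separators; return the digits only if the length is a plausible PAN (13-19). */
function example_pan_digits(string $pan): ?string
{
    $digits = (string) preg_replace('/\D/', '', $pan);
    $len = strlen($digits);
    return ($len >= 13 && $len <= 19) ? $digits : null;
}

/** First six digits (the BIN) for the fraud-scoring call, or null if unavailable. */
function example_extract_bin(string $pan): ?string
{
    $digits = example_pan_digits($pan);
    return $digits === null ? null : substr($digits, 0, 6);
}

/** Storage form: first six and last four digits kept, everything between replaced by X. */
function example_truncate_pan(string $pan): ?string
{
    $digits = example_pan_digits($pan);
    if ($digits === null) {
        return null;
    }
    return substr($digits, 0, 6) . str_repeat('X', strlen($digits) - 10) . substr($digits, -4);
}

// Constructed input: a widely used test card number, standing in for the value a
// payment module holds while before_process() runs.
$fullPan = '4111 1111 1111 1111';

$bin    = example_extract_bin($fullPan);   // send this to the fraud-scoring API
$stored = example_truncate_pan($fullPan);  // persist this, never $fullPan itself
var_dump($bin, $stored);

// The value orders.php leaves behind keeps only four leading digits, and a module
// that never sets cc_number leaves it empty: neither yields a BIN.
var_dump(example_extract_bin('4111XX1111'), example_extract_bin(''));
```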

  3. #3

    Re: Obtaining a credit card's bin number

    Originally posted by DrByte:
    It depends where and when you're doing the inquiry, and whether the payment module you're using even collects any card digits at all. For example, if your payment module is processing cards on the gateway's website ('offsite processing') then your store will never know ANY of the digits of the card.
    If however your module collects the number and transmits it for processing, then that payment module's before_process() method will have access to the card digits during the time it does the processing, and may pass it back to the $order object's info['cc_number'] array element.

    If it's coming up blank, then I'm guessing your payment module never sets it ... probably because it never knows about it.

    Or in my hasteful case I didn't realize I was looking at lines of "moneyorder" modules which do not use any of the CC's. Essentially I figured it out and I ended up mashing up my code a bit. (Learned a bit about the QBMS module in the process.) This just means that I can't make a "one-shot, fits all" solution and will likely just end up skipping this bit when it's ready for distribution.

 

 
