credit card module always sends middle digits.

the credit card module always sends the middle digits to whatever email address is defined as the administrators address.
i thought its only suposed to do that if an email address is defined in split cc box.
so if you dont put anything in that box,
you get an error message for every order sent to the admins email complaining that no email address was entered for the split cc (middle) to go to and thus, the transaction will be not be able to process.
however, as i have enabled "store cc number" then the admin can see the cc number and process it, then click mask. zencart claims this is a security risk.
that seems secure enough for me...but this configuration yeilds the annoying error emails, and in the error emails they send the middle digits.
personally, i think storing the middle digits of everyones credit card in my yahoo email address account doesnt seem that safe. after you press mask, the information is gone from the database, and anywhere else. that seems the safest. but then i have to go delete all those emails....

someone set me straight here...

the number is split so that the entire number is NOT stored in the database,
you also need the CVV which has to be emailed as its NOT legal to store this number inthe DB under any circumstances.

and the middle numbers are worthless,

the first 4 are card type and the last 4 are the identifiers.

well the cvv is stored in the db in an encrypted format.

it just seems too tedious to have to check 2 places for each order to get the number.
is this really how everyone does it?
what if they have hundreds of orders a day?

I am also experiencing this problem. We are using rsa encryption which I feel is secure. However, if I leave Split Credit Card Email Address field blank I receive error messages with a warning.

What is the appropriate way to stop zencart from sending these error messages?

Thanks!

the way to stop sending the emails is to stop trying to beat the system,

If your getting enough business that its too time consuming to use the split then get a real merchants account and gateway

Every credit card processor I've ever spoken with REQUIRES cc #s to be split. And if someone hacks your Admin, all those orders will NOT be protected anymore. Sending some cc digits to email addys insures a higher level of security, even to the inconvenience of store owners.

To change the ZC way of processing credit card orders is inviting trouble further down the road. Security should be a major concern for all store owners as everyday hackers find more ways to undermine yesterday's security standard.

I completely agree that security is of the utmost importance and I'm not trying to beat the system.

In order to access any of the credit card info on the site, an administrator must upload a 1024 bit encrypted private key. This way, even if somebody hacks the site there is no access to the credit cards.

The user can log in, upload the key, and access credit card number instead of juggling e-mails.

There is nothing wrong with also sending the e-mail, but in this case it is superfluous.

Is this method less secure than splitting up the CC number?

ashain: Not everyone knows how to use the linux private key, not every can use it (share host)
And even with private, if the hacker can hack into your host server, it doesnt really matter anymore. This practice is REQUIRED by the laws in some areas, and some host may even refuse it (and force you to use merchant account)

Did I miss something here? When did emails become a secure place to expose CC #s? I was aghast when I saw this!

to make a long story short, we have hughes mail. They have a lot of problems with the middle digits coming through there system, but they are currently trying to fix it, so the emails still need to go through them so they can tell what the system is doing. In the mean time i need those digits. Is there any way i can have those middle digits sent to a second email address also?

Thanks
Casey