  1. #1
    Join Date
    Dec 2008
    Posts
    11
    Plugin Contributions
    0

    View entire CC# in Admin?

    This has been asked a few times, I believe, but nobody seems to have an answer.

    My client does not want to pay for a processor, instead she wants customers to put in their CC# and then she will manually process it herself (with her CC machine) and mark the order PROCESSED herself once the charge goes through.

    This is not smart. It's stupid and dangerous... I know that.

    BUT it's what she wants because she does not want to pay processing fees.

    I have set up her payment module as credit card (cc). Just a standard setup. BUT new orders, in admin, are XXXX for certain numbers.

    I know processors hide this information for protection but she does not have a processor and needs to see it. Can this be done?

    I just noticed this problem looking at admin, seconds ago.

    I know this is a security issue, but I've used CS-Cart before and they post the whole CC# because sometimes the card fails and I'll charge it again without having to call the customer back to get the card.
    Last edited by ckad79; 2 Jun 2009 at 07:06 PM.

  2. #2
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,021
    Plugin Contributions
    3

    Re: View entire CC# in Admin?

    No. The numbers that are XX'd out in admin are sent to you in an email when the order is confirmed.

    It looks like you have a good handle on how horribly insecure this method is, and I'm sure you've tried to educate your client.

    I'm not sure if site designers would have any legal responsibility if something went wrong, but I wouldn't work on a site like this, nor would I buy from one.

  3. #3
    Join Date
    Apr 2005
    Location
    White Salmon, WA
    Posts
    62
    Plugin Contributions
    0

    Re: View entire CC# in Admin?

    Okay, I'm sure this is a stupid question, but...

    If part of the credit card number is emailed, and the other part of the credit card number is viewable in /admin/, that sounds pretty secure to me. What am I missing?

    Thanks,
    Scott See
    www.hammock.net
    Global Marketing
    White Salmon, WA

  4. #4
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,021
    Plugin Contributions
    3

    Re: View entire CC# in Admin?

    My issue with manual credit card processing from a website is that the owners/operators of that site, and their employees, and their kids, if they work from home, and their kids' friends, and the office cleaning people, and any passer-by who wanted to scrounge through their trash, if they don't shred the scrap paper they wrote my CC info on, could end up with my card number and expiration date.

    Unprofessional, in my opinion. Yes, I know the card I gave the restaurant server was out of my sight for 5 minutes, and could have been copied multiple times. The difference is that, unless I want to wait and pay on the way out, the restaurant doesn't really have any options, save installing CC readers at every table.

    Internet merchants do have options - proper online payment processing is cheap, considering you're laying off almost all of the risk.

  5. #5
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Re: View entire CC# in Admin?

    Ask your client if they are willing to pay the settlements that their clients will win if their database is compromised.

    The gateway fee is a part of business.
    If they don't want to pay this fee, I would suggest that they only use PayPal (wait, there's a fee for that) or checks and money orders.

    I realize this sounds harsh, but part of your job as the developer is to educate the client....
    The old adage that the customer is always right doesn't apply to all industries, and this is one of those times.....
    Zen cart PCI compliant Hosting

  6. #6
    Join Date
    Jun 2005
    Location
    Cumbria, UK
    Posts
    10,266
    Plugin Contributions
    3

    Re: View entire CC# in Admin?

    We'd decline any project that stipulated full CC numbers need to be captured. One tiny security slip, and you're in line for a joint liability suit from the bank involved. If you have unlimited cash (like a recent Euromillions win) steer clear of doing this!
    20 years a Zencart User

  7. #7
    Join Date
    Apr 2005
    Location
    White Salmon, WA
    Posts
    62
    Plugin Contributions
    0

    Re: View entire CC# in Admin?

    Quote: Originally Posted by stevesh
    My issue with manual credit card processing from a website is that the owners/operators of that site, and their employees, and their kids, if they work from home, and their kids' friends, and the office cleaning people, and any passer-by who wanted to scrounge through their trash, if they don't shred the scrap paper they wrote my CC info on, could end up with my card number and expiration date.

    Unprofessional, in my opinion. Yes, I know the card I gave the restaurant server was out of my sight for 5 minutes, and could have been copied multiple times. The difference is that, unless I want to wait and pay on the way out, the restaurant doesn't really have any options, save installing CC readers at every table.

    Internet merchants do have options - proper online payment processing is cheap, considering you're laying off almost all of the risk.
    (End of quote)

    Good points. I'll be sure to talk with them about this. I'll advise them not to print out the email with the missing credit card numbers. No need to, really.
    Scott See
    www.hammock.net
    Global Marketing
    White Salmon, WA

  8. #8
    Join Date
    Jun 2005
    Location
    Cumbria, UK
    Posts
    10,266
    Plugin Contributions
    3

    Re: View entire CC# in Admin?

    Is your client aware of PCI compliance?
    20 years a Zencart User

  9. #9
    Join Date
    Apr 2005
    Location
    White Salmon, WA
    Posts
    62
    Plugin Contributions
    0

    Re: View entire CC# in Admin?

    Quote: Originally Posted by schoolboy
    Is your client aware of PCI compliance?
    (End of quote)

    They're a small retailer. I'm sure they know you're not supposed to give other people's credit card info to strangers, but I'm sure if you posed your question to them, you'd get a blank look. Don't forget, they're a small retailer. We're not talking about a Fortune 500 corporation. They've been accepting credit cards for nearly a decade, and they're still in business.
    Scott See
    www.hammock.net
    Global Marketing
    White Salmon, WA

  10. #10
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,021
    Plugin Contributions
    3

    Re: View entire CC# in Admin?

    You might also want to find out what their current CC merchant account provider thinks of them manually entering Internet transactions. I've never seen one who allows it without changing to a different type of account. If it isn't allowed, and they get caught, they could lose the account they have.

 

 