You might be able to find some commercial mod that uses PayPal but watch out using Credit Cards if in the U.S. You could be violating PCI requirements.
A little help with colors.
myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.
this is a statement, that while not inherently false, i find completely misleading.
PCI requirements are for any entity that processes credit cards. from their site:
"The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards...."
the EU has, for years, been far ahead of the US when it comes to credit card security. the idea implied in the above statement, that you could be violating PCI if in the US, but not elsewhere, is simply false...
this payment module allows for the secure storage of credit cards on the authorize.net gateway:
https://www.zen-cart.com/downloads.php?do=file&id=2272
adding a subscription element to this module is no doubt possible, but not included in the base implementation.
best.
Actually, yours is a statement, that while not inherently false, I find completely misleading. Especially when you "put words in my mouth."
The very fact that the rest of the world may be doing a better job of PCI does not negate the fact that anyone wanting to mess with this sort of thing MUST be aware of SAD, EMV, CVV, etc.; Rules 3.1-3.6 of PCI standards, and (most importantly) what is going on at their server. It is more prevalent in the US as most hosting companies don't seem to care and the merchant accounts seem to get kickbacks from the folks who offer to "fix" your problem.
The suggestion of doing a "fix it and forget it" with Zen Cart is misleading without the warning that there is still danger out there in PCI land. No matter what you do with Zen Cart (The only one I know to ever be PCI certified BTW) there still lies the problem with the server the site is sitting on or the server that is going to store the PAN and PAN-related items. There are some major hosting companies out there who do not meet PCI standards in any way whatsoever. Just go to ssllabs.com/ssltest and enter a major host. Maybe WentUncle.com. They support protocols TLS 1.0 and 1.1, which were deprecated thirty months ago.
The OP didn't say they were planning to collect and store card numbers. In fact they specifically said they intend to use PayPal to handle it.
So, while @dbltoe is correct that collecting cards and storing them on your own server is dangerous,
so also @carlwhat is correct in pointing out that it is reasonable to trust a properly certified payment gateway that is compliant with all standards.
Both of you have taken this discussion entirely off topic.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.