Credit card numbers

[crimsondrac]

Hello,

We operate a website using the Linkpoint module to process CC. However, we use an accounting package called MAS90 to process the orders, print the pick tickets and invoices. MAS90 requires a few fields in it's database to properly process the orders. For Pre-Paid orders, 3 of the fields it requires is CC number, name and exp date. I know it is EXTREMELY taboo to store those CC numbers, but the accounting package requires it. We are currently processing the orders as POs to bypass a few steps, but this is causing extra work for our invoicing dept and they are getting mad.

The accounting package stores it locally and encrypts it so there is no worries there, however, we need to get that number somehow. Is there anyway to get that number from the system (other then setting up the offline CC module)? or setting it up to store that cc info into a secure database?

[Kim]

Does the accounting package have to have a real CC number or would it accept the 4444 XXXX XXXX 1111 format?

[crimsondrac]

Unfortunately, it needs the whole number. We have tried entering partial numbers as well as dummy numbers. It does not like that.

[DrByte]

MAS90 requires a few fields in it's database to properly process the orders. For Pre-Paid orders, 3 of the fields it requires is CC number, name and exp date. I know it is EXTREMELY taboo to store those CC numbers, but the accounting package requires it.

That doesn't make any sense. If the accounting package knows the order is already prepaid, what does it need the CC numbers for? If it's not going to process the card, it doesn't need the card. Sounds rather odd IMO.

[BrianDunn]

Have you contacted your Sage reseller for support on this issue yet? Or have you tried Sage directly at 800-854-3415 (not sure if you have one of their support plans)?

Brian Dunn
HighTower (Sage Reseller)

[crimsondrac]

The accounting package knows it's a prepaid order, but currently, they are setting it up as a PO order. I am not an accountant so I can not go into all the details on why it needs it, but suffice it to say, to get all the books to balance correctly, all the CC orders must show as CC orders, all the check orders, must show like check orders, etc. And, when entering a CC order into MAS90, it requires a CC number to be entered. Like I said, I do not know all the details. Our accounting supervisor just says she needs it.

I have contacted Sage software, at least our reseller/support and any customizations they do cost an arm and a leg. To get an email address field expanded from 30 to 50 characters, they want $3000.00.

I have offered to turn of the automatic processing and turn on the offline credit card module, but this would mean our invoicing department would have to go to 2 places to get the credit card field, then process each order manually through the web POS. THis would be even more work for them.

Come on, I know it is not impossible to ge the credit card number through other modules, so I know it can't be that impossible here. I just do not understand why all the resistance.

[DrByte]

Come on, I know it is not impossible to ge the credit card number through other modules, so I know it can't be that impossible here. I just do not understand why all the resistance.

Resistance? It's actually a flat refusal to publicly display how to transmit entire CC numbers. Not because we want to be difficult, but because it's, well some might say, the law. PCI Compliance. Terms of Service in your merchant account agreement.

Tell me this: Are you asking that we tell you how to store the entire CC number on your server so that you can extract that information for use in your offline accounting package? Sorry, that's not happening. You can do the custom coding yourself, but it will not be posted on the forum. It's a complete violation of PCI rules, and is extremely dangerous to your business. I hope you have a solid insurance policy if you choose to alter the code this way.

Or, do you want it to send the LP CC middle-digits via email so your accounting dept can do the 2-step matchup? They'll still have to match it up, but then they could have the entire real number. I'm still not going to post the "how to" for that publicly, although someone did post the concept not long ago.

[crimsondrac]

I do not even want to store the CC numbers in an online DB. You are right, that would open up a whole can of worms better left closed. Unless there was some way to encrypt it, which is beyond my programming means, I would not want that liability.

I just do not understand what the problem is? I can not be the only merchant in the world that needs that information. I came to these forums for technical help and the most I see being discussed here is design pointers. Most of the really "technical" questions seem to get squelched.

[DrByte]

Okay, how do you envision collecting the information and getting it to your software ... while still not storing the entire CC info on the server anywhere ... and making life acceptably easy for your accounting folks?

[Merlinpa1969]

If the order is prepaid, and is NOT a recurring billing then you are prohibited from keeping those numbers,

there are 2 ways to get this information in one chunk,

1 store it in the DB and have your folks grab it ( still a time consuming process )
2 email the entire number on the invoice ( also NOT going to happen )

you need to
1 turn OFF the feature thats requiring the CC information,
2 Tell your folks to work faster ( its really not that much work to match the order ( which they are going to have to look at anyway to verify it ) and the middle digit emails,

3. get accounting software that dosnt require all this extra un needed information,



The technical questions get answered all the time,
just not the ones that will help someone violate the law or TOS anywhere