Okay, I'll get this said and out of the way right off. My client is dead set on offline processing of credit cards. I've talked to them multiple times about this, trying to convince them to go with a payment gateway, but they've been doing it offline for going on 20 years and don't want to change for various reasons. Therefore, please don't post arguments here against offline processing. You'd just be preaching to the choir. It's not my decision to make, and the client has spoken.
That having been said, I am now trying to make this store as compliant as possible with the PCI Security Standards. Those standards say that ALL stored credit card information must be encrypted in one way or another, including cardholder name, expiration date, etc. In Zen Cart, the credit card number itself is not a problem since the number is truncated. The problem is the rest of it.
Since I can't think of a way to encrypt/truncate the expiration date, cardholder name and everything else yet still enable the accounting department to retrieve it to process the order, the only thing I can think of doing is setting things up so that, once the accounting dept. has retrieved the info, there would be links to delete all that stuff from the database. In that way, none of it would be stored except during the time between the order coming in and them getting online to get the info.
I noticed that when Zen Cart's offline processing is set to collect the CVV number, in the order record there is a link for deleting it from the database. I would like to implement that for all the other info as well. I found the code in orders.php that controls the delete function for the CVV (included below).
Code:
case 'delete_cvv':
  // Overwrite the stored CVV with the replacement marker; the order id is cast to int before it is used in SQL
  $delete_cvv = $db->Execute("update " . TABLE_ORDERS . " set cc_cvv = '" . TEXT_DELETE_CVV_REPLACEMENT . "' where orders_id = '" . (int)$_GET['oID'] . "'");
  // Send the admin back to the order edit screen
  zen_redirect(zen_href_link(FILENAME_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', 'NONSSL'));
  break;
Code:
<td class="main"><?php
  // Show the CVV and, only while a real value is still stored, a link to the delete_cvv action
  echo $order->info['cc_cvv'] . (zen_not_null($order->info['cc_cvv']) && !strstr($order->info['cc_cvv'], TEXT_DELETE_CVV_REPLACEMENT)
    ? ' <a href="' . zen_href_link(FILENAME_ORDERS, '&action=delete_cvv&oID=' . $oID, 'NONSSL') . '" class="noprint">' . TEXT_DELETE_CVV_FROM_DATABASE . '</a>'
    : '');
?></td>
I was wondering if someone could help guide me on how to do the same thing for cardholder name, expiration date, credit card number, and all other credit card info.
By the way, the store will not be using the Zen Cart Offline CC processing module. It will be using the Ceon Manual Card add-on module, which keeps the CC info encrypted throughout the checkout process.
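The following is an added example of how the existing delete_cvv pattern can be extended to the remaining card fields; it is not code from the original post, from Zen Cart, or from the Ceon module. It assumes the standard Zen Cart orders table columns cc_owner, cc_number, cc_expires and cc_cvv, and two language constants you define yourself (TEXT_DELETE_CC_REPLACEMENT and TEXT_DELETE_CC_FROM_DATABASE). The call to zen_update_orders_history is an assumption about the admin helper available in newer Zen Cart releases and can be dropped if your version does not have it.

```php
<?php
// Added example (not from the original post, Zen Cart, or Ceon).
// Assumed: TABLE_ORDERS has cc_owner, cc_number, cc_expires, cc_cvv;
// TEXT_DELETE_CC_REPLACEMENT and TEXT_DELETE_CC_FROM_DATABASE are defined
// in your admin language file, e.g. admin/includes/languages/english/orders.php.

// ---- admin/orders.php: add this case next to the existing 'delete_cvv' case ----
case 'delete_cc_info':
  $oID = (int)$_GET['oID'];                         // same int cast as the CVV case
  $marker = zen_db_input(TEXT_DELETE_CC_REPLACEMENT); // escaped once, reused for every column

  // Overwrite every stored card field in a single statement so an interrupted
  // request cannot leave, say, the number cleared but the expiry still present.
  $db->Execute("UPDATE " . TABLE_ORDERS . "
                SET cc_owner   = '" . $marker . "',
                    cc_number  = '" . $marker . "',
                    cc_expires = '" . $marker . "',
                    cc_cvv     = '" . $marker . "'
                WHERE orders_id = " . $oID);

  // Assumed helper: leave an audit-trail entry in the order status history
  // (status -1 = unchanged, 0 = do not email the customer).
  zen_update_orders_history($oID, 'Card details removed from database by admin', null, -1, 0);

  zen_redirect(zen_href_link(FILENAME_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', 'NONSSL'));
  break;

// ---- admin/orders.php: in the order-info table, where the card fields are displayed ----
// Mirrors the CVV check: the link is shown only while real data is still stored.
$cc_cleared = (strstr($order->info['cc_owner'], TEXT_DELETE_CC_REPLACEMENT) !== false);
echo '<td class="main">'
   . $order->info['cc_owner'] . ' / ' . $order->info['cc_number'] . ' / ' . $order->info['cc_expires']
   . ((zen_not_null($order->info['cc_owner']) && !$cc_cleared)
       ? ' <a href="' . zen_href_link(FILENAME_ORDERS, '&action=delete_cc_info&oID=' . $oID, 'NONSSL') . '" class="noprint">' . TEXT_DELETE_CC_FROM_DATABASE . '</a>'
       : '')
   . '</td>';
```

Two practical checks before relying on this: first, confirm which table and columns the Ceon Manual Card module actually writes to, since an add-on that encrypts card data may store it outside the standard cc_* columns, in which case the UPDATE above has to target those fields instead. Second, an overwrite in the orders table only removes the live copy; database backups, binary logs and any exported order reports still hold the original values, so the retention window you are trying to shorten is really governed by those as well.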