Hi,
I need to know what the customer's credit card number is for a legal document where I enter that in. Where can I find that or at the very least, the last 4 digits?
Thanks
Providing you with financial services for your business - merchant accounts, echeck solutions, small business loans, and chargeback prevention services. Exceptional customer service.
At the risk of sounding like someone else on the forum.....
As someone in the merchant business, you must know that storage of the credit card number on Zen Cart (or any system that collects the data) would be a direct violation of PCI/DSS regulations.
Ceon's manual payment module will get you to the entire number with the middle digits arriving by email -- Not a valid PCI/DSS method though.
I find it ironic that the best way to currently get the card type, last four, and expiration is the Square payment module written by that someone else. Of course, using it bypasses those merchant accounts that you would be selling.
Ah, the conundrums of life.
Are You Vulnerable for an Accessibility Lawsuit?
myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
Free SSL, Domain, and MagicThumb with semi-annual and longer hosting.
I know that, but the last SC I used got me the entire number for the first 2-3 days, then it reverted to the last 4 & I would expect ALL SCs to have the last 4. That's standard, although I really have no experience with SCs because I was with the other one for 11 years & they weren't the greatest.
And of course I have no idea how ZC works, that's why I'm asking. :) Just because PCI is a regulation, doesn't mean all sites follow it.
And just so you know, it's regulated by Visa, not the bank or processor. The processor is the one who makes sure (or they should) that the merchant is PCI compliant, but it's very lax in them investigating.
Square may "appear" easy, but they aren't a professional merchant account. We've gotten many clients who have come to us stressed because their account got closed down by Square when suddenly Square determined they were high risk after they let them have an account in the first place.
Thank you so much for your help.
Most payment modules in Zen Cart store the last 4 digits as part of the order data.
You can see those 4 digits by going to Admin->Customers->Orders, and opening the order whose details you want to view. The safe card details are shown in the top left near the date, below the customer's primary address.
Whether your addon gateway's module is written to store that data or not is another matter.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
i will post on this thread once and once only....
the storage of credit card numbers on ZC or any other system that stores credit card data is NOT a violation of PCI-DSS. the storage of these numbers unencrypted, on the other hand, is a violation.
VISA/MC encourage the use of a third party credit card vault and tokenization provider to store credit card numbers; and the merchant and consumer can then use the token to implement a card on file/recurring payment transaction. those third parties are still subject to PCI-DSS.
in my experience, it is NEVER the processor who ensures that the merchant is in compliance; it is the merchant bank for the merchant/store owner who ensures compliance. but very few merchants are truly in compliance.
a client's merchant bank recently told him he was out of compliance because sensitive data went to his server and then to the gateway. the merchant bank said you needed an iframe for the payment data or a payment page hosted by the gateway or some other process. but the sensitive data could NOT touch his server. which in my opinion is wrong. requirement 4 clearly states:
4. Encrypt transmission of cardholder data across open, public networks
so if the data travels encrypted, you should be covered.
the idea that you can not host a page that transmits the data to your server and then passes it to the processor is something new to me. perhaps that is new.... but it seems wrong.
@carlwhat - your grasp of the facetious needs a little tweaking. Granted, could have been more specific but, enjoyed sending OP to non-merchant processing.
To all - I seldom take anything but the source as gospel. https://www.pcisecuritystandards.org...ta_storage.pdf is something everyone should read. Note that there are several more than Visa involved and they frown on storage of data. Interesting to see how Square is getting around the CVV storage.
I know that I should at least look into the square module usage, though I don't yet have an account with them, hence why I haven't really tried. Also, that this is a bit of just discussion.
One of the PCI related documents I read from that site had the following:
"PCI DSS Scoping Guidance: The shopping cart software is in scope for PCI DSS compliance, and PADSS may also be applicable. The shopping cart/payment application should be developed securely and according to PA-DSS requirements to ensure either that 1) cardholder data is not stored after authorization, or 2) if the merchant has a business need for storing cardholder data after authorization, that it is protected during storage per PCI DSS Requirement 3.4 (for example, via encryption, truncation, or hashing). It is important to remember that storage of sensitive authentication data such as the CAV2, CVC2, CVV2, or CID is not allowed post-authorization, per PCI DSS Requirement 3.2, even if encrypted."
The last sentence leaves things a little ambiguous... In one respect it identifies that after authorization has occurred, do not attempt to newly store the CVV2 for example. In the other respect it identifies that if it has been stored then it needs to be removed after authorization... The first interpretation comes from reading the associated section 3.2 of the document that describes the accessibility of the various sub-systems, what they are used for and how to add information. It seems to imply that if the data is there and proper channels are the only ones able to access the resource then there is no new data being added (storage) that could lead to an association that would allow getting back that information. All that said: a twisted way I think to keep information that is generally unnecessary. I would typically go for the second interpretation of hey, purchase (even if routine/scheduled) is authorized, dump the no longer needed information.
But, as said, I don't yet know how the square module works with information such as that...
ZC Installation/Maintenance Support <- Site
Contribution for contributions welcome...
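An added example, not part of any post above and not Zen Cart code: the scoping guidance quoted in this thread, applied as a storage routine that keeps only a truncated card number and drops CVV-type values, plus a check that flags full card numbers left in stored text. The field names and sample records are assumptions constructed for illustration.

```python
import re

# Field names are hypothetical, not Zen Cart's schema.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid"}
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives such as tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate_pan(pan):
    """Keep only the last four digits; the rest is replaced, not encrypted."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("implausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]

def record_for_storage(payment):
    """What may be kept after authorization: no full PAN, no CVV-type values."""
    stored = {k: v for k, v in payment.items()
              if k != "card_number" and k.lower() not in SENSITIVE_AUTH_FIELDS}
    stored["card_masked"] = truncate_pan(payment["card_number"])
    return stored

def find_full_pans(text):
    """Masked forms of Luhn-valid full card numbers found in stored text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(truncate_pan(digits))
    return hits

# Constructed sample data; 4111 1111 1111 1111 is a widely used test number.
SAMPLE_PAYMENT = {"order_id": 1001, "card_type": "Visa", "expiry": "12/30",
                  "card_number": "4111 1111 1111 1111", "cvv2": "123"}
SAMPLE_NOTES = ["order 1001 paid, card ************1111",
                "customer phoned in card 4111-1111-1111-1111 exp 12/30",
                "tracking 1234567890123456 shipped"]

if __name__ == "__main__":
    print(record_for_storage(SAMPLE_PAYMENT))
    for note in SAMPLE_NOTES:
        print(find_full_pans(note), "<-", note)
```

The scanner reports hits in masked form so that its own output does not become another place where full numbers are stored.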
"Square CVV storage" is beyond the scope of this discussion, and unrelated to Zen Cart.
(ie: they do sometimes store complete card details in their fully PCI certified Level 1 datacenter, for the express purpose of being able to do recurring billing, and other interactions. Their ability to store that data is the same as Authorize.net or PayPal or any other gateway provider.
Zen Cart doesn't store the CVV data for Square or any other built-in gateway's payment modules.)