  1. #1
    Customer's Credit Card Number

    Hi,

    I need to know what the customer's credit card number is for a legal document where I enter that in. Where can I find that or at the very least, the last 4 digits?

    Thanks
    Providing you with financial services for your business - merchant accounts, echeck solutions, small business loans, and chargeback prevention services. Exceptional customer service.

  2. #2
    Re: Customer's Credit Card Number

    At the risk of sounding like someone else on the forum.....

    As someone in the merchant business, you must know that storage of the credit card number on Zen Cart (or any system that collects the data) would be a direct violation of PCI/DSS regulations.

    Ceon's manual payment module will get you to the entire number with the middle digits arriving by email -- Not a valid PCI/DSS method though.

    I find it ironic that the best way to currently get the card type, last four, and expiration is the Square payment module written by that someone else. Of course, using it bypasses those merchant accounts that you would be selling.

    Ah, the conundrums of life.

  3. #3
    Re: Customer's Credit Card Number

    Originally posted by dbltoe:
    > At the risk of sounding like someone else on the forum.....
    >
    > As someone in the merchant business, you must know that storage of the credit card number on Zen Cart (or any system that collects the data) would be a direct violation of PCI/DSS regulations.
    >
    > Ceon's manual payment module will get you to the entire number with the middle digits arriving by email -- Not a valid PCI/DSS method though.
    >
    > I find it ironic that the best way to currently get the card type, last four, and expiration is the Square payment module written by that someone else. Of course, using it bypasses those merchant accounts that you would be selling.
    >
    > Ah, the conundrums of life.

    I know that, but the last SC I used got me the entire number for the first 2-3 days, then it reverted to the last 4 & I would expect ALL SCs to have the last 4. That's standard, although I really have no experience with SCs because I was with the other one for 11 years & they weren't the greatest.

    And of course I have no idea how ZC works, that's why I'm asking. :) Just because PCI is a regulation, doesn't mean all sites follow it.

    And just so you know, it's regulated by Visa, not the bank or processor. The processor is the one who makes sure (or they should) that the merchant is PCI compliant, but it's very lax in them investigating.

    Square may "appear" easy, but they aren't a professional merchant account. We've gotten many clients who have come to us stressed because their account got closed down by Square when suddenly Square determined they were high risk after they let them have an account in the first place.

    Thank you so much for your help.

  4. #4
    Re: Customer's Credit Card Number

    Most payment modules in Zen Cart store the last 4 digits as part of the order data.
    You can see those 4 digits by going to Admin->Customers->Orders, and opening the order whose details you want to view. The safe card details are shown in the top left near the date, below the customer's primary address.

    Whether your addon gateway's module is written to store that data or not is another matter.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Re: Customer's Credit Card Number

    Originally posted by dbltoe:
    > At the risk of sounding like someone else on the forum.....
    >
    > As someone in the merchant business, you must know that storage of the credit card number on Zen Cart (or any system that collects the data) would be a direct violation of PCI/DSS regulations.
    >
    > Ceon's manual payment module will get you to the entire number with the middle digits arriving by email -- Not a valid PCI/DSS method though.
    >
    > I find it ironic that the best way to currently get the card type, last four, and expiration is the Square payment module written by that someone else. Of course, using it bypasses those merchant accounts that you would be selling.
    >
    > Ah, the conundrums of life.

    i will post on this thread once and once only....

    the storage of credit card numbers on ZC or any other system that stores credit card data is NOT a violation of PCI-DSS. the storage of these numbers unencrypted, on the other hand, is a violation.

    VISA/MC encourage the use of a third party credit card vault and tokenization provider to store credit card numbers; and the merchant and consumer can then use the token to implement a card on file/recurring payment transaction. those third parties are still subject to PCI-DSS.

    in my experience, it is NEVER the processor who ensures that the merchant is in compliance; it is the merchant bank for the merchant/store owner who ensures compliance. but very few merchants are truly in compliance.

    a client's merchant bank recently told him he was out of compliance because sensitive data went to his server and then to the gateway. the merchant bank said you needed an iframe for the payment data or a payment page hosted by the gateway or some other process. but the sensitive data could NOT touch his server. which in my opinion is wrong. requirement 4 clearly states:

    4. Encrypt transmission of cardholder data across open, public networks

    so if the data travels encrypted, you should be covered.

    the idea that you can not host a page that transmits the data to your server and then passes it to the processor is something new to me. perhaps that is new.... but it seems wrong.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  6. #6
    Re: Customer's Credit Card Number

    @carlwhat - your grasp of the facetious needs a little tweaking. Granted, could have been more specific but, enjoyed sending OP to non-merchant processing.

    To all - I seldom take anything but the source as gospel. https://www.pcisecuritystandards.org...ta_storage.pdf is something everyone should read. Note that there are several more than Visa involved and they frown on storage of data. Interesting to see how Square is getting around the CVV storage.

  7. #7
    Re: Customer's Credit Card Number

    Originally posted by dbltoe:
    > @carlwhat - your grasp of the facetious needs a little tweaking. Granted, could have been more specific but, enjoyed sending OP to non-merchant processing.
    >
    > To all - I seldom take anything but the source as gospel. https://www.pcisecuritystandards.org...ta_storage.pdf is something everyone should read. Note that there are several more than Visa involved and they frown on storage of data. Interesting to see how Square is getting around the CVV storage.

    I know that I should at least look into the Square module usage, though I don't yet have an account with them, hence why I haven't really tried. Also, this is a bit of just discussion.

    One of the PCI related documents I read from that site had the following:
    > PCI DSS Scoping Guidance: The shopping cart software is in scope for PCI DSS compliance, and PA-DSS may also be applicable. The shopping cart/payment application should be developed securely and according to PA-DSS requirements to ensure either that 1) cardholder data is not stored after authorization, or 2) if the merchant has a business need for storing cardholder data after authorization, that it is protected during storage per PCI DSS Requirement 3.4 (for example, via encryption, truncation, or hashing). It is important to remember that storage of sensitive authentication data such as the CAV2, CVC2, CVV2, or CID is not allowed post-authorization, per PCI DSS Requirement 3.2, even if encrypted.

    The last sentence leaves things a little ambiguous... In one respect it identifies that after authorization has occurred, do not attempt to newly store the CVV2 for example. In the other respect it identifies that if it has been stored then it needs to be removed after authorization... The first interpretation comes from reading the associated section 3.2 of the document that describes the accessibility of the various sub-systems, what they are used for and how to add information. It seems to imply that if the data is there and proper channels are the only ones able to access the resource then there is no new data being added (storage) that could lead to an association that would allow getting back that information. All that said: a twisted way I think to keep information that is generally unnecessary. I would typically go for the second interpretation of hey, purchase (even if routine/scheduled) is authorized, dump the no longer needed information.

    But, as said, I don't yet know how the square module works with information such as that...
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
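
Added example, not part of the thread and not Zen Cart code: a sketch of the two rules in the scoping guidance quoted above, reducing a payment to the card type, last four digits and expiration before it is stored, and auditing stored rows for a full card number or a retained CVV. All field names (`card_number`, `cc_last4`, `cvv`, ...) are hypothetical, and the sample record is constructed from a well-known test card number.

```python
import re

# Sensitive authentication data: must not be kept after authorization.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid"}
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def to_storable(payment):
    """Build the order record to persist: truncated PAN, no CVV."""
    pan = re.sub(r"\D", "", payment["card_number"])
    return {
        "order_id": payment["order_id"],
        "cc_type": payment["card_type"],
        "cc_last4": pan[-4:],
        "cc_expires": payment["expires"],
    }

def audit_row(row):
    """Return (field, problem) pairs for data that should not be at rest."""
    findings = []
    for field, value in row.items():
        if field.lower() in SAD_FIELDS and value:
            findings.append((field, "sensitive authentication data stored"))
        for m in PAN_RE.finditer(str(value)):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((field, "full PAN stored, ends " + digits[-4:]))
    return findings

# Constructed sample: what the checkout form submits before authorization.
SAMPLE = {"order_id": 1001, "card_type": "Visa",
          "card_number": "4111 1111 1111 1111", "expires": "1229", "cvv": "123"}

if __name__ == "__main__":
    print(to_storable(SAMPLE))
    print(audit_row(SAMPLE))
```
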

  8. #8
    Re: Customer's Credit Card Number

    "Square CVV storage" is beyond the scope of this discussion, and unrelated to Zen Cart.
    (ie: they do sometimes store complete card details in their fully PCI certified Level 1 datacenter, for the express purpose of being able to do recurring billing, and other interactions. Their ability to store that data is the same as Authorize.net or PayPal or any other gateway provider.
    Zen Cart doesn't store the CVV data for Square or any other built-in gateway's payment modules.)

  9. #9
    Re: Customer's Credit Card Number

    Originally posted by DrByte:
    > Most payment modules in Zen Cart store the last 4 digits as part of the order data.
    > You can see those 4 digits by going to Admin->Customers->Orders, and opening the order whose details you want to view. The safe card details are shown in the top left near the date, below the customer's primary address.
    >
    > Whether your addon gateway's module is written to store that data or not is another matter.

    Unfortunately it's not there. The field is empty.

    That's ok, I figured out a workaround using my gateway.

 

 

Zen-Cart, Internet Selling Services, Klamath Falls, OR