[Done v1.3.5] Security Issue for Storing CVV in Session

**mikebrittain** · 14 Sep 2006, 05:03 PM

According to the Payment Card Industry's guidelines, the CVV number should NEVER be stored with the credit card number. I'm seeing a specific issue with the manner in which this information is being stored by Zen Cart that could be problematic for all users. Since there is not a general "Security" category in this forum, I'm posting it here as a bug.

(Refer to the Data Security Standard at https://www.pcisecuritystandards.org...he_pci_dss.htm -- especially section 3.2.2)

In the file includes/classes/navigation_history.php, the $_POST variables are written directly to the session. This presents two main problems:

1) Since the credit card information is posted, it gets stored either on disk or in the database. If the disk/database are being backed up, there is a huge risk of credit card information persisting without the store owners being aware of it. Many shared hosts do automated DB and file backups for users on a nightly or weekly basis. Therefore, even if your session table does not allow card information to persist for more than a few days, this data could easily be found on backup media.

2) The credit card and CVV should never be stored together. When they are both posted, they both get written to the disk/database together. The CVV should not live beyond the HTTP post.

Specifically, the problem lines are 86 and 121.

**Merlinpa1969** · 14 Sep 2006, 05:08 PM

sessions are KILLED as soon as the transaction is complete,

this is handled in the checkout_success.

and there is only 1 step between checkout_payment and checkout_success

**mikebrittain** · 14 Sep 2006, 05:16 PM

The CC and CVV info get stored in session when the user submits the checkout_payment page. There are any number of things that could happen after that which cause the session to persist. The user could decide they don't want to place the order and leave the store. They could continue shopping. In both of these cases, the CC and CVV info persist in session as long as the user never completes their order.

**DrByte** · 14 Sep 2006, 05:23 PM

As of Zen Cart v1.3.5, $_POST contents are not stored as part of the navigation_history class.

Upgrading should resolve the concern.

**stagebrace** · 24 Jun 2007, 06:24 PM

The security number can be stored. Then it must be deleted immediately after you have received you money or if the transaction is denied.

3.2.2 ... see the Glossary comment.

Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/ Card Validation Value/CodeCVV, and proprietary reserved values must be purged; however, account number, expiration date, and name, and service code may be extracted and retained, if needed for business