Results 1 to 10 of 16

Hybrid View

  1. #1
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Default Re: AUthorize.net CIM integration

    Why is it that I have to review my entire business process model to get a single question answered. I'm trying to get a question answered to increase my security and what I get is an uninformed security consultation.

    Let me ask you a question: You advertise zen-cart hosts here on your website. They operate the zen-cart sites for possibly hundreds of stores. Are you telling me that the offline credit-card payment capability is illegal for every single one of those installations? If passing the cc# middle digits by email is a problem, then WHY does the offline cc module do it? Didn't you write it? You say zen-cart isn't designed to store credit-card information but it's designed to do specifically that, that's standard off-the-shelf functionality in your software is it not? (minus the middle digits and cvv)

    My customers are not using ANY functionality outside what YOU provided in the software in the manner that YOU intended.

    The store is in control of the billing. They own the website, they run the store, I simply host it. How is that any different than 1000's of other operations? The only information being passed via email are those things you YOU designed in YOUR software.

    So please, you tell me how using your software as designed is breaking laws....

  2. #2
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Default Re: AUthorize.net CIM integration

    Wanted to follow up on this message: Is there a huge gap in communication here?

    You said "Zen Cart is not designed to store credit card info" But it does. It stores everything but the middle 8 digits of the cc#

    You said "you're telling me that you've been passing customer credit card information via email for hundreds of orders?" No, I'm saying if we do and those middle digits are lost, it would be a big problem.

    I'm quite confused as to how this differers from one of any hundreds of hosted zen-cart installations out there with your preferred hosting providers.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: AUthorize.net CIM integration

    Quote Originally Posted by MotoDelta View Post
    You said "Zen Cart is not designed to store credit card info" But it does. It stores everything but the middle 8 digits of the cc#
    Pardon me. I should have said it differently: Zen Cart is not designed to store complete credit card numbers on the webserver nor forward complete credit card numbers to any outside party other than a connected payment gateway while the customer is engaged in the transaction in real time."

    As for collecting numbers for offline processing by forwarding partial numbers by email, that option has been available in the v1.x series, but is being removed from v2.0 onward due to increased complexities in security rules, not to mention PCI DSS "regulations".

    Quote Originally Posted by MotoDelta View Post
    You said "you're telling me that you've been passing customer credit card information via email for hundreds of orders?" No, I'm saying if we do and those middle digits are lost, it would be a big problem.
    Sorry, I should have been more clear that I was asking a question.

    Quote Originally Posted by MotoDelta View Post
    My customers are not using ANY functionality outside what YOU provided in the software in the manner that YOU intended.
    The intent has always been that the store owner would be processing the payment, not some unknown third party, especially if the customer doesn't know that some other party that the website owner is getting their payment information.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  4. #4
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Default Re: AUthorize.net CIM integration

    My apologies for not being clear.

    Rest assured we have had extensive discussions with our CPA, Attorneys, and the cc processor to ensure we are doing the "right stuff". I understand you are trying to counsel me to best practices. I appreciate that.

    So just to we're 100% clear. I install, host, and configure the software for the client. The client receives the order, ships from their stock, and bills the consumer. Since the physical server is in a seperate location from the client, they've either got to use Authorize.net or the offline cc module.

    Right now they do not want to use Authorize.net because their existing brick and mortar business uses a different solution and they do want to have another. We experienced a problem twice where the middle digit email did not reach them, a total of 3 orders. However once they hit the order volumes they expect we could potentially lose a lot more middle digit emails that would require a lot of embarrassing phone calls to the consumers that purchased.

    So what I'm looking to assist them with is finding a way to ensure they they do not lose their customers credit-card information. I am NOT going to circumvent the system by storing the whole number. I'm not taking that liability. So how do I help them with this? That's the advice I really need.

    Is there an outside solution that I can easily get them the cc information from their store in a more reliable manner? For example, could use us Authorize.net to securely pass the cc information at the point of order execution and still use their existing cc processor?

  5. #5
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: AUthorize.net CIM integration

    Quote Originally Posted by MotoDelta View Post
    I understand you are trying to counsel me to best practices. I appreciate that.
    That's cool ... I'm also mindful that there will be others who come along to read this discussion afterwards too :)
    Quote Originally Posted by MotoDelta View Post
    Since the physical server is in a seperate location from the client, they've either got to use Authorize.net or the offline cc module.

    Right now they do not want to use Authorize.net because their existing brick and mortar business uses a different solution and they do want to have another. ...

    So what I'm looking to assist them with is finding a way to ensure they they do not lose their customers credit-card information. ...

    Is there an outside solution that I can easily get them the cc information from their store in a more reliable manner? For example, could use us Authorize.net to securely pass the cc information at the point of order execution and still use their existing cc processor?
    Well ... who are they using as a merchant account service provider? Does that provider offer an online live gateway service? That would be your best solution.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Default Re: AUthorize.net CIM integration

    I'll have to investigate that. presumably integration would require a custom payment module to be built for that?

  7. #7
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: AUthorize.net CIM integration

    Perhaps ... it all depends who the provider is and whether a module is already available, or at least something close which can be adapted.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: AUthorize.net CIM integration

    Quote Originally Posted by MotoDelta View Post
    Why is it that I have to review my entire business process model to get a single question answered. I'm trying to get a question answered to increase my security and what I get is an uninformed security consultation.
    Well, I suppose if you think my input is uninformed, you're welcome to get feedback from someone else whom you might take more seriously.

    Instead perhaps you should reword that to the tune of "I'm sorry I have misled you regarding what I was really asking about" ... ?
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. Authorize.net CIM
    By silenceway in forum Addon Payment Modules
    Replies: 30
    Last Post: 25 Feb 2013, 08:51 PM
  2. Can Authorize.net CIM and AIM work together?
    By chrismarie in forum Built-in Shipping and Payment Modules
    Replies: 2
    Last Post: 25 Feb 2010, 06:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg