Results 1 to 6 of 6
  1. #1
    Join Date
    Nov 2009
    Posts
    4
    Plugin Contributions
    0

    help question Credit Card Data

    I'm doing work for a customer who is running ZenCart. I work on the ERP software they use, and I'm pulling customer and order data from ZenCart over to the ERP system.

    The touchy thing is credit card numbers. I see that the first and last 4 digits are stored in the order table. The users are currently getting an email with the middle digits.

    I'm torn; I'm hoping that Zen is secure enough that those middle digits aren't actually stored plaintext in the DB somewhere. But on the other hand, I need them. They want to automate placing the order in the ERP system.

    Does Zen have any way for me to access these numbers? Or, is there a way for me to have them direct that email containing those digits to another email address, which I could then monitor automatically and then programmatically extract those digits?

    Appreciate any suggestions. I hate CC plaintext, but I also hate "more work" for users. Thanks!

  2. #2
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,021
    Plugin Contributions
    3

    Default Re: Credit Card Data

    Zencart will never store a complete CC number in the database.

    I suppose you could finagle something from the DB and the email containing the middle numbers, but it seems to me that a company big enough to hire you can afford a real merchant account. I can't think of a reason they would want to use the insecure Offline Credit Card module (which will be removed from the next Zencart version). Have you had a discussion with them about PCI compliance?

  3. #3
    Join Date
    Nov 2009
    Posts
    4
    Plugin Contributions
    0

    Default Re: Credit Card Data

    If those middle digits are never stored in the DB, then that's good to know -- I'll stop looking!

    If there's a place I should look this up please forgive me, what is the Offline Credit Card module? I'm not sure if it applies here. Currently, to place an order on the Zen website, they must provide a legit CC#. Then, two emails are automatically generated to their customer service people. The first is a you-have-an-order-to-deal-with email that has the information in the zen_orders table, including the 1234XXXXXXXX7890 cc info. The next email contains the middle 8 digits of the credit card. I was assuming this was core Zen function but, well, I know what happens when I "assume".

    The ERP system has a PCI-complaint (I'm told) credit card add-on to the system. Before processing the order, the users are currently hand-typing the credit card data from those two emails into this system and authorizing it before releasing to shipping. Those numbers are encrypted within the ERP's DB, but I'm betting I can feed it an unencrypted string of digits to replace the user hand-typing the unencrypted string of digits and the system will encrypt it before storing. I'm trying to remove the manual-labor step here, so that orders can automatically go to shipping and then the cards can automatically be charged, assuming there are no errors, without the user having to do anything.

    I'm hardly a credit card expert, though. If there is something less-than-good about this process; if there is a better way to automate this while still allowing the end users to input their data to Zen, and without badly compromising security, I'm all ears, and I appreciate the feedback.

    Thanks!

  4. #4
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Credit Card Data

    FAQ on the Offline CC module, to answer your questions: https://www.zen-cart.com/tutorials/index.php?article=67
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Credit Card Data

    Is there a reason why you can't process your CC payments in real time so that the card is validated and payment collected immediately while the customer is still present? That will cut down on the amount of orders that have to be cancelled because a fake/bad credit card was used or billing address wasn't supplied reliably. Doing it later in your ERP system just means you're forcing someone in your accounting dept to have to manually submit the payment request ... which is a waste if the work had been automated while the customer was online.

    Also, does your ERP system have a web-facing access point that could be used to receive new-order transmissions? Or are you only able to pull data into the ERP system by reading the raw database data?
    You could probably write a secure-enough encryption tool (complete with Certificates installed on your server for that purpose, etc) to encrypt the sensitive data before storing it and having your ERP system retrieve it and delete it. (But unless that crypto part is rock-solid, you'll still fail PA-DSS / PCI compliance.) Or, you could POST the data to the ERP's web-facing UI and have it receive the CC and other order details as part of the code that runs while the order is getting saved.

    But ...

    Keep in mind ... for almost all transactions, you'll never need the FULL credit card number again anyway ... Even doing refunds/voids only require partial numbers along with a transaction number. So, if you have a live gateway doing the processing in real time, you won't need any more data than you already have stored in the database.

    ... which takes us back to stevesh's point.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,021
    Plugin Contributions
    3

    Default Re: Credit Card Data

    Quote Originally Posted by jenlion View Post

    Before processing the order, the users are currently hand-typing the credit card data from those two emails into this system and authorizing it before releasing to shipping.
    That's the kind of thing that prevents me from ordering anything online unless I know what real-time payment processor the company uses.

    In my IT travels, I've seen too many regular customers' CC numbers on Post-It notes stuck to monitors - an open invitation to theft.

    Also, while I'm sure this isn't the case with your company, some companies will add online sales and process them in the way you describe without notifying their merchant account provider, a sure way to lose the account if they find out.

 

 

Similar Threads

  1. All Credit Card data lost on a certain order
    By stagebrace in forum Addon Payment Modules
    Replies: 0
    Last Post: 10 Jan 2007, 05:19 AM
  2. credit card info data base
    By ianclimb8 in forum Built-in Shipping and Payment Modules
    Replies: 3
    Last Post: 23 May 2006, 02:55 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg