Author Topic: Remove CVV2 from Customer E-Mail Receipt?  (Read 5904 times)
FavoriteU
Full Member
***
Posts: 119


« on: April 28, 2008, 23:54:20 PM »

Storing CVV2 numbers is not compliant with PCI standards and likely a breach of all merchant accounts.  Even with "Store Credit Card Information" marked NO in the Configuration -> Security, the CVV2 code is still sent in the receipt e-mail to the customer.  It shouldn't be.  It should only be sent to the merchant services provider during actual card processing.

How can I remove the CVV2 code from the order e-mail receipt that is sent to the customer?

Thanks.

« Last Edit: May 01, 2008, 14:15:14 PM by FavoriteU » Logged
FavoriteU
Full Member
***
Posts: 119


« Reply #1 on: May 09, 2008, 14:36:34 PM »

Quite a few people have read this thread but no one has responded.  Is this a bug?  Can it be disabled?  The only solution I have found thus far is to remove all billing information from the confirmation e-mail sent to the customer.  This is not preferred, but will have to do for now as storing or sending the CVV2 code is a violation of everyone's credit card agreement.

The e-mail template calls a script, the script doesn't seem to separate the fields, so I can't remove the CVV2 without messing up something else.  Could someone help with this?  That data is not supposed to be stored and should not be sent to the customer (or anyone else other than to your credit card processing gateway).

Logged
willowtree
Hero Member
*****
Posts: 546


« Reply #2 on: May 10, 2008, 07:29:07 AM »

If you're using a gateway there should be no need to store any CC data?

Which payment method are you using?
Logged

Please add your VM and Joomla Version to your signature to make it easier to help you:

Most of my code posted in the forum is for VirtueMart 1.0  -  not for 1.1
FavoriteU
Full Member
***
Posts: 119


« Reply #3 on: May 10, 2008, 07:33:13 AM »

I am using a gateway and I've told VirtueMart NOT to store CC data.  This is exactly my point.  It's not coming to me in the backend, but the customer's confirmation e-mail shows it.

Logged
willowtree
Hero Member
*****
Posts: 546


« Reply #4 on: May 10, 2008, 08:39:32 AM »

In the VM admin, which payment method are you using?
Logged

FavoriteU
Full Member
***
Posts: 119


« Reply #5 on: May 10, 2008, 09:44:26 AM »

Credit Card (AN - ps_authorize)

Logged
willowtree
Hero Member
*****
Posts: 546


« Reply #6 on: May 10, 2008, 10:44:39 AM »

In that case I'm moving this post into the quality and testing for 1.1 forum as it seems to be an issue with 1.1 that should be resolved.
Logged

FavoriteU
Full Member
***
Posts: 119


« Reply #7 on: May 10, 2008, 11:16:08 AM »

Thanks for your help.  Again I don't see it anywhere but the confirmation e-mail.  So I ended up removing ALL billing info from the confirmation e-mail until I get it resolved.  Better to send nothing at all than to send too much in this case.
Logged
FavoriteU
Full Member
***
Posts: 119


« Reply #8 on: May 28, 2008, 15:51:15 PM »

There hasn't been any update to this since Willowtree moved this post to the "Quality & Testing" forum.  Are there plans to adjust this, or at least tell us how to do it ourselves?  It is my belief this should be considered a bug as it is a security issue.  Please provide some kind of update.

Thanks.
Logged
Peter
Newbie
*
Posts: 15


« Reply #9 on: July 06, 2008, 16:19:16 PM »

This is a serious security issue for clients. A payment module called Offline Credit Card (OCC) by deneb (http://forum.virtuemart.net/index.php?topic=14955.0) worked really well in VirtueMart ver 1.0.1 but it does not work correctly in ver 1.1.
Logged
katandmouse
Newbie
*
Posts: 40


« Reply #10 on: September 23, 2008, 14:10:40 PM »

Yes this is very serious! We just had a customer tell us this was illegal. Virtuemart developers can you please come up with a quick solution, or please tell us what file this is in so we can remove it ourselves. Thanks.
Logged
skyline
Newbie
*
Posts: 22


« Reply #11 on: October 09, 2008, 18:37:49 PM »

This is not up to PCI Compliance, that's for sure.

Sorry I don't have 1.1 but I did post a "how to" about not storing this info for 1.0.15.

Probably very similar to 1.1

http://forum.virtuemart.net/index.php?topic=46725.0

HTH
Logged
losmarinos3
Newbie
*
Posts: 19


« Reply #12 on: March 04, 2011, 17:47:24 PM »

Has there been an answer to this problem? It is such an important issue, and I cannot find the answer on this forum.
I just had a customer threatening to sue me. Then I would have to counter-sue VirtueMart.
Logged
zanardi
Development Team
Hero Member
*
Posts: 812


« Reply #13 on: March 05, 2011, 04:01:38 AM »

@losmarinos3:
I don't know what alien world you come from, proposing to sue an open source and free (as in beer) project for a missing feature, instead of just paying a developer for 15 minutes of work to fix this.

That said, the fix to avoid CVV being sent via e-mail is this.

In ps_checkout.php, lines 1907-1909 (on VM 1.1.7) are these:

Code:
if( !empty($_SESSION['ccdata']['credit_card_code'])) {
    $payment_info_details .= 'CVV code: '.$_SESSION['ccdata']['credit_card_code'].'<br />';
}

Just comment out or delete these lines.

Please note that in different versions of Virtuemart line numbers can change.

Logged
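
Since the line numbers differ between VirtueMart versions, the lines can be located by what they do instead of where they sit. The Python check below is an added example, not part of the post above or of VirtueMart's code: it flags any line that writes `$_SESSION['ccdata']['credit_card_code']` into output and ignores presence tests and commented-out lines. The function name and both PHP excerpts are constructed for illustration.

```python
import re

# A read of the CVV value held in the checkout session (key names from the post).
CVV_READ = re.compile(r"""\$_SESSION\[['"]ccdata['"]\]\[['"]credit_card_code['"]\]""")
# empty()/isset() only test for presence; they do not copy the value anywhere.
PRESENCE_TEST = re.compile(r"\b(?:empty|isset)\s*\(\s*" + CVV_READ.pattern + r"\s*\)")
# Statement forms that place a value into rendered text (mail body, page).
OUTPUT_SINK = re.compile(r"\.=|\b(?:echo|print|printf|sprintf)\b")

def find_cvv_output(php_source):
    """Return (line_number, line) for each active line that renders the CVV."""
    findings, in_block = [], False
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        line = raw.strip()
        if in_block:                      # inside a /* ... */ comment
            in_block = "*/" not in line
            continue
        if line.startswith("/*"):
            in_block = "*/" not in line
            continue
        if line.startswith(("//", "#")):  # commented out, as the fix suggests
            continue
        remainder = PRESENCE_TEST.sub("", line)
        if CVV_READ.search(remainder) and OUTPUT_SINK.search(remainder):
            findings.append((lineno, line))
    return findings

# Constructed excerpt: the three lines quoted in the post, plus filler.
SAMPLE_BEFORE = """<?php
// build the payment block of the order e-mail
$payment_info_details = 'Payment method: Credit Card<br />';
if( !empty($_SESSION['ccdata']['credit_card_code'])) {
$payment_info_details .= 'CVV code: '.$_SESSION['ccdata']['credit_card_code'].'<br />';
}
"""

# The same excerpt after the lines have been commented out.
SAMPLE_AFTER = """<?php
$payment_info_details = 'Payment method: Credit Card<br />';
// if( !empty($_SESSION['ccdata']['credit_card_code'])) {
// $payment_info_details .= 'CVV code: '.$_SESSION['ccdata']['credit_card_code'].'<br />';
// }
"""

if __name__ == "__main__":
    for lineno, line in find_cvv_output(SAMPLE_BEFORE):
        print(f"line {lineno}: {line}")
```

Run over a real install by passing each PHP file's text to `find_cvv_output`; an empty result after patching confirms no active line still renders the value.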

losmarinos3
Newbie
*
Posts: 19


« Reply #14 on: March 05, 2011, 08:08:05 AM »

Thank you Francesco,
I was a bit worried after a customer threatened to sue me. Sorry for going overboard about it.
Re these lines you are suggesting to delete: why would the standard product not come defaulted to that state, i.e. CVV and expiry date removed from system outgoing customer e-mails?

Logged