Author Topic: Remove CVV2 from Customer E-Mail Receipt?  (Read 19703 times)

FavoriteU

  • Jr. Member
  • **
  • Posts: 119
Remove CVV2 from Customer E-Mail Receipt?
« on: April 29, 2008, 06:54:20 am »
Storing CVV2 numbers is not compliant with PCI standards and likely a breech of all merchant accounts.  Even with "Store Credit Card Information" marked NO in the Configuration -> Security, the CVV2 code is still sent in the receipt e-mail to the customer.  It shouldn't be.  It should only be sent to the merchant services provider during actual card processing.

How can I remove the CVV2 code from the order e-mail receipt that is sent to the customer?

Thanks.


FavoriteU

  • Jr. Member
  • **
  • Posts: 119
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #1 on: May 09, 2008, 21:36:34 pm »
Quite a few people have read this thread but no one has responded.  Is this a bug?  Can it be disabled?  The only solution I have found thus far is to remove all billing information from the confirmation e-mail sent to the customer.  This is not preferred, but will have to do for now as storing or sending the CVV2 code is a violation of everyone's credit card agreement.

The e-mail template calls a script, the script doesn't seem to separate the fields, so I can't remove the CVV2 without messing up something else.  Could someone help with this?  That data is not supposed to be stored and should not be sent to the customer (or anyone else other than to your credit card processing gateway).


willowtree

  • Full Member
  • ***
  • Posts: 542
    • Willow Tree Crafts
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #2 on: May 10, 2008, 14:29:07 pm »
if you're using a gateway there should be no need to store any cc data?

which payment method are you using?
Please add your VM and Joomla Version to your signature to make it easier to help you:

Most of my code posted in the forum is for VirtueMart 1.0  -  not for 1.1

FavoriteU

  • Jr. Member
  • **
  • Posts: 119
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #3 on: May 10, 2008, 14:33:13 pm »
I am using a gateway and I've told VirtueMart NOT to store CC data.  This is exactly my point.  It's not coming to me in the backend, but the customer's confirmation e-mail shows it.


willowtree

  • Full Member
  • ***
  • Posts: 542
    • Willow Tree Crafts
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #4 on: May 10, 2008, 15:39:32 pm »
in the vm admin, which payment method are you using?
Please add your VM and Joomla Version to your signature to make it easier to help you:

Most of my code posted in the forum is for VirtueMart 1.0  -  not for 1.1

FavoriteU

  • Jr. Member
  • **
  • Posts: 119
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #5 on: May 10, 2008, 16:44:26 pm »
Credit Card (AN - ps_authorize)


willowtree

  • Full Member
  • ***
  • Posts: 542
    • Willow Tree Crafts
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #6 on: May 10, 2008, 17:44:39 pm »
In that case i'm moving this post into the quality and testing for 1.1 forum as it seems to be an issue with 1.1 that should be resolved.
Please add your VM and Joomla Version to your signature to make it easier to help you:

Most of my code posted in the forum is for VirtueMart 1.0  -  not for 1.1

FavoriteU

  • Jr. Member
  • **
  • Posts: 119
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #7 on: May 10, 2008, 18:16:08 pm »
Thanks for your help.  Again I don't see it anywhere but the confirmation e-mail.  So I ended up removing ALL billing info from the confirmation e-mail until I get it resolved.  Better to send nothing at all than to send too much in this case.

FavoriteU

  • Jr. Member
  • **
  • Posts: 119
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #8 on: May 28, 2008, 22:51:15 pm »
There hasn't been any update to this since Willowtree moved this post to the "Quality & Testing" forum.  Are there plans to adjust this, or at least tell us how to do it ourselves?  It is my believe this should be considered a bug as it is a security issue.  Please provide some kind of update.

Thanks.

Peter

  • Beginner
  • *
  • Posts: 15
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #9 on: July 06, 2008, 23:19:16 pm »
This is a serious security issue for clients. A payment module called Offline Credit Card(OCC) by deneb (http://forum.virtuemart.net/index.php?topic=14955.0)worked really good in virtuemart ver 1.0.1 but it does not work correctly in ver 1.1

katandmouse

  • Beginner
  • *
  • Posts: 40
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #10 on: September 23, 2008, 21:10:40 pm »
Yes this is very serious! We just had a customer tell us this was illegal. Virtuemart developers can you please come up with a quick solution, or please tell us what file this is in so we can remove it ourselves. Thanks.

skyline

  • Beginner
  • *
  • Posts: 22
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #11 on: October 10, 2008, 01:37:49 am »
This is not up to PCI Compliance that's for sure.

Sorry I don't have 1.1 but I did post a "how to" about not storing this info for 1.0.15.

Probably very similar to 1.1

http://forum.virtuemart.net/index.php?topic=46725.0

HTH

losmarinos3

  • Beginner
  • *
  • Posts: 19
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #12 on: March 05, 2011, 00:47:24 am »
Has there been an answer to this problem. It is such an important issue, and I can not find the answer on this Forum
I just had a customer threatening to Sue me. The I would have to counter Sue Virtuemart

zanardi

  • Contributing Developer
  • Full Member
  • *
  • Posts: 878
    • GiBiLogic
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #13 on: March 05, 2011, 11:01:38 am »
@losmarinos3:
I don't know from what alien world do you come from, proposing to sue an open source and free (as in beer) project for a missing feature, instead of just paying a developer 15 minutes of work to fix this.

That said, the fix to avoid CVV being sent via e-mail is this.

In ps_checkout.php, line 1907-1909 (on VM 1.1.7) are these:

Code: [Select]
if( !empty($_SESSION['ccdata']['credit_card_code'])) {
$payment_info_details .= 'CVV code: '.$_SESSION['ccdata']['credit_card_code'].'<br />';
}

Just comment or delete these lines.

Please note that in different versions of Virtuemart line numbers can change.

--
Francesco (zanardi)
http://extensions.gibilogic.com
@gibilogic on Twitter

losmarinos3

  • Beginner
  • *
  • Posts: 19
Re: Remove CVV2 from Customer E-Mail Receipt?
« Reply #14 on: March 05, 2011, 15:08:05 pm »
Thank you Francesco,
I was a bit worried after a Customer threaten to Sue me, Sorry for going overboard about it.
Re these lines you are suggesting to delete, Why would the standard Product not come as defaulted to that state.? ie CVV" and expiry date removed from System out going Customer emails