So if I set up VirtueMart and get a merchant account with Authorize.net... and use the AN payment module... does that mean the CC info does not get stored in my database? I'm on a shared server and hoping I can stay there... I don't want the credit card info there, but I'm not sure if VirtueMart does that? Could someone shed some light on that?
Also, with the above setup, should one of the cheap GoDaddy SSL certificates be OK? This security stuff scares me!
Thanks,
Marilyn
When you use Authorize.net, the payment card information resides on Authorize.net as Authorized. You then change the state of the order in VM [say to Shipped] and the payment is captured by Authorize.net [or you can log in to Authorize.net and capture the payment manually].
VM also writes the credit card details to the MySQL database, including the CVV2 (the card security code). Order details and order confirmation emails also expose all the card details. This is against the Payment Card Industry Data Security Standard and compromises the customer's card information.
To overcome this, we immediately overwrite the CVV2 data as soon as the card is authorized and star out all the card number details, with the exception of the last 4 digits, name and expiry date. This protects the customer yet provides a reference if we need to talk with the customer about the transaction later. You should do this anyway, shared server or not, in case your server gets hacked.
To understand the PCI Data Security Requirements go to: https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
An inexpensive SSL certificate is OK.
You are absolutely correct in being wary when handling payment card information. With the correct processes and procedures you can be as good as, if not better than, the big guys.
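The scrub described in the post above (blank the CVV2 and mask the card number down to its last four digits once the gateway has authorized the card), as an added example that is not part of the post and not VirtueMart's own code. The `orders` table, its column names, and the `authorized` status are assumptions for the demo; VirtueMart's real schema is different, so the UPDATE would need to be pointed at the actual order-payment table. The sample order row is constructed, and the card number in it is a well-known test PAN.

```python
import re
import sqlite3

def mask_pan(pan: str) -> str:
    """Star out everything except the last four digits of a card number.

    Separators a customer may have typed (spaces, dashes) are stripped first
    so the mask cannot leak digits through formatting.
    """
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        # Not a plausible PAN; wipe it completely rather than keep it.
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]

# Assumed table layout for this demo; NOT VirtueMart's real schema.
SCHEMA = """
CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    order_status TEXT NOT NULL,
    card_name    TEXT,
    card_number  TEXT,
    card_expiry  TEXT,
    cvv2         TEXT
)
"""

CARD_FIELDS = ("card_name", "card_number", "card_expiry", "cvv2")

def new_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the shop's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def scrub_card_data(conn: sqlite3.Connection, order_id: int) -> int:
    """Run immediately after the gateway reports the card as authorized.

    The CVV2 is overwritten with NULL (it must never be retained after
    authorization); the PAN is replaced by its masked form; the name and
    expiry date stay as the reference the post describes.
    Returns the number of rows updated: 1 on success, 0 if the order is unknown.
    """
    row = conn.execute(
        "SELECT card_number FROM orders WHERE order_id = ?", (order_id,)
    ).fetchone()
    if row is None:
        return 0
    masked = mask_pan(row[0] or "")
    cur = conn.execute(
        "UPDATE orders SET card_number = ?, cvv2 = NULL WHERE order_id = ?",
        (masked, order_id),
    )
    conn.commit()
    return cur.rowcount

def load_card_fields(conn: sqlite3.Connection, order_id: int):
    """Return the stored card fields for an order as a dict (None if absent)."""
    row = conn.execute(
        "SELECT card_name, card_number, card_expiry, cvv2 "
        "FROM orders WHERE order_id = ?",
        (order_id,),
    ).fetchone()
    return None if row is None else dict(zip(CARD_FIELDS, row))

def demo() -> dict:
    """Insert a constructed authorized order, scrub it, and return what is left."""
    conn = new_db()
    conn.execute(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)",
        (1001, "authorized", "Jane Example", "4111 1111 1111 1111", "12/09", "123"),
    )
    scrub_card_data(conn, 1001)
    return load_card_fields(conn, 1001)

if __name__ == "__main__":
    print(demo())
```

Two caveats on this approach: an UPDATE replaces the value in the live table but not in MySQL binary logs or any backup taken before the scrub ran, so those need the same care; and the order confirmation emails the post mentions are generated from a separate template, which has to be changed independently or it will keep sending the full card details regardless of what is stored.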
Hi-
Could you clarify this?
"To overcome this, we immediately overwrite the CVV2 data as soon as the card is authorized and star out all the card number details, with the exception of the last 4 digits, name and expiry date. This protects the customer yet provides a reference if we need to talk with the customer about the transaction later. You should do this anyway, shared server or not, in case your server gets hacked."
Is that something I need a script for? Do you do consulting? I'd love some help nailing down the final steps in my store and making sure all is OK. I don't want credit card numbers on our shared server.
Thanks.
Hi Long Branch,
Could you explain a bit more about how you overwrite the customer data?