
Could someone clarify something for me regarding Credit Card info?

Started by mstookey, October 16, 2006, 17:47:08 PM


mstookey

So if I set up VirtueMart and get a merchant account with Authorize.net and use the AN payment module, does that mean the CC info does not get stored in my database? I'm on a shared server and hoping I can stay there. I don't want the credit card info there, but I'm not sure if VirtueMart does that. Could someone shed some light on that?

Also, with the above setup, should one of the cheap GoDaddy SSL certificates be OK? This security stuff scares me!

thanks,
marilyn

LongBranchAssociates

When you use Authorize.net, the payment card information resides with Authorize.net as Authorized; you then change the state for the order in VM [say to shipped] and the payment is captured by Authorize [or you can log in to Authorize and capture the payment manually].

VM also writes the credit card details to the MySQL database, including CVV2 or the Code. Order details and order confirmation emails also expose all the card details. This is against the Payment Card Industry Data Security Standard and compromises the customer's card information.

To overcome this we immediately overwrite the CVV2 data as soon as the card is authorized and star out all the card number details with the exception of the last 4 digits, name and expiry date. This protects the customer yet provides a reference if we need to talk with the customer about the transaction later. You should do this anyway, shared server or not, in case your server gets hacked.

To understand the PCI Data Security Requirements go to: https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
An inexpensive SSL is OK.

You are absolutely correct in being wary when handling payment card information. With the correct processes and procedures you can be as good as, if not better than, the big guys.
lba-tech.com::VirtueMart eCommerce Online Stores for Small and Medium size businesses
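The scrubbing step described in the reply above (overwrite CVV2 once the card is authorized, star out the card number except the last four digits, keep name and expiry as a reference) can be illustrated with a small script. This is an added example, not code from the forum poster or from VirtueMart; the table name `order_payment` and its columns are constructed stand-ins for whatever table the shop actually writes card data to, and the card number is a constructed test value. It also adds a check that a shop owner on a shared server would want: a scan for any order rows still holding a full card number or a CVV2.

```python
import re
import sqlite3

# Hypothetical schema standing in for the shop's order-payment table.
# Table and column names are assumptions for this example, not the real schema.
SCHEMA = """
CREATE TABLE order_payment (
    order_id    INTEGER PRIMARY KEY,
    card_holder TEXT,
    card_number TEXT,
    card_expiry TEXT,
    cvv2        TEXT
)
"""


def mask_pan(pan: str) -> str:
    """Return the card number with every digit except the last four replaced by '*'.
    Spaces and dashes are dropped first so '4111 1111 ...' and '4111-1111-...' mask alike."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_order_payment(conn: sqlite3.Connection, order_id: int) -> str:
    """Call this right after the gateway reports a successful authorization.
    Overwrites CVV2 with NULL and replaces the stored PAN with its masked form;
    card holder, expiry and the last four digits stay as a customer-service reference."""
    row = conn.execute(
        "SELECT card_number FROM order_payment WHERE order_id = ?", (order_id,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no payment record for order {order_id}")
    masked = mask_pan(row[0])
    conn.execute(
        "UPDATE order_payment SET card_number = ?, cvv2 = NULL WHERE order_id = ?",
        (masked, order_id),
    )
    conn.commit()
    return masked


def find_unscrubbed(conn: sqlite3.Connection) -> list:
    """Audit check: list order ids whose stored record still contains a full card
    number (more than four digits) or any CVV2 value. Should return [] on a clean DB."""
    offenders = []
    for order_id, number, cvv in conn.execute(
        "SELECT order_id, card_number, card_expiry IS NOT NULL AND cvv2 IS NOT NULL "
        "OR cvv2 IS NOT NULL FROM order_payment"
    ):
        digit_count = len(re.sub(r"\D", "", number or ""))
        if digit_count > 4 or cvv:
            offenders.append(order_id)
    return offenders


def stored_card_fields(conn: sqlite3.Connection, order_id: int) -> tuple:
    """Return (card_holder, card_number, card_expiry, cvv2) as currently stored."""
    return conn.execute(
        "SELECT card_holder, card_number, card_expiry, cvv2 "
        "FROM order_payment WHERE order_id = ?",
        (order_id,),
    ).fetchone()


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with one constructed order; 4111... is a widely used test PAN."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO order_payment VALUES (1, 'Jane Doe', '4111 1111 1111 1111', '12/09', '123')"
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", stored_card_fields(db, 1), "unscrubbed:", find_unscrubbed(db))
    scrub_order_payment(db, 1)
    print("after: ", stored_card_fields(db, 1), "unscrubbed:", find_unscrubbed(db))
```

Running the script shows the record go from the full number plus CVV2 to `************1111` with CVV2 NULL, and the audit list go from `[1]` to `[]`. The database is only one of the places the reply names; the order confirmation email template has to apply the same masking or the full card details still leave the server in clear text.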

mstookey

Hi-
Could you clarify this?
"To overcome this we immediately overwrite the CVV2 data as soon as the card is authorized and star out all the card number details with the exception of the last 4 digits, name and expiry date. This protects the customer yet provides a reference if we need to talk with the customer about the transaction later. You should do this anyway, shared server or not, in case your server gets hacked."

Is that something I need a script for? Do you do consulting? I'd love some help nailing down the final steps in my store and making sure all is OK. I don't want credit card numbers on our shared server.

thanks.

ekal

Hi Long Branch

Could you explain a bit more about how you overwrite the customer data?