Credit Card processing without Gateway - Looking for Developer
Hi,
I have two clients who still prefer to enter client credit card numbers manually (without CVV code, of course).
Can any developer build something like that and give me a quote?
Thanks!
Were you able to find any help with this? I would like to be able to use my current merchant acct and run cards manually. I have paid for a secure certificate, and would like for a customer to be able to enter the card number at time of order, encrypt it, and then after I process the order delete the information. I know some other cart systems had options to do this, but I'm not sure how to accomplish this with C5 ecommerce.
Hi,
nobody answered so far.
Let me know if you are more lucky.
THX
Whilst you may have a secure certificate, how secure is your server?
To create an analogy, suppose I want to send you some money. So I order an armoured security truck and guards (secure cert). They come to my house and collect the money, but they can't take it directly to you, so they take it to the mall and leave it in a cardboard box in a corner of the car park. A few hours later, you are ready for the money, so you order up another armoured security truck and collect the box of money from the pile of boxes that various people have left for you in the car park.
You and I both think we are safe sending money, because all we see is the armoured security trucks. But the money is actually left for several hours in a corner of the mall car park that is becoming well known as a parking place for money.
So, is your web server a corner of the mall car park? Or is it a bank vault or safe in your own office? Who has access to it, both physical and over the web? Who do you trust to have access to all those credit card numbers? What happens to backup data (which also has the numbers in it)?
Creating a payment add-on that can ask for credit card numbers is fairly straightforward. It's just a form on an https page. As is providing a means for you to read them back later. But if you are storing them on a server at a typical ISP on a shared hosting plan, who are you kidding?
I understand what you are saying in regards to storing the information, and was not sure if it would be possible to have that field encrypted so it wouldn't be available or readable to anyone without the encryption key. I'm not sure if that's actually possible. Since I already accept credit cards in the shop and on the phone, I was just wanting to avoid having to pay for yet another cc processing company to handle the website sales. We also sell on a few well known and trusted music selling sites that allow approved/verified merchant account holders sellers to list either books or records for sale. On these sites the customer makes the order and we then log in to our admin panel on that site, and are able to run the credit card directly in our shop by punching in the numbers on our machine. Since we sell a lot internationally as well as have orders that are often mixed media, we prefer to list a shipping estimate and then adjust the final cost based on the actual shipping charge. Usually it is adjusted down, but on some orders it has to be adjusted up. This is the main reason that processing on our machine is preferred, as authorize.net does not allow adjustment of the price. If you have any suggestions on how we can make our ordering process secure, as well as address the issue we are having with adjusting the final price, I would love to hear them.
Hi JohntheFish,
good point.
I know a shopping cart company that is actually able to store the info securely and handle the order process: Mal's Ecommerce at
https://www.mals-e.com/index.php....
Are you able to write a plugin for that?
Thanks!
The http://www.concrete5.org/marketplace/addons/paypal-cart-buttons/... add-on does pretty much what mals-e.com describes, but using the PayPal cart.
(I have not used it).
This looks like your choice of payment processors is PayPal only, correct?
Mal's allows several payment processors or collect CC data only.
Thx
Either way in order to process a credit card you have to have a gateway to funnel through. There are also procedures and requirements you have to meet when you store credit card data, take it over the phone, etc. If you are not doing this correctly and have the proper key aspects in place, you may be violating Mastercard/Visa, Amex, Discover, etc agreements. This could also become a very costly problem.
I do work for a lot of financial companies, their core processors and even worked for a bank for a decade. I am all too aware of merchant processing and what could go wrong. Running a company of my own I have had to do a lot of things to take credit cards to process them outside of companies like PayPal. We are talking lawyers, agreements, liability insurance and on and on.
With that said, keep in mind, if you key CC info, your rates are higher because your risks of chargebacks and fraud are higher. Another thing is you HAVE to be completely PCI compliant when taking and/or storing CC info on any website. All it takes is a breach of info on a card holder that processed through you (whether you were the cause of the breach or not) for you to start being looked at and if you can't provide the info they need for their investigation, you're looking at major fines that could ruin you as a sole prop or even a corporation.
My advice as a consultant, be sure all your angles are covered. This is not to discourage you but before you pay a developer to write something like this, make sure your liability is as minimal as possible. My other advice, it's sometimes easier to just use a company like PayPal or your client's merchant processor as the gateway and keep all data off your or your clients' servers.
Thanks, Nornik.
Mal's is definitely PCI compliant. That's why I would use it.
Maybe I should start a new thread with a different headline.
Thx
Actually, and I'm just being straightforward here, they themselves are not PCI compliant per se because they do not hold data or process data themselves. They offer a PCI compliance account with McAfee but I believe that is just the certification. Where the data is stored, how it's stored, who processes it and how is what PCI compliance is all about. The Cert means nothing if the proper steps are in place. It's just like the basic SSL Certs, anyone can get one cheap, easy, fast and without a verification process. But if you want the best available you pay more, it takes longer and there is a somewhat heavy verification process.
You may have dealt with PCI compliance before but if you have not, there is a lot more to it than what some companies tell you on the Internet.
Just be sure to look into that thoroughly. I glanced a bit but didn't see much information available without having to sign up first. That's usually a red flag to me. Not knocking them at all, just always leery.
Best of luck.
I'll take a closer look.
BTW they do store data.
Thx
Ahh so they do, sorry, oversight on my part. In that case, look into what logs about your transactions they are willing to share in the event of a breach investigation, how they handle breach investigations and such. Also, since they retain the data, make sure they are responsible and you and your clients are not held responsible (should be in terms and agreements).
Will do, thanks.
Do you know any other PCI/bullet proof alternative?
Thx
Is there a solution posted here? I would like to have the cc form email direct, possibly stored securely
No solution. By the way, emailing credit card credentials is a no-no.
Storing the cvv code also.
On 12/23/2012 12:21 AM, concrete5 Community wrote: