Last Four of Credit Card in Invoice Emails

geckoday · #11 08-05-2009, 05:25 AM

Quote:

Originally Posted by rshandel

Is it PCI compliant if we only store the last 4 digits of the credit card number?

Yes, if you truncate the card number to the last 4 digits it is no longer considered a card number and you can store it. print it, etc. without worrying about PCI requirements.

rshandel · #12 08-05-2009, 05:46 AM

ok, thanks Ralph. Can you tell me which php file I can modify the cc number is before its being written to the db?

geckoday · #13 08-05-2009, 06:02 AM

Near the top of payment/payment_ccend.php is the code that stores the cc number.

geckoday · #14 08-05-2009, 06:24 AM

Quote:

Originally Posted by geckoday

Near the top of payment/payment_ccend.php is the code that stores the cc number.

Sorry, that is where it is stored in the customer table. payment/payment_cc.php stores it in the order. Search for store_cc to find the spot in the code that stores it.

rshandel · #15 08-06-2009, 06:53 AM

Thanks again, Ralph. I had modified that file already but didn't seem to write the "new card number":

$blank_card_number="1234";
if ($store_cc) {
$query_data = array(
"card_name" => $card_name,
"card_type" => $card_type,
#rs - blank out credit number in database
"card_number" => addslashes(text_crypt($blank_card_number)),
#"card_number" => addslashes(text_crypt($card_number)),
#/rs

Will this only rewrite using a gateway, i.e. authorize.net or will it also write the card number here when using credit credit manual payment method?

Also you mentioned payment/payment_ccend.php stores the cc number in the customer table as well; in order to be fully compliant, should I modify the cc code in this file as well? - I had also modified this file (same code as above) as well to no avail.... but haven't tried to process an order within our authorize.net gateway.

rshandel · #16 08-06-2009, 09:15 AM

I double-checked using our authorize.net payment gateway and its still writing the complete credit card number. Could X-Cart possibly be writing the cc number to mysql somewhere else??

geckoday · #17 08-06-2009, 10:34 AM

Yeah, I forgot about the goofy way the credit card number storage is done in 4.1. The spot you modified in payment_cc.php is for storing the cc number into the customer table for manual credit card processing. There is similar code in payment_ccend.php for storing the cc number into the customer table for gateway transactions. You should modify both.

The saving of the cc info into the orders table is the goofy part. This code in payment_cc.php is what does that:

PHP Code:


		
			
$_order_details_rval = array();
foreach (func_order_details_fields() as $_details_field => $_field_label) {
    if (isset($GLOBALS[$_details_field])) {
        $_order_details_rval[] = $_field_label.": ".stripslashes($GLOBALS[$_details_field]);
    }
}

It builds the order_details column for the orders table using the fields defined in func_order_details_fields. It would probably be best to modify $card_number to what you want stored in the orders table before this code and restore it afterwards to avoid problems elsewhere.

rshandel · #18 08-06-2009, 03:00 PM

Quote:

It would probably be best to modify $card_number to what you want stored in the orders table before this code and restore it afterwards to avoid problems elsewhere.

Thanks Ralph. Working in CC Manual mode right now. I now see that I can modify and write the last 4 digits to the customers table, but I'm having troubles with the code to modify card_number in the orders table.

This is what I have ...

Code:

#
# Make order details
#
$_order_details_rval = array();
foreach (func_order_details_fields() as $_details_field => $_field_label) {
    if (isset($GLOBALS[$_details_field])) {
        if ($_field_label eq "Card number") {
            $store_card_number=$card_number;
            $card_number = substr($card_number,-4);
            $_details_field = $card_number;
        }
        $_order_details_rval[] = $_field_label.": ".stripslashes($GLOBALS[$_details_field]);
    }
}
$card_number = $store_card_number;

thanks.

geckoday · #19 08-06-2009, 05:51 PM

Your if is testing the wrong variable/value. But just make life easier and move the code above the foreach loop and get rid of the if.

rshandel · #20 08-07-2009, 07:38 AM

Thanks Ralph! That was it. I tested for both manual and gateway processing and it works fine.

Thanks again for your help!