X-Cart forums

[ecommerce]

money,

are we setting ourselves for problems by storing the cc in the database?

also, i hear cc companies like visa and master card have policies so that ecommerce merchants dont store cc on the database.

whats ur info /opinion on that?

[hues]

Quote:

Not sure I understand your question? Are you asking if you can mask the CC # within the database?? (e.g. Not store the entire CC # ? )

Yes I dont want complete CC # to be stored in the database.

When an order is processed, though the CC info is not sent to the customer, it appears on the order detail section in the admin.

Any one, including the fulfillment staff who will be handling the order management will have access to the cc information of the customers, which is not right. I need to mask the cc# for increasing security at my site.

If I change the

Code:

$store_cc = true;

to

Code:

$store_cc = false;

then this mod does not work, because obviously it has to pick up the cc# from the database.

I want to be able to store the cc # just like it appears on the invoice, with the type of the card and the last 4 digits visible and rest of the digits masked.

[moneysaver67]

Quote:

Originally Posted by ecommerce

money,

are we setting ourselves for problems by storing the cc in the database?

also, i hear cc companies like visa and master card have policies so that ecommerce merchants dont store cc on the database.

whats ur info /opinion on that?

I actually used to work for a major CC company headquarters as their marketing business technology liaison/developer, so there definitely are some strict rules implied by the FDIC.

It is my understanding that you cannot store CVV2 code, and that if you do store CC #, Exp date, etc that it is to be secure and encrypted. I am not informed of the policies mentioned above, though I do not doubt their existence.

The biggest set up for problems is not taking the proper precautions to secure the data, whether it's a phone #, address or the entire U.S. databank of Social Security numbers.

For x-cart, your options are limited, but the fact remains you have Options, like:

• Password protect your /admin directory using .htaccess user authentication

• Delete the 'master' account, creating a new/unique administrator profile preventing/limiting potential hack attempts.

• Use a complex password containg alphanumeric characters and symbols, with varying case: nP3{cx!/Y5

• For older x-cart versions (< 4.1) you can modify the default sALT key, etc used in the encoding process of the x-cart system.

• etc

[moneysaver67]

Quote:

Originally Posted by hues

I want to be able to store the cc # just like it appears on the invoice, with the type of the card and the last 4 digits visible and rest of the digits masked.

If there's a will, there's a way

A quick review of the checkout process and order tables update should provide a means for masking the CC # going in, rather than just coming out. If you masked correctly, this mod would most likely still work, as it pulls based on the Label defined in the details section, and would simply "re-mask"

[btomasie]

Thanks so much for this!!! Nothing like a quick 10-sec. copy-and-paste to solve a huge thing that most customers want to see on their invoices!!!

Many thanks,
Brian

[virtual@croatia]

Thanks for saving my time. Here is the code for 4.1.17 version, which is much shorter and simpler:

Code:

{assign var="paren" value=$order.payment_method|strpos:' ('}
{assign var="paymentMethod" value=$order.payment_method|substr:0:$paren}
{if $order.payment_method eq 'Credit Card'}
    {php}
    global $order;
    #
    # Custom function by moneysaver67
    # Parse out the info after a given label
    #
    if( !function_exists( 'parseAfterLabel' ) )
    {
        function parseAfterLabel( $label, $details )
        {
            // Force to one line
            $details = preg_replace( '/\n/',' ', $details );

            if( !stristr( $details, $label ) )
            {    
                $return = '';
            }
            else
            {            
                $pattern = '/^.*'.$label.'\s{0,}(.*)\s{0,}.*$/';
                $chunk = preg_replace( $pattern, '${1}', $details );

                // return everything prior to first space (auth code)
                $return = substr( $chunk, 0, strpos( $chunk, ' ' ) );        
            }
            return $return;
        }            
    }    
    
    // Do you store CC info in the details column?
    if( $GLOBALS[store_cc] )
    {
        $cc_type = parseAfterLabel( '{CardType}:', $order["details"]);
        $cc_num = parseAfterLabel( '{CardNumber}:', $order["details"]);
        $cc_mask = str_repeat( 'x', strlen( $cc_num ) );
        $cc_mask = substr( $cc_mask, 0, strlen( $cc_mask ) -4 ) . substr( $cc_num, -4, 4 );
        if (!empty($cc_type) || !empty($cc_mask))
            echo (': ' .$cc_type. ' ' . $cc_mask);
    }
    {/php}
{/if}