Jump to content

Need Offline Credit Card Gateway

m0hamedessam

By m0hamedessam
in Extensions

 Share

Recommended Posts

xison Newbie

xison

Posted
Posted

The problem falls with PCI-DSS Compliance rules & regs.

While I know you do not need the CVC (Card Verification Code) for this type of payment, it is still always best not to store card information locally. Even with public/private key encryption, it still is a risk that should be considered.

I know the Blesta team is very cautious when it comes to security, but I still think they may not want to develop it.

m0hamedessam Newbie

m0hamedessam

Posted
  • Author
Posted

The problem falls with PCI-DSS Compliance rules & regs.

While I know you do not need the CVC (Card Verification Code) for this type of payment, it is still always best not to store card information locally. Even with public/private key encryption, it still is a risk that should be considered.

I know the Blesta team is very cautious when it comes to security, but I still think they may not want to develop it.

 

 

The credit card information is split into 2 parts, one is sent to your email while the other is saved in the store. The version that is saved in the store is MCRYPT_RIJNDAEL_256 and base64 using a 40 character randomly generated key that is md5 hashed.

 

Compliance Mode:

- Cardholder name, Card Type, Exp Date are stored in Database

- Card number stored in database like this: xxxx42526325xxxx (and encrypted)

- First and Last 4 (or 3 for Amex) are sent via email to the store owner email like this: 4242xxxxxxxx4563

- CVV is emailed but not stored in the database

- Cardholder name is NOT sent with the email

Cody Newbie

Cody

Posted
Posted

The credit card information is split into 2 parts, one is sent to your email while the other is saved in the store. The version that is saved in the store is MCRYPT_RIJNDAEL_256 and base64 using a 40 character randomly generated key that is md5 hashed.

 

Compliance Mode:

- Cardholder name, Card Type, Exp Date are stored in Database

- Card number stored in database like this: xxxx42526325xxxx (and encrypted)

- First and Last 4 (or 3 for Amex) are sent via email to the store owner email like this: 4242xxxxxxxx4563

- CVV is emailed but not stored in the database

- Cardholder name is NOT sent with the email

 

Mastercard/Visa rules are clear that the CVV may not be stored in any form. Sending the CVV over email is storing as the message is sent to a mail server where it is retained. Moreover, sending any card data over email is extremely insecure, especially in plain-text.

 

All that's needed to process a card in most instances is the number, expiration date, and CVV. If the email contained the CVV, and 8-digits of the card number, it's entirely possible to guess the expiration date and the other 8 digits, as the first four digits tell you the card type and the Luhn alogrithm narrows it down significantly.

 

PCI also states that any portion of the card number stored must be encrypted. This includes the last four digits as well, so again, sending that in plain-text over email is a big no-no.

Cody Newbie

Cody

Posted
Posted

I suppose a payment gateway could be greated that prenteded to process a card, but instead sent an email to a staff member to notify them of a manual payment being required. The staff member would need to log into Blesta to view the card details. The CVV would, obviously, not be available at that point. If CVV is required the only logical solution is to either process payment with customer on the phone, in person, or via an online payment gateway.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...