The credit card settings fieldset on the payment methods tab is quite extensive and may be a little confusing at first. Use this document to wade your way through the settings to arrive at the proper setup for your needs.
Credit card fields
Use these checkboxes to specify what type of information you need to collect during checkout. Consult your payment processor or gateway documentation to see if any of these fields are required for you to process cards.
Accepted card types
As the help text suggests, you should use the checkboxes to specify which icons get shown on the "Credit card" radio select in the payment method selection options at checkout. These selections will also be used for credit card number validation if it is enabled. The text area is used to add options to the card type select box that may be enabled. This is left for you to manually configure in case your store wants to represent card names differently or add card types not included in the checkboxes.
Customer messages
These fields are self-explanatory and come with default messages that may serve you just fine. Change them to include links or other information if you wish, but remember it's good to either keep your customers in the checkout process or on the phone with you!
Checkout workflow
These options are for automated validation and processing of credit cards during checkout. If you choose to validate numbers, when a customer tries to review an order with an invalid number, they will not be allowed to proceed and will see an error message indicating their card number is incorrect. If you're curious how we do that, check out this article. The second checkbox lets you attempt to process cards during checkout when a customer clicks the submit order button from the review page. If the charge or authorization fails, an error message will be displayed and checkout won't complete. Otherwise the card will be processed and payment entered if necessary. It is helpful to use this setting in conjunction with the option below to not store card data after checkout for maximum security.
Security is extremely important for websites handling customer credit card data. You should be as careful as possible in the way you protect the data to prevent credit card fraud. Please be sure you are selecting the right options, as some choices may decrease the security of credit card data on your website and should be avoided if at all possible.
First of all, if you do not need to store credit card data past checkout, check the first checkbox. This may not be possible for companies that process cards manually and need to be able to review orders after checkout before running cards. Not storing card data at all is the best way to keep it from falling into the wrong hands!
Next, to configure the encryption settings for card data that is stored in the database, use the filepath textfield. Here you need to specify a folder that is outside of your document root (i.e. not in your www or public_html directory) where the module can create a key file to encrypt the information. You will need to grant permissions on the folder that allow Drupal to write to it. Relative paths will be resolved relative to the Drupal installation directory. This directory should not be the same as your site's files directory for security reasons. Further, once you have set this setting, you should leave it set for the life of your store. If this is changed, the module will no longer be able to decrypt old credit card data! Once you set this and the key file is created, you can open it up and change the random key to a custom key before receiving any credit cards if you prefer. Setting up encryption is highly recommended for sites that will be storing credit card information for any length of time. This includes those who have decided not to store credit card details after checkout, as some information may be retained in the database for orders in the checkout process. Don't leave that data unprotected!
Note: Encryption settings are ideally set before receiving any orders. If you do it after the fact, be sure to click the link on the warning message that shows up to encrypt your existing credit card data. Once you do this, you won't be able to do it again. If you accidentally browse away from the page before encrypting existing data, just browse to /admin/store/payment/cc_encrypt to see the form again.
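The folder requirements described above (outside the document root, not the files directory, writable by Drupal) can be checked from a shell before you enter the path. This is an added example, not code from the module: `check_key_dir` and `resolve_dir` are hypothetical helper names, the Drupal installation directory is assumed to be the document root, and the check for access by other local users is an extra precaution that the settings page itself does not require.

```shell
#!/usr/bin/env bash
# Added example: check_key_dir and resolve_dir are hypothetical helpers,
# not part of the module. Assumes the Drupal installation directory is
# the document root and that this runs as the web server user.

# Print the canonical path of directory $2; a relative path is resolved
# against base directory $1. Fails if the directory does not exist.
resolve_dir() {
  local base=$1 dir=$2
  case $dir in
    /*) ;;
    *) dir="$base/$dir" ;;
  esac
  (cd -- "$dir" 2>/dev/null && pwd -P)
}

# Usage: check_key_dir DRUPAL_ROOT KEY_DIR FILES_DIR
# Prints one line per problem and returns the number of problems (0 = OK).
check_key_dir() {
  local root key files mode problems=0
  root=$(resolve_dir "$PWD" "$1") || { echo "Drupal root not found: $1"; return 1; }
  key=$(resolve_dir "$root" "$2") || { echo "key directory not found: $2"; return 1; }
  files=$(resolve_dir "$root" "$3") || files=""

  # The key must not be reachable through the web server.
  case "$key/" in
    "$root"/*) echo "key directory is inside the document root"
               problems=$((problems + 1)) ;;
  esac
  # Keep it separate from the site's files directory.
  if [ -n "$files" ] && [ "$key" = "$files" ]; then
    echo "key directory is the site's files directory"
    problems=$((problems + 1))
  fi
  # The module has to be able to create the key file here.
  if [ ! -w "$key" ]; then
    echo "key directory is not writable by $(id -un)"
    problems=$((problems + 1))
  fi
  # Other local accounts should have no access to the key.
  mode=$(ls -ld "$key")
  if [ "${mode:7:3}" != "---" ]; then
    echo "key directory is accessible to other users (${mode:0:10})"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Run the check when called with the three paths as arguments.
if [ "$#" -eq 3 ]; then check_key_dir "$@"; fi
```

Run it as the account the web server uses, passing the Drupal directory, the candidate key folder and the site's files directory; an exit status of 0 means none of the checks failed.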
Finally, you can also adjust the credit card masking settings. This simply allows you to restrict who sees full card numbers. Ideally, masking would be left on for all users of the site, but it is possible in the access control settings for you to designate roles that can view whole CC numbers.
Stored data clearing
These fields allow you to wipe credit card data out of the database when orders reach a certain age. Use this to protect your customers from fraud by wiping all their data clean once the order is complete. For maximum security, you should use the settings mentioned above to not store credit card data after checkout and set these fields to wipe data for "In checkout" orders after 1 hour.

