scorrales

I'm working on a module for LinkPoint API and it implements UC's recurring billing module.

What information is being stored when I use uc_recurring? Documentation states that the last four digits are all that's stored and it's encrypted. However, in order to use uc_recurring, the entire CC # would need to be stored. What other information is stored when working with uc_recurring?

Specifically, would CVV or CV2, PIN numbers, Pin blocks, or track 1 or 2 data be stored?

In other words, is uc_recurring PCI compliant?

Ryan
Re: Storing Credit Card data

There is a testing mode available with the traditional default recurring handler that is not PCI compliant and is not supposed to be used in a live setting. Each module was originally supposed to implement the recurring APIs for their gateway, but lately there's been some movement to try and make the core handler compatible w/ any gateway's reference transactions... that's pretty vague... but basically, the uc_recurring handler is there for testing and is not PCI compliant. Yours will be compliant if you make it so, i.e. no storing CC data on your end.

scorrales
Re: Re: Storing Credit Card data

I made an implementation of hook_recurring_fee() that is identical to uc_recurring_recurring_fee(). As long as I'm not in debug mode, I shouldn't be storing any CCV data, correct?

Unfortunately, LinkPoint doesn't support a silent post feature like Authorize.net so I can't use their recurring service. If I'm not storing the CCV, and the CC# is encrypted, that would be PCI compliant, wouldn't it?

Ryan
Re: Re: Re: Storing Credit Card data

Not entirely sure... because you'd still need to store the expiration date, I'd venture a guess that it's no bueno. Especially for people in various hosting situations I recommend against it. LinkPoint doesn't have some system to store the CC details on their server and access them via a reference number from Ubercart?

scorrales
Re: Re: Re: Re: Storing Credit Card data

I just put in my second call to LinkPoint's tech support and the answer is a resounding no. They provide no silent post back URL like Authorize.net's ARB, and they provide no way for UC to query the server and retrieve an update on the status of the periodic billing.

PCI standards say that you need to "protect cardholder data". PCI regulations specifically forbid storing unencrypted CC info, CVV or CVV2, PIN blocks, PIN numbers, and Track 1 or 2 data. None of that is the expiration date, though....

elvis2
Re: Re: Re: Re: Storing Credit Card data

You can do periodic billing with Linkpoint and still remain PCI compliant.

When someone makes a purchase through the LinkPoint API gateway, the gateway sends back a transaction id. You can store that id in the database and relate it to the order id. If you need to give a credit or charge more against the original transaction, you can push the transaction id back to LinkPoint and make the changes to the transaction.

For recurring billing, LinkPoint lets you send "periodic" charges. If you keep the transaction id, you can cancel/modify the original periodic transaction, or let your customer cancel it (I am thinking membership and user account).

LinkPoint is now called Global Gateway Virtual Terminal; I assume they still have their PHP examples on how to deal with transaction ids and communicate with the LinkPoint server.

rl9022
Re: Re: Re: Re: Re: Storing Credit Card data

@elvis2 - what happens when the credit card expires?

elvis2
Re: Re: Re: Re: Re: Re: Storing Credit Card data

@rl9022, if you send a recurring transaction with LinkPoint, and the credit card expires later, then you will get a failure on LinkPoint's end. If your email is set up in the LinkPoint admin, they will continue to email you every day when they reattempt the card.

robertjd
Re: Re: Re: Re: Re: Re: Re: Storing Credit Card data

To my understanding of the information here, Ubercart is only storing the last 4 digits of a credit card (unless you are in dev mode), and those 4 digits are encrypted using the key that is set up outside your web root.

First, tell me if my understanding is wrong.

Second, if I am correct in this understanding, is this understanding clearly stated somewhere on the Ubercart website? If it is I have not been able to find it. If it is not, could it be provided? This would allow me to give clients a page to reference for these concerns.

To give an example, CiviCRM has this document on their wiki:

http://wiki.civicrm.org/confluence/display/CRMDOC/CiviContribute+Payment...

Which clearly states under #6,

"CiviCRM does not store any credit card information in the database and does use robust (HTTPS) protocols to receive credit card information"

That is the statement that I need for my clients. I would like to have something similar for Ubercart.

Cheers,
Robert

jaykali@drupal.org
What is the latest on this?

So do any of the payment modules store credit card numbers as of today? If not, then does that mean the uc_recurring module will only work for payment engines like Authorize that allow you to store cc numbers in their system and re-bill with a reference number?

If that's the case I don't understand how the generic credit card driver for uc_recurring would work.

jaykali@drupal.org
or maybe they do store cc numbers

Or do payment gateways store an encrypted cc number in the data field of the uc_orders table? I guess I wasn't aware that they did this; maybe some do and some don't.

univate@drupal.org
Re: or maybe they do store cc numbers

Storing credit cards comes with other security issues that an ecommerce software application can never handle for you. I have only briefly skimmed the PCI compliance documents myself, but when it comes to storing credit card details you need to pay attention to your hosting environment setup, i.e. you can't use shared hosting and you need to have firewalls set up. When 90%+ of Ubercart users are not aware of these issues, it would be irresponsible for Ubercart to put people in a position where they could be liable for the storage of credit card details under PCI or their merchant account terms of use.

But if you do know what you are doing and understand the PCI compliance issue, it would be very simple for you to implement your own payment gateway or a replacement for uc_credit that encrypts the credit card details using your own code and stores the details in accordance with PCI. Ubercart/uc_recurring doesn't distinguish where the details are stored (remote merchant account or your own database); Ubercart/uc_recurring just asks a gateway to charge an order, and the gateway can do that any way it likes.

In uc_recurring the focus on payment gateways has just been those gateways that provide recurring features, and that is what will be supported, but the module allows you to write your own payment module to manage credit cards yourself if that is what you want to do. But there are many gateways that provide the features we need to just save the credit card details in their system and trigger payments at any time and amount, which means there is often no need to go to the extra effort of managing credit card details yourself.
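The reference-id pattern elvis2 describes and the "just ask the gateway to charge an order" model univate describes, as an added example (not uc_recurring, Ubercart or LinkPoint code): the only card-related values persisted with the order are the gateway's transaction reference and the last four digits, a guard refuses anything PCI forbids storing, and the recurring charge re-bills by reference. The callback name, argument shapes and the stub gateway client are assumptions.

```php
<?php
// Added example, not uc_recurring, Ubercart or LinkPoint code. The callback
// name, argument shapes and the gateway client are hypothetical.

// Values PCI DSS forbids storing after authorization (CVV/CVV2, PIN, PIN block,
// track data) plus the PAN, which this design never needs to keep at all.
const FORBIDDEN_KEYS = ['cc_number', 'cc_cvv', 'cc_cvv2', 'pin', 'pin_block',
                        'track1', 'track2'];

/**
 * Build the only card-related record that will be saved with the order:
 * the gateway's transaction/reference id and the last four digits.
 * Expiry date is deliberately not kept either; the gateway tracks it.
 */
function build_stored_card_record(array $cc_data, string $gateway_ref): array {
  $digits = preg_replace('/\D/', '', $cc_data['cc_number']);
  return [
    'gateway_ref' => $gateway_ref,
    'cc_last4'    => substr($digits, -4),
  ];
}

/**
 * Guard to run before anything is written to the order's data field.
 * Rejects the record if a forbidden key slipped in (e.g. from debug code).
 */
function assert_no_cardholder_data(array $record): void {
  foreach (FORBIDDEN_KEYS as $key) {
    if (array_key_exists($key, $record)) {
      throw new RuntimeException("refusing to persist '$key'");
    }
  }
}

/**
 * Hypothetical recurring-fee callback: re-bill by reference, never by PAN.
 * $charge_by_ref stands in for the gateway client's "charge this reference".
 */
function example_recurring_fee(array $stored, float $amount,
                               callable $charge_by_ref): bool {
  if (empty($stored['gateway_ref'])) {
    return FALSE;  // no reference kept, so nothing can be charged
  }
  $result = $charge_by_ref($stored['gateway_ref'], $amount);
  // An expired or declined card surfaces here as a failed charge.
  return !empty($result['approved']);
}

// Usage with a stub gateway and constructed sample data.
$cc_data = ['cc_number' => '4111 1111 1111 1111', 'cc_cvv' => '123', 'cc_exp' => '12/12'];
$record  = build_stored_card_record($cc_data, 'TXN-EXAMPLE-001');
assert_no_cardholder_data($record);  // passes: only gateway_ref and cc_last4
$stub = fn(string $ref, float $amt) => ['approved' => $ref === 'TXN-EXAMPLE-001'];
var_dump(example_recurring_fee($record, 9.99, $stub));
```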

jaykali@drupal.org
so authorize doesn't store credit card numbers?

I can't seem to get a straight answer, it seems. I am using ARB/CIM, which I know don't need to store cc numbers because they keep that data in Authorize, but does the Authorize module not store the cc number encrypted? Otherwise what is the point of the keys file?

univate@drupal.org
Re: so authorize doesn't store credit card numbers?

The only gateway that saves credit card details is the test_gateway with the debug mode enabled.

The keys file is to allow the cc_data to be encrypted and saved temporarily between submit and review checkout pages and for that test_gateway.

My short answer to you is: if you do not know what PCI compliance is (https://www.pcisecuritystandards.org), then don't even consider storing credit card details yourself; use a gateway that provides these facilities to store them for you.