How to not sure CVV in RC4?

Posts: 67
Joined: 05/05/2008
Bug Finder

Hi all,

We're using the RC4 of Ubercart for our site...

As per the "Payment Card Industry (PCI) Data Security Standard," we can't store the customers' CVV numbers, but unless I'm mistaken, RC4 does store the CVV number. We're using the subscriptions module for recurring billing, and the PayFlow Pro service from PayPal.

Is the CVV required for PayFlow Pro? I see it being sent as part of the XML data in uc_payflowpro.module (line 1115), but I can't seem to find any info on whether it's actually required or not.

Can anyone suggest a workaround?

If the field's value is not actually being validated by PayPal, I was thinking about pre-populating the CVV field with some dummy data (say '000') and hiding it using CSS... Thoughts?

Posts: 67
Joined: 05/05/2008
Bug Finder

According to the PayflowPro_Guide.pdf (page 27), the CVV field is NOT required, so I should be able to do what I mentioned above and just remove the data from the XML?

//edit
And the title of the thread was supposed to be "How to not **STORE** CVV in RC4?"

Posts: 4695
Joined: 08/07/2007
Administrator
Head Code Monkey - I eat bugs.

Is there any reason you can't update to 1.0? Do it on a test database just to make sure, but it shouldn't break anything.

Also, to remove the data from the XML you might have to take the line out of the module. However, I wonder if it would just ignore it if the field was empty.

Posts: 67
Joined: 05/05/2008
Bug Finder

Hi Ryan,

Thanks for your reply.

If the field is empty the checkout does not validate. I would love to be using the 1.0 release, but this project has been in development for over 7 months, and was worked on by a number of developers who had no prior Drupal experience, which resulted in a considerable number of "hacks" throughout core and contributed modules. I did the majority of Ubercart development (well, most of the other stuff, too), but am also guilty of doing large amounts of hacking to the module, as we have very specific requirements and at the time there were no contrib modules to provide the functionality we needed. We figured it would be quicker to add a few small hacks rather than writing a module for each modification (of which there are a *LOT*), but in hindsight it would have been much better to do everything "properly" via modules/theme overrides.

In summary, major hackage killed the upgrade path.

We were actually considering waiting for the 1.0 release, but since we had no guaranteed ETA we decided to use what we had access to at the time.

---

I just did the following:

- in uc_payflowpro.module, I removed the line `<CVNum>' . $order->payment_details['cc_cvv'] . '</CVNum>` from the XML
- in uc_credit.module, I
  * commented out:

<?php
if (variable_get('uc_credit_bank_enabled', FALSE)) {
  $review[] = array('title' => t('Issuing Bank'), 'data' => check_plain($arg1->payment_details['cc_bank']));
}
?>

    around line 360, which removes the CVV info from the review order page
  * added `style="display: none;"` to the `<tr>` which displays the CVV field/info on the order page (around line 812)
  * set '#default_value' to '000' for the actual CVV field around line 747

At first glance this seems to work - orders are being created properly. Will have to do actual "live" testing once we get some other things in place...
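
A different way to meet the "don't store the CVV" requirement raised in this thread, as an added example that is not part of any post and is not Ubercart code: use the CVV once for the gateway request, leave the `<CVNum>` element out when no value was entered, and drop the value before anything is saved. The helper names are hypothetical and the sample data is constructed; only the `cc_cvv` and `cc_bank` keys and the `<CVNum>` element come from the thread.

```php
<?php
// Added example. Helper names are hypothetical, not Ubercart functions.
// Only 'cc_cvv', 'cc_bank' and <CVNum> are taken from the thread.

/** Return the <CVNum> element, or '' when no CVV was supplied. */
function cvnum_fragment(array $details): string {
  $cvv = isset($details['cc_cvv']) ? trim((string) $details['cc_cvv']) : '';
  if ($cvv === '') {
    return '';  // optional field: omit the element instead of sending filler
  }
  if (!preg_match('/^\d{3,4}$/', $cvv)) {
    throw new InvalidArgumentException('CVV must be 3 or 4 digits');
  }
  return '<CVNum>' . $cvv . '</CVNum>';
}

/** Remove the CVV from the details array in place, before anything is saved. */
function scrub_cvv(array &$details): void {
  unset($details['cc_cvv']);
}

/** Stand-in for the persistence step: refuses to serialize a CVV. */
function serialize_for_storage(array $details): string {
  if (array_key_exists('cc_cvv', $details)) {
    throw new LogicException('CVV still present at storage time');
  }
  return serialize($details);
}

// Constructed sample data.
$details = array('cc_bank' => 'Example Bank', 'cc_cvv' => '123');

$xml = cvnum_fragment($details);            // used once, for the gateway request
scrub_cvv($details);                        // dropped before the order is saved
$stored = serialize_for_storage($details);  // what would reach the database

var_dump($xml);                             // fragment built while the CVV was in memory
var_dump(strpos($stored, '123') === false); // the CVV is absent from the stored string
var_dump(cvnum_fragment($details) === '');  // after scrubbing, the element is omitted
```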