ed523

my client doesn't want to process card data automatically but rather later for whatever business reason.
apparently their old cart, cart32, could store card data as pending. i looked up c32 and they were using public key encryption like ubercart. i've been reading that this isn't recommended but can be done in debug mode. i have the site set up like that; when i test it, it says the card has already been charged, which i'm guessing is the testing gateway's way of saying it would have worked had an actual gateway been implemented. how does this work? i need to explain it to their secretary.

blindrocket
Re: using credit card payment debug mode for card data storage (

I would like information on this as well.

cha0s

I'm no expert, but I believe that by doing that you aren't PCI compliant, so in order to, you'll have to roll your own, without any official blessing, because at that point I think you make yourself liable for any fraud cases.

Hopefully someone can elaborate...


ed523

the ability to do this is obviously in demand. let's figure out how storing ccard data somewhere (not necessarily a drupal db) can be made to be standards compliant.

blindrocket

I believe that Ryan said that you can still be in compliance if your server has a firewall, it has an SSL connection, and you have made your pages secure.

Many companies out there submit their own credit card #'s to their bank via telephone, and it does not cost them a per transaction fee, high monthly fee, or a setup fee like these online payment gateways charge.

There must be a way to accept credit cards and continue with business as usual for these companies without the requirement of using an online payment gateway.

cYu

Here is what Visa requires to store card info and be PCI compliant.
http://usa.visa.com/merchants/risk_management/cisp_overview.html

Part of that is filling out this compliance audit which provides about 40 pages of more detailed qualifications to meet if you'd like to store credit card numbers in PCI compliance,
https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

And according to Visa, "Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident."

You should weigh the cost of transaction fees vs. the cost of meeting PCI compliance vs. the cost of fines if problems occur and you are not compliant.

ed523

there are shopping carts out there that allow the storage of ccard numbers yet are still pci compliant. i'm not sure how, but cart32 apparently has a local client that connects to their secure "pci compliant underground data center". i believe cart32 uses icverify for a payment gateway... the guy that owns the place doesn't seem to understand why he can't go on using c32 with drupal.
ANYHOO
right now my client's website (which btw is ssl) is using the testing gateway (not in debug mode) and then they are calling customers to get credit card numbers, even though as far as the customers are concerned they already submitted their card info. does anyone know of a way to just get rid of the credit card form altogether while still sending the rest of the order info to the database and not generating a bunch of error messages??

cYu

You could probably activate the Payment Method Pack module, set up COD as the only payment method and then use the string overrides module to replace 'COD', 'cash on delivery', and 'Full payment is expected upon delivery or prior to pick-up.' and any other strings generated by the payment method with terms more suitable to your situation. Certainly hacky, but might do the trick. A better but lengthier approach would be pulling the COD code from uc_payment_pack into your own module and setting up a payment method module like uc_credit_by_phone.

ed523

thanks, that was easy