Magento Forum

Showing the full credit card
 
the311guy
Sr. Member
 
Total Posts:  120
Joined:  2007-10-18
 

Is it a good idea to show the customer's full credit card number in their confirmation email?  Also showing the full credit card in the admin section?

Seems a little insecure..  I would be a little worried if a company sent me my entire credit card number

 
i960
Guru
 
Total Posts:  633
Joined:  2007-10-01
Bakersfield, CA
 

Not a good idea at all.  Emails are not in any way secure, both during the send and after it arrives on the customer’s computer.  I wouldn’t show it in Admin either.  Ideally the merchant should never know the credit card number, for security and privacy reasons.  Most customers would expect that their number is never actually revealed to a human at any point during the transaction.  The obvious exception to this would be a phone order, where a customer willingly gives their number to a person.

Does Magento actually do this?  I haven’t gone that far in my testing yet.

 
Travis
Sr. Member
 
Total Posts:  125
Joined:  2007-08-31
 

They’re fixing this as we speak.  Mentioned in another thread.

 
Moshe
Magento Team
 
Total Posts:  1770
Joined:  2007-08-07
Los Angeles
 

For a fast fix, please replace in app/code/core/Mage/Payment/Block/Info/Cc.php

$this->setTemplate('payment/info/ccsave.phtml');
with
$this->setTemplate('payment/info/cc.phtml');
 
_henry_
Jr. Member
 
Total Posts:  14
Joined:  2008-01-08
 

The info is still stored in the DB! How should I proceed to avoid that?

thx

 
evdat
Member
 
Total Posts:  35
Joined:  2008-02-28
Carthage, MO
 

@_henry_

I’m running (Magento ver. 0.8.17240) on my test server.

I just entered an order via my test Magento site using the saved credit card payment method. It saved detail record information about the order in the sales_order_entity table and there are no fields in that table that display the credit card number in plain text. There is however a record for attribute_id 367 that has encrypted data, and I referenced attribute_id 367 in the eav_attribute table and it is the field for cc_number_enc. So it appears to be “storing” the credit card data in the database in an encrypted form. I haven’t looked to see what encryption method it uses or anything, but it is stored encrypted. I would imagine the “Saved CC” payment method is primarily for demonstration and testing purposes, as most merchants would rather use a payment processor for instant feedback and secure transaction processing.

If you are going to process credit card transactions using Magento I highly recommend using a payment processor like PayPal to process the credit card transactions. Using a payment processor means that the credit card information is not stored on your server anywhere, and the payment processor will give you instant feedback so you know the card is valid and has the available credit for the transaction prior to receiving the order into the system.

_henry_ if you do not have the latest version of Magento installed I recommend updating to the newer build as some things might have changed since the previous builds.

 
_henry_
Jr. Member
 
Total Posts:  14
Joined:  2008-01-08
 

Thank you for your answer,

I am using an older version of Magento and also use a payment system such as PayPal… that’s why there is no reason to keep (even encrypted) the CC number. I was wondering if the encryption key was common to all Magento versions or if this key is generated at the installation?

:) waiting for a stable release documented :)

 
Otaugames
Sr. Member
 
Total Posts:  101
Joined:  2007-10-07
Troyes, France
 

The encryption key is different for each Magento install. If you try to install a second Magento, you will get another key for this new install.

 
_henry_
Jr. Member
 
Total Posts:  14
Joined:  2008-01-08
 

Thank you for your precision, this is the answer I was expecting :)

 
Tim [at] Sprout
Jr. Member
 
Total Posts:  8
Joined:  2008-03-09
Orange County, CA
 

Who decided that removing any form of saving the CC’s (Except for the Saved Credit Card Payment Method) was a good idea?

It’s important that we balance security with usability. If CC data is not stored in the DB how will you process subsequent transactions related to an order through the Magento Admin Interface? How will you process a credit against an order if you don’t have the CC data to do it? Logging into your Credit Card Merchant Interface is not the answer.

So I suggest we re-evaluate this decision and at the very least make it a configurable option in the Admin to save CC information or not. Of course it should always be encrypted and having a configurable number of days before purging would be ideal. This way a merchant can decide what is best for their store, not be forced into a business workflow dictated by developers, other store owners, etc.

So to recap....

Configurable settings in Admin for “Save / Not Save” CC information and “Number of Days to save CC data before purging from DB”.

 
zadpro
Sr. Member
 
Total Posts:  247
Joined:  2007-12-10
FL, USA
 
Tim [at] Sprout wrote:

> It’s important that we balance security with usability. If CC data is not stored in the DB how will you process subsequent transactions related to an order through the Magento Admin Interface? How will you process a credit against an order if you don’t have the CC data to do it? Logging into your Credit Card Merchant Interface is not the answer.
>
> So I suggest we re-evaluate this decision and at the very least make it a configurable option in the Admin to save CC information or not. Of course it should always be encrypted and having a configurable number of days before purging would be ideal. This way a merchant can decide what is best for their store, not be forced into a business workflow dictated by developers, other store owners, etc.
>
> So to recap....
>
> Configurable settings in Admin for “Save / Not Save” CC information and “Number of Days to save CC data before purging from DB”.

Excellent suggestion.

 
MassDigitalMedia
Sr. Member
 
Total Posts:  83
Joined:  2009-02-19
Leominster, MA
 
Tim [at] Sprout wrote:

> It’s important that we balance security with usability. If CC data is not stored in the DB how will you process subsequent transactions related to an order through the Magento Admin Interface? How will you process a credit against an order if you don’t have the CC data to do it? Logging into your Credit Card Merchant Interface is not the answer.
>
> So I suggest we re-evaluate this decision and at the very least make it a configurable option in the Admin to save CC information or not. Of course it should always be encrypted and having a configurable number of days before purging would be ideal. This way a merchant can decide what is best for their store, not be forced into a business workflow dictated by developers, other store owners, etc.
>
> So to recap....
>
> Configurable settings in Admin for “Save / Not Save” CC information and “Number of Days to save CC data before purging from DB”.

Have you figured out a solution to this? Our customers do not want to have to re-enter their CC info every time they place an order. Of course, we give the option to those that do, but Magento is not cooperating like our current site does.

 
ayasoftware
Jr. Member
 
Total Posts:  21
Joined:  2009-06-02
 

Hello,
If you still have a problem with this, we have released a new module that automatically deletes credit card numbers stored in the Magento database.

Solution here

Let me know if you need any help.
Regards.

 
abirdd
Jr. Member
 
Total Posts:  20
Joined:  2009-08-31
Canada
 

If anyone is still trying to solve this issue, I could not find ANY help ( Except for paying 100 bucks for a module) so I just built my own.  http://store.abirdd.com/creditcard/magento-credit-card-purger.html $20 bucks for life, includes updates / fixes / help

It is a formal module which runs with the Magento CRON feature. Default setup is to purge credit cards from completed orders hourly. I also have a page which would run the purge immediately (for example if you do not have cron set up).

Let me know if you have any questions.

Derek
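
The retention policy proposed earlier in this thread (a save / don't-save switch plus a number of days before purging), combined with the scheduled purge of completed orders described in the post above, sketched as an added example that is not part of any post here and is not Magento's or either module's code. The table layout, the `cc_last4` column, the setting names and the `encrypt` callable are assumptions made up for illustration; only the `cc_number_enc` name comes from the thread.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical defaults for the two admin settings proposed in the thread.
SAVE_CC = True        # "Save / Not Save" CC information
RETENTION_DAYS = 30   # days to keep CC data before purging

def make_db():
    """In-memory order store; this schema is constructed for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, "
               "completed_at INTEGER, cc_last4 TEXT, cc_number_enc BLOB)")
    return db

def record_order(db, status, completed_at, pan, encrypt, save_cc=SAVE_CC):
    """Always keep the last four digits for display; keep ciphertext only if enabled."""
    enc = encrypt(pan) if save_cc else None
    ts = int(completed_at.timestamp()) if completed_at else None
    cur = db.execute(
        "INSERT INTO orders (status, completed_at, cc_last4, cc_number_enc) "
        "VALUES (?, ?, ?, ?)", (status, ts, pan[-4:], enc))
    return cur.lastrowid

def purge_expired(db, now, retention_days=RETENTION_DAYS):
    """Clear stored card ciphertext on completed orders past the retention window."""
    cutoff = int((now - timedelta(days=retention_days)).timestamp())
    cur = db.execute(
        "UPDATE orders SET cc_number_enc = NULL WHERE status = 'complete' "
        "AND cc_number_enc IS NOT NULL AND completed_at <= ?", (cutoff,))
    db.commit()
    return cur.rowcount  # number of orders whose card data was removed

def demo():
    """Run the policy over constructed orders; returns (purged, remaining rows)."""
    db = make_db()
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    placeholder = lambda pan: b"<ciphertext>"  # stand-in, not real encryption
    test_pan = "4111111111111111"              # constructed test number
    record_order(db, "complete", now - timedelta(days=45), test_pan, placeholder)
    record_order(db, "complete", now - timedelta(days=5), test_pan, placeholder)
    record_order(db, "pending", None, test_pan, placeholder)
    purged = purge_expired(db, now)
    rows = db.execute("SELECT id, cc_last4, cc_number_enc FROM orders").fetchall()
    return purged, rows

if __name__ == "__main__":
    print(demo())
```

Only the 45-day-old completed order loses its stored ciphertext; the pending order keeps it so it can still be charged, and every row keeps its last four digits for display in admin screens and emails.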

 
tonyshanks
Jr. Member
 
Total Posts:  4
Joined:  2010-02-22
 

I am lost. If you are not using a third-party service, and you are handling order fulfillment through Magento only, how can you bill if you can’t see the Credit Card? It appears that Guests’ credit cards show up in the DB, but anyone who registers, it strips their card info. Am I missing something?

 
tonyshanks
Jr. Member
 
Total Posts:  4
Joined:  2010-02-22
 

If a user is a registered user, then the CC shows up blank. This is a BIG BUG. Help!!!

 