Magento Forum

Does Magento save Credit Card numbers for customers? 
 
Lance Monotone
Member
 
Total Posts:  63
Joined:  2008-04-16
North Adams, MA. 01247
 

I know they can be captured in the DB, but can they be saved as a payment method so the customer doesn’t have to enter them every time?

 
 
alistek
Sr. Member
 
Total Posts:  293
Joined:  2008-04-02
Normal, IL
 

Not currently.  They are only saved in the database if you use the Save CC payment method but that is more for backend offline credit processing.  If you mean saving the numbers as a credit card on file it doesn’t exist currently.

-Adam

 
 
Lance Monotone
Member
 
Total Posts:  63
Joined:  2008-04-16
North Adams, MA. 01247
 

Thanks for the quick response, Adam.  Do you know if that is an upcoming feature?

 
 
Lance Monotone
Member
 
Total Posts:  63
Joined:  2008-04-16
North Adams, MA. 01247
 

I’m sorry, I don’t buy that.  Big companies like Cingular and TimeWarner do it.  Why shouldn’t I?  Besides, the numbers are already being stored in the database for saved CC transactions.  Why not make them available to the customers?

 
 
Lance Monotone
Member
 
Total Posts:  63
Joined:  2008-04-16
North Adams, MA. 01247
 

I find you condescending and a little rude.  Here’s my credit card number.  If you can decrypt it you can use it.

ZHXqdJaECfdGVs7F1bmN+w==

 
 
Crucial
Enthusiast
 
Total Posts:  770
Joined:  2007-11-07
Phoenix, AZ
 
Ron Seigel - 05 June 2008 04:52 PM

Saving a customer’s cc info is a horrible idea

No it’s not. Saving a customer’s CVV, however, is a bad idea, not to mention illegal.

Companies like Amazon do it so you don’t have to type in your card number every single time you purchase something.

We do it as a hosting company for recurring billing. The important part is that the card number is encrypted, hence the encryption key Magento generates.

Ron Seigel - 05 June 2008 04:52 PM

What happens if your site is hacked and this “saved” info compromised? Are you willing to pay the HUGE fines and lose your merchant account?

Companies who process card data are now required to become PCI-DSS compliant, which is a really long list of things that have to be done to ensure that card data is secure.

If you haven’t received an email about this already, then you will (or should).

 
 
johnW
Jr. Member
 
Total Posts:  3
Joined:  2008-06-11
 
Lance Monotone - 05 June 2008 06:51 PM

I find you condescending and a little rude.  Here’s my credit card number.  If you can decrypt it you can use it.

ZHXqdJaECfdGVs7F1bmN+w==

This topic interested me as I was wanting to off line process credit cards as well. I don’t want to buy into the rude or not issue.

The case here is not necessarily the same as storing the credit card numbers in the magento store. This case is as safe as GPG, or whatever encryption package was used; probably 128- or 256-bit encryption.

However, the credit card numbers in the shop are only as safe as the user name and password combination, as the admin login page for a shop is at a known location. One hopes that a good password is selected along with a non-obvious user name, but people are often lazy or uninformed about what is a good password.

I’m not a security expert, nor a hacker so I may have missed an important detail.

Personally I’d prefer to encrypt the entire order and credit card info with a public key, using GPG, and email it to my home account, making it as safe as the credit card above.  Storing none of the credit card details in the shop, as a personal PC is much less open to automated attacks than a website, and I can delete the records once the order is processed, something I haven’t yet found out how to do in Magento (saw an unanswered thread with that question in, though).

Does Magento do this, email encrypted CC info? I looked but didn’t seem to find anywhere that said it could, I could just not have looked hard enough.

 
 
Crucial
Enthusiast
 
Total Posts:  770
Joined:  2007-11-07
Phoenix, AZ
 
johnW - 13 June 2008 04:47 PM

However the credit card numbers in the shop are only as safe as the user name and password combination as the admin login page for a shop is at a known location.

That’s one part of it. Not only do you need admin rights, but the encryption key. For example, we store client credit card data. You have to login as an admin superuser (so only 2 people can do this) first, and then you need an encryption key to even see the card number.

I do wonder if the encryption key should also include symbols, not just letters and numbers like the ones Magento generates.

 
 
johnW
Jr. Member
 
Total Posts:  3
Joined:  2008-06-11
 
Crucial - 13 June 2008 09:53 PM

That’s one part of it. Not only do you need admin rights, but the encryption key. For example, we store client credit card data. You have to login as an admin superuser (so only 2 people can do this) first, and then you need an encryption key to even see the card number.

Guess I must have missed something in my setup of the saved credit card, as when I log in as admin I can just go to the orders page and see the credit card in plain text, no encryption key needed. Dangerous that I can set it up in a dangerous manner, but that it still works and as far as I can see doesn’t complain.

What it suggests is that the entire number is in the clear from my ISP to me when I look at it. I have no idea how hard it is to sniff those packets or how unlucky I’d have to be to have someone intercept them. But I’d rather never find out. Yeh I know I’m probably needlessly paranoid but I have done a little bit of work on a secure chip and paranoia was encouraged.

This is why I was/am so keen to delete that record. It’s my card number I used for testing as I didn’t have a dummy number that would pass the verification tests; mixed blessing that.

Do you know what I haven’t set up and how I might fix it?

Thanks

 
 
gabrielk
Sr. Member
 
Total Posts:  83
Joined:  2007-11-30
 

All you need to decrypt credit card information stored in Magento is FTP access to the server.  With FTP access, I can gain access to the database as well as the encryption key used to encode the credit card, not to mention see the method used to encrypt it.  From there it’s a simple matter of accessing the database, pulling the billing records, and on my own time decrypting the card numbers.

The ways someone can gain access to your Magento install’s FTP credentials is staggering.

But by all means, do what you want.

Lance Monotone - 05 June 2008 03:49 PM

Thanks for the quick response, Adam.  Do you know if that is an upcoming feature?

If you check the release notes, you’ll see that beta releases used to store credit card numbers for all payment types until around beta 0.9.  Since it was a previous feature that was disabled, I don’t think it will be coming back.

 
 
ayasoftware
Jr. Member
 
Total Posts:  21
Joined:  2009-06-02
 

Hello,

If you wish to not have to worry about someone hacking in and stealing those numbers belonging to your customers, I have released a new module that allows store owners to delete credit card numbers stored in the Magento database.

Link here:  Delete Saved Credit Card Numbers Module

Need help? Please do let me know.
Regards.

 
 
kurtssmith
Jr. Member
 
Total Posts:  17
Joined:  2009-10-23
 

I am trying to remove CC data in my database directly as a result of using the CC Save method during Checkout.  Now I thought the place that it was stored was the sales_flat_quote_payment table but even after blanking out the cc_number_enc and the cc_cid_enc fields, credit card numbers and cvv numbers would still show up under the Admin Sales Order Control Panel.  So could they be stored somewhere else?

 
 
dwuethrich
Jr. Member
 
Total Posts:  20
Joined:  2009-05-29
 

I tried setting the cc_number_enc to null, but I can still view the number when looking at the order.

So, I must assume it is stored in another location.

 
 
dwuethrich
Jr. Member
 
Total Posts:  20
Joined:  2009-05-29
 

All you need to decrypt credit card information stored in Magento is FTP access to the server.  With FTP access, I can gain access to the database as well as the encryption key used to encode the credit card, not to mention see the method used to encrypt it.

Hello gabrielk,

Where is encryption key stored?

 
 
Tyler Jensen
Member
 
Total Posts:  55
Joined:  2009-03-27
 

Someone should make an Amazon CC like module… For those who don’t want to use it… don’t use it. For those who do want to… we will pay the price if it fails.

The Decryption key is stored in app/etc/local.xml

TJ

 
 
jlenz
Jr. Member
 
Total Posts:  8
Joined:  2010-05-12
 
Lance Monotone - 05 June 2008 06:51 PM

I find you condescending and a little rude.  Here’s my credit card number.  If you can decrypt it you can use it.

ZHXqdJaECfdGVs7F1bmN+w==

CCSAVE uses symmetric encryption by default.  If you are doing any offline processing of orders it is highly recommended that you use asymmetric encryption with openssl or some other RSA means.

<?php
// Bootstrap Magento and run the store's own core helper, which decrypts with
// the symmetric key Magento keeps in app/etc/local.xml; the ciphertext alone
// protects nothing once that file is readable.
require_once $_SERVER['DOCUMENT_ROOT'].'/app/Mage.php';
$app = Mage::app('default');
Mage::getSingleton('core/session', array('name'=>'frontend'));
echo Mage::helper('core')->decrypt("ZHXqdJaECfdGVs7F1bmN+w==");
?>

If I hacked your server far enough to get that encrypted string, I’m pretty sure I’d be able to execute a simple PHP script as well.  After all, most ‘secure’ installations only allow database access from the web server anyway.
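The asymmetric approach jlenz recommends above (and the public-key idea johnW raises earlier in the thread), as an added example in PHP that is not code from this thread or from Magento: the web server holds only the merchant's RSA public key, so a copy of the database plus everything under the web root yields ciphertext that cannot be reversed without the private key kept on the offline machine. Function names and the test card number are this example's own assumptions.

```php
<?php
// Added example, not from the thread or from Magento. Keys are generated
// in-process only so the demo runs stand-alone; in practice generate them
// offline (e.g. openssl genpkey) and copy only the public half to the server.

// Web-server side: encrypt a card number with the public key before it is
// written anywhere. RSA-2048 with OAEP padding takes up to 214 bytes, plenty
// for a PAN, and nothing here uses the symmetric key in app/etc/local.xml.
function encryptCardForOffline(string $pan, string $publicKeyPem): string
{
    $pan = preg_replace('/\D/', '', $pan);              // digits only
    if (strlen($pan) < 12 || strlen($pan) > 19) {
        throw new InvalidArgumentException('not a card number length');
    }
    $ok = openssl_public_encrypt($pan, $cipher, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($cipher);                      // safe to store or e-mail
}

// Offline side (merchant's PC, never the web server): recover the PAN.
function decryptCardOffline(string $b64, string $privateKeyPem): string
{
    $cipher = base64_decode($b64, true);
    if ($cipher === false) {
        throw new InvalidArgumentException('stored value is not valid base64');
    }
    $ok = openssl_private_decrypt($cipher, $pan, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true) {
        throw new RuntimeException('decryption failed: ' . openssl_error_string());
    }
    return $pan;
}

// Demo with a constructed key pair (see note at top).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privatePem);                 // stays offline
$publicPem = openssl_pkey_get_details($key)['key'];     // the only key on the server

$testPan = '4111 1111 1111 1111';                       // constructed test value
$stored  = encryptCardForOffline($testPan, $publicPem);
echo "stored in DB / mailed: $stored\n";                // ciphertext only
echo "recovered offline:    " . decryptCardOffline($stored, $privatePem) . "\n";
```

Because the private key is never on the web server, the FTP-access scenario gabrielk describes yields nothing usable, and the record can be purged from the store as soon as the order has been processed offline.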

 