NopCommerce PCI - nopcommerce

Running NopCommerce 3.40
I think i read somewhere that NopCommerce's Shopping cart is PCI compliant. It also looks like NopCommerce's shopping cart stores Credit card data.
1.) So what does this PCI process do?
2.) Is it just a fashion of encryption of data as it passes to the database?
3.) Is it my fault if the hosted database say from GoDaddy gets hacked for a bunch of credit cards?
I don't know why NopCommerce is storing Credit Cards. I think I have to figure out how to disable that part. I mean if I don't then I need to purchase a PCI Certificate?
EDIT :
I did some more reading. It looks like if I use Stripe or another third party gateway no Credit card information gets stored. I think only Manual Payments credit card information gets stored. Is this right?

1) PCI-DSS stands for Payment Card Industry Data Security Standard. The standard guides you so you know what are you doing with the cards data and that it is secure enough, given your transaction volume, data collected and stored, etc.
2) It is not. Basically, it says that if the card data (CC number, CVV code) ever pass near your system (in a logical sense), then you are in the PCI scope, and have to comply or the acquirers (banks) won't talk to you.
3) I think you'd be liable, look into GoDaddy disclaimers.
I doubt there's anything like 'PCI compliant shopping cart'. This is how you process the payment, as in, can your javascript access the CC number input box, can your router see the unencrypted CC number, etc.
In your case, I assume a small e-commerce, I'd look to outsource the payment page. Be it Stripe, PayPal, Skrill, Neteller, whatever makes you never see the data except for the income amount.

Related

How to get credit card details of Paypal Recurring payments profile

I am creating a Recurring payment profile using Direct payment(credit card details entered during registration are not stored in database). I want to update/change the bill amount for every bill cycle(because billing is done per user per month).
I am using UpdateRecurringPaymentsProfileDetails API method to change the amount, but the method needs credit card details again(for each time it is called). I am getting the credit card details using GetRecurringPaymentsProfileDetails, but this method just returns the last 4 digits of credit card(and does not return CVV2, but this is not major issue here).
Is there any other option to get the full credit card details(at least credit card number) using Paypal APIs or should I have to store credit card numbers in my database? Any help would be highly appreciated.
It's unlikely that you'll be able to get the full credit card number from PayPal; that's why people use PayPal.
Storing credit card information in your database is a huge liability, and should be avoided if at all possible. Once you start storing that information, your company is responsible for keeping that information secure (and that includes developers). Use another third party component if you must, but don't take on such an enormous liability.
I don't know what company you work for, but that's not a decision that a developer should be making on their own. Entire companies have been shut down for mishandling credit card information. The law around that stuff is extremely murky, and even the smallest mistake can result in massive fines.

Recurring billing variable amount without storing credit card information

I have implemented few payment websites using PayPal Standard, PayPal Website Pro, PayPal Express and Authorize.Net.
Now I'm implementing a website which requires recurring billing. My only problem is variable amount, since I do not store credit card information, and amount is not fixed in each cycle.
Can we use either PayPal or Authorize.Net for my project? If not, could you please recommend any reliable payment gateway ($US for payment, and gateway located in US please) for that matter?
You can use a service like Authorize.Net's Customer Information Manager (CIM) to store the credit card and billing information for you and then you create your own scheduling engine that charges against the payment method you have stored for them using CIM. CIM also allows you to make off-cycle payments at any time as well.
Well the variable amount to bill shouldn't be a problem if you can put together whatever formula would be used in code. However if you aren't storing the actual credit card info (and I can understand why), then I don't see how you'd be able to charge the customer every month. Normally you need a credit card or bank information to do a direct transfer.
If you absolutely cannot store the information, then the only thing I can imagine is putting together an automated calculation and notification system that can send the customer an email with a link that brings them to a form so they can enter the information as simply as possible. Otherwise you'll need to save their credit card info somewhere secure and simply bill them every month, which isn't uncommon.
Have you looked into PayPal's IPN variables?
https://www.paypal.com/cgi-bin/webscr?cmd=p/acc/ipn-subscriptions-outside
Typically you have to cancel then reapprove a new subscription... but perhaps you can use the variables some how to do that programmatically.
I found a solution. PayPal calls ProcessReferencePayment.
At first, I need to charge the credit card using DoDirectPayment, and store the successful transaction number.
After that, I just call DoReferenceTransaction along with OrderTotal and ReferenceID (the previous transaction number).
DoReferenceTransactionRequestDetailsType
DoReferenceTransactionReq

Where (and when) Ubercart stores CC data?

I use Drupal 5 with Ubercart 1 (latest) and uc_subscribe module.
I see in uc_subscribe module that CC data for recurring payment is taken from uc_payment_credit table, but I cannot find the place in code where data is added to this table. I grepped sources of UC1, UC2 and still have no clue how it should work. Can anyone please point me the exact line or function?
Thanks in advance.
Ubercart doesn't store credit card data, unless you are in test mode. The CC data is generally stored by the payment gateway (authorize.net, paypal, etc). Storage of credit card data can only legally be done if your site is PCI Compliant.

Is it viable to use Drupal/Ubercart for an international store? Do any payment gateways support it?

I am picking tools to use for an international store. Company sells training and products in North America, Europe and a few other places. The existing store in the United States (Drupal/Ubercart/Authorize.net) works great and serves all their needs.
Displaying product prices in different currencies are relatively easy to set up, and you can display the correct currency symbols and values depending on where services are rendered, where people want to ship to, etc (useful modules include uc_multiple_currency, uc_multiprice, uc_cck_currency).
Are there viable Ubercart solutions to sell to other international markets using the same storefront? It is possible for any user to buy services/products through the US store, but paying in USD for a service offered in e.g. the Netherlands, when dealing with people based in the Netherlands is not acceptable.
The only payment gateway I could find that would accept payment in multiple currencies is Paypal. However, I am looking for a solution that would accept credit cards from international users and charge them in the correct currency. Authorize.net works great - will accept cards from anywhere and process them, but all transactions is in USD. It would be extremely problematic to charge someone €250 on the site and their final charge (after currency conversion) being e.g. €250.65 or something like it because of a delayed conversion.
Numerous people have asked this question, with very few useful insights and solutions (see for example here, here, and here, which presents a workaround-ish way of doing things).
To be clear: Displaying prices in different currencies is easy. How can I bill credit cards internationally using the correct currency through a gateway that supports it, without having to do conversions?
I have been through the same thing recently, but ended up making my own module to do the price handling. If it's done right, the prices will be displayed correct, even for order total etc. (See the hook_uc_price_handler)
This means that you will need to do two things to handle your problem.
Make sure the order only contain 1 currency, so you don't have one item costing €100 and another costing $100 (what would the total of that order be?) You could handle this by doing currency conversion if you wanted to, I believe that is how one of the modules you listed works.
When the payment is processed you need to send the correct currency to the payment provider. This already needs to be done in most cases as payment providers usually are able to collect in various currencies. Since most do the payment process via a hidden form that redirects or a inline form with hidden fields, you should be able to use hook_form_alter to set the currency to what you want. Depending on the payment module, this may be hard or easy.

Storing Credit Card Information [duplicate]

This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Storing credit card details
There are many sites that stores the Credit card information. I too, in one of my application , need to store the credit card information in database. But I don't have any idea how to store them. I found somewhere that we can split the credit card numbers in parts and the encrypt them before storing it to database. Although it seems that a good idea, I am curious how the renowned sites like Paypal and amazon.com are doing it. Does anyone know how they are storing the credit card information?
If you have to ask this kind of question, you almost certainly shouldn't be storing credit card information. It's tricky to get right, and if you make even one small mistake you could cause a lot of problems for a lot of people.
I'd suggest outsourcing it to one of the larger payment processors, so that you don't have to deal with it.
If you want to start learning about the challenges you face, take a look at the Data Security Standards from the payment card industry.
There are many things that need to be done to ensure the card data is secure. What companies you mentioned, PayPal, Amazon and other PaymentsGateway, have gone through is expensive and time consuming. They have to go through annual audits based upon Payment Card Industry standards (PCI). If you choose to go this route, keep in mind that it is expensive to get compliant and espensive to stay compliant.
Another option would be to outsouce the storage of the credit card data to a company that is in compliance with the card storage rules. There are companies out there that store the data and provide you back a token you can use to call the payment data to update or charge.
One that I prefer is: www.paymentsgateway.com

Resources