Is this really safe?

[Rodland]

Split Credit Card E-Mail Address

Is this standard practice for those who already have an offline terminal? I'm just wondering how safe this is? Should there not be some kind of encryption?

What would be most neat would be if the credit card details arrived encrypted into the admin pages and these encrypted details could be copied and pasted onto my desktop and decrypted by pgp ???

Anyone?

Anyone done this?

[michael_s]

The standard CC class is not secure, and I don't recommend using it. There is a GPG email encryption module that I recommend. It encrypts the order info and emails it to you. You decrypt it through your email client. Works like a charm. Get it over at oscommerce.com contributions section.

[Rodland]

Thanks - does this module store the order details in the admin pages too (apart from the cc details?).

[michael_s]

Actually, all it does is email you the order number and CC#. All the rest of the details are stored in the database.

[ozstar]

Found the contrib, but the install instructs are a bit loose.... (quote)

"You have to change the path to gpg, the dir where your keys reside and the recipient's email address" (unquote)

This is the only place I can see in ccgpg.

1. recipient I get okay.. sales@myplace.com
2. home/equin-m/temp - not sure about the temp dir as I don't have one yet. home/ID/www/temp???
3. gpg path - you got me!

-----------------
one function after_process() {
global $HTTP_POST_VARS, $insert_id;

if ( (defined('MODULE_PAYMENT_CCGPG_ENCRYPT')) && (MODULE_PAYMENT_CCGPG_ENCRYPT == 'GPG') ) {
$message = 'Order #' . $insert_id . "\n\n" . 'Number: ' . $this->cc_complete . "\n\n";
$tmpToken = md5(uniqid(rand()));
$plainTxt = "/home/equine-m/temp/" . "$tmpToken" . "anca";
$crypted = "/home/equine-m/temp/" . "$tmpToken" . "anca.asc";
$gpghome="/home/equine-m/"; //where is your pubring? That dir has to have write access.
$gpgpath="gpg"; //where is the executable
$gpgrecipient="Glen Ross (emailkey) <glenr@datafast.net.au>"; //the key used for encryption
$fp = fopen($plainTxt, "w+");
fputs($fp, $message);

_____

Thanks

[michael_s]

1. OK
2. Make a dir named temp in your account, and consrtuct the correct path to it.
3. gpg path is usually just gpg, but from the shell, type whereis gpg and it will tell you the path.

[ozstar]

I now have the gpg path.. /usr/bin/gpg

But in 'install' it says go to Admin and press the button to enable it.

This I can't see. Where is it in Admin.

Thanks

[michael_s]

It will be under the modules/payment section of the Admin... It is the disabled Credit Card module...

[Rodland]

I'm in the process of installing this module but I'm having a few problems with the executable gpg file.

I don't have command line access for my server so can't type whereis gpg but I can access all the directories and can't find it anywhere.

I have installed GPG on my personal computer and am able to encrypt and decrypt data and export public keys.

I have created the temp folders and uploaded the public key to the relevant directory on my server. But the only gpg executable I can find is on my personal computer under the hidden path /usr/local/bin/gpg

How on earth do I get this to my server? If I have to install it rather than upload it how do I do this and will this make the private and public keys I've created on my personal computer redundant?

CMR