don't want realtime credit card payments online

**joanstead** · 03-07-2005, 10:21 AM

Hi,

I want to be able to accept credit card payments online--just the info, but I do not want it to be processed automatically (realtime) after the customer submits their order.

I already have a merchant account and online payment gateway with eProcessing Network.

I read that the "Credit Card" module is not secure to use, but just for testing purposes. I do have a SSL certificate for my website, so is it still unsafe to use this payment module?

If it is, then how would I go about setting up a payment module that just allows the customer to enter in credit card info?

If this is not possible, and I have to use a realtime gateway, then is there one available for eProcessing Network? I would need help setting it up, so if I have to do it this way, please tell me how to do it, or where the info on how to do it is found. Thank you!

JoAn,

**red_fraggle** · 03-07-2005, 11:39 AM

that module when coupled with an SSL certificate works fine. The insecure part of it is that that module stores the ENTIRE credit card number in the database AND email the ENTIRE credit card number to the store owner. both methods, DB storage and email sending are very non-secure.

You can look at http://www.oscommerce.com/community/contributions for a module for your particular processor. If you dont find one, there are plenty of companies who do custom OSC development like mine for instance. I am not soliciting your business as thats not allowed here, but sounds like you need a custom payment gateway written, and we do provide those services if you need them.

**joanstead** · 03-07-2005, 11:48 AM

so it would be safe to use the 'credit card' payment module as long as i have the SSL certificate?

what about the cc number being emailed to me? is that safe?

like in the past i used a differet shopping cart that emailed the last 4 digits of the cc number with the order details, but in order to get the entire credit card number, i would have to login to the admin site.

Just want to do it the safest way. I do have firewall protection my computer, but don't really know how safe that is if i'm getting emailed credit card numbers.

Thanks,
JoAn

**red_fraggle** · 03-07-2005, 11:54 AM

getting emailed credit card numbers is not safe. Of course we should be overly paranoid, after all whats the likely hood your email will be the next to get captured, sorted, looked through, and used against you?

But it happens everyday. Databases are hacked every day, email is hacked everyday, and then people in Kenya or some other far off lacale end up buying nice fnacy electronics online with your customers credit card numbers.

So, you want to do the following,

USE An SSL Certificate
Use a Payment gateway module for OSC that does NOT store the entire CC # in the DB (or have an existing one modified to not do so)
Use a Payment gateway module for OSC that does NOT send the entire number via email (or have an existing one modified so it uses SMTPS to securely send email to you using your certificate.)

You may of course do anything you like, we have plenty of customers who dont use ssl certs at all, against our better judgement and advice of course. I doubt they get many orders but oh well. Anyway if we can be of assistance let us know.

**red_fraggle** · 03-07-2005, 11:57 AM

PS hackers dont hack email once you've downloaded it usually. So your firewall question is pretty much irrelevent. However they do routinely capture email outgoing from a server email port. Alot of them have fancy scripts they have written just to look through email for any 16 digit number sequences (credit card numbers) and only forward themselves a copy of those emails....

Lots of GREAT programmers in the world, only 1/100000th of them are here helping you, the rest are waiting for those numbers

**joanstead** · 03-07-2005, 12:23 PM

Okay, I have an SSL ceritificate.
I use Eprocessing Network.com for my cc merchant.

Is there a way to take credit card info securely without having to use realtime cc processing?

I really do not want credit cards to be processed automatically. I would rather check over the order and make sure everything is correct and then have the credit card manually charge via online payment gateway.

Let me know what my options are, knowing what I prefer to do.

I am aware of a module for EPN, but I'm not wanting to do real-time cc processing, so does that mean that the EPN cc module is not of any use to me?

JoAn,

**red_fraggle** · 03-07-2005, 01:59 PM

I know most modules have the ability to do "pre-authorization" and "immediate authorization". The module will work fine for you if you can set it to "pre-auth" since this requires you manually set the order status to "authorized" and go to your processors online and authorize the charges so they go through.

Using this would work as it still acts as a credit card payment module in your store, does the verifications, makes sure its a legit card, just doesnt put the orders thtough till you update the order status.