Credit Card Number Security

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
Here's the link to that work item: http://nopcommerce.codeplex.com/workitem/9959

I noticed that "Impact" field for this is set to "Low." I'd argue that, due to PCI compliance and security concerns, it should be assigned a higher impact.

Based on my experience with other shopping cart systems (what's orthodox for most), plus research on PCI compliance, it seems like the behavior should be the following:

1. If Manual Processing is used, the CVV is NOT stored at all (the credit card companies really do NOT like it being stored at all)

2. When processing an order, clicking the "Mark as paid" button causes all BUT the last 4 digits of the credit card to automatically be overwritten (typically the numbers are overridden with X's as placeholders), like this: XXXX-XXXX-XXXX-1111

Retaining the last 4 digits helps by allowing customers to identify which card was used for the purchase without revealing the whole card number.

Any thoughts from other users, especially based on their interactions with the banks or credit card companies?
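As an added example (not code from this thread or from nopCommerce), here is what the two rules above look like as a "Mark as paid" sanitiser, plus a Luhn-based scan a merchant can run over a database export or log file to detect unmasked card numbers that slipped through. The record type and field names are assumptions, not nopCommerce's schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical order record (field names are assumptions, not nopCommerce's).
@dataclass
class CardOrder:
    order_id: int
    card_number: str
    cvv: Optional[str]   # must never reach persistent storage
    expiry: str

def luhn_valid(digits: str) -> bool:
    # Standard Luhn mod-10 check; real PANs pass it, masked/garbage strings do not.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    # Overwrite every digit except the last four with 'X', keeping separators,
    # so 4111-1111-1111-1111 becomes XXXX-XXXX-XXXX-1111. Works for 15-digit Amex too.
    digit_count = sum(c.isdigit() for c in pan)
    if digit_count < 13:
        raise ValueError("not a card number")
    keep_from = digit_count - 4
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("X" if seen < keep_from else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def mark_as_paid(order: CardOrder) -> CardOrder:
    # The record that should be persisted once payment is taken: masked PAN, no CVV.
    return CardOrder(order.order_id, mask_pan(order.card_number), None, order.expiry)

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")

def find_unmasked_pans(text: str) -> list[str]:
    # Scan stored text (DB dump, log line) for digit runs that Luhn-validate as PANs.
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(m.group())
    return hits
```

Run `find_unmasked_pans` over anything the cart writes to disk; any hit means a full PAN was persisted, which is exactly what the masking step is meant to prevent.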
13 years ago
Those are relevant points.

The only difficulty is that if the CVV number isn't stored (which you're right about, as far as card companies are concerned, it should never be stored or even written down if you take a telephone order) then you cannot manually process the payment (at least not with modern card terminals).
13 years ago
My understanding regarding processing orders manually without the CVV is that it can be done by setting up a merchant account that doesn't require the CVV. It's just that the merchant will be charged higher fees because of the higher risk associated with not capturing the CVV.
13 years ago
haydie wrote:
The only difficulty is that if the CVV number isn't stored (which you're right about, as far as card companies are concerned, it should never be stored or even written down if you take a telephone order) then you cannot manually process the payment (at least not with modern card terminals).

Thanks to everybody for your comments.

We've bitten the bullet and have opened an account with Authorize.net. It would have been less expensive to keep our swipe terminal and continue with manual processing but PCI rules do not allow for any credit card info to be stored at the shopping cart.

My guess is that the days are numbered for the "Manual Processing" mode in nopCommerce.

Regards,
Felix