Storage of Credit Cards

We set up the store to use Paypal Direct on Nopcommerce 2.5. The program appears to store the encrypted version of credit cards inside the database. It does not seem to store the 3-digit code nor the expiration, but only the encrypted credit card numbers.

Is there any way to turn this feature off, so that the program will not store the card numbers at all?

dcastranio wrote:
Can you please share it with the community? I mean nopCommerce 2.5 =))) ...kidding. The latest version of nopCommerce is 2.10

dcastranio wrote:
No, it doesn't store credit cards when using third-party payment methods (such as PayPal). It stores credit cards only when you're using 'Manual Processing' payment method

My apologies to the forum. I am simultaneously working on a project with BlogEngine 2.5 and NOPCommerce 2.1. Both open source projects are very nice, but I admit my head is spinning sometimes.

I have our store hooked up with Paypal Direct, and in the back end SQL it is storing an encrypted version of the card, and the encryption key appears to be in the db as well. I do not want to store even an encrypted version.

Actually, what I am seeing in the database is called "MaskedCreditCardNumber" and it is encrypted. Is this only the last 4 encrypted, so the admin can match up the order?

Or is it the entire number encrypted. This is a big difference.

Storing masked credit card number is allowed. There's nothing bad about it. And nopCommerce stores it, but the entire CC number isn't stored.

Thanks for the clarification.

Is there a way to not encrypt the credit card type (visa, mastercard, etc.) and keep the number encrypted?  When reconciling to our merchant statement, it makes it easier to match up the card type (visa, mastercard, etc.) to those amounts.

Hello?  Anyone know how to enable the credit card name to not be encrypted but keep the credit card number encrypted?  

Remember, everything has to be imported into an accounting system.  The website is only an order taking system.  

When you have to remit sales tax  - it comes from your accounting system.
When you do bank reconciliation - it comes from you accounting system.
When you run your financials - it comes from your accounting system
When you get audited - it comes from your accounting system. The IRS doesn't give a rats ass about your store front.

This website is excellent but I have yet to meet a web developer that keeps in the back of their mind - all orders must be imported into the accounting system so keep what accounting needs in mind when developing.  

If I could make one comment about the design of this site is - it could be a little more de-normalized. Normalizing everything is TEXTBOOK not real world.  

But my hat's off to the designers.

a.m. wrote:

This is an older post, so just to be clear, you're saying only the last 4 digits of the CC# are stored in Nop? And it's hashed?

I'm brand new to nopCommerce so please forgive me if this seems a stupid question.  You say that the entire CC isn't stored.  How is it that I can see the entire CC# and CVV2 when I view order details?  I'm running 3.6 in Visual Studio 2013 until I can prove it does what we need, then I can move it to a proper server.