Card Capture not showing credit card info

[slic535]

I am trying to use the card capture but it wont show the credit card details anywhere. where do I find them at? I am using 5.2.14

[bsmither]

CC5214 should be of a recent-enough version that if you are not accessing your admin site under SSL protocol, then CC will not give you those details.

 

Can you confirm you are accessing admin under https protocol?

 

I would believe you have SSL as any customer would want that when they are entering their card info.

 

If all is as above, there should be a tab "Card Details" when viewing the Order Summary for any given order.

[havenswift-hosting]

Hi

You dont have a SSL certificate installed, so credit card details will not be displayed - this is a basic form of security.

Do you realise the security and PCI implications of using this payment gateway to store card details like this - configuring an SSL is the first of a great number of security steps you will need to undertake in order to use this !

Ian

[slic535]

no I don't have ssl hooked up. I see the part it says card details but it only shows view under ssl. so if I get the ssl it will show it to me correct?

[bsmither]

Actually, my previous reply is not true as stated. If a Card Capture was successful, there would be encrypted details of the card used in the database table CubeCart_order_summary, `offline_capture` field. If there was data recorded there, it would show in the Card Details tab.

 

If you are not under https, then the tab would still be there, but show "View under SSL".

 

It's a basic form of security, but easily programmed around -- if you want to assume the risks of doing that.

[slic535]

how do we do it? credit cards are secured by the card companies. could I not erase the card data after use?

[bsmither]

"credit cards are secured by the card companies"

That is wrong and incorrect thinking in so many ways.

Yes, I believe there is a link to have CubeCart delete the card data from the database.

[havenswift-hosting]

It's a basic form of security, but easily programmed around -- if you want to assume the risks of doing that.

Brian - I know you are trying to be helpful and by-passing the requirement is a very easy code change, but I strongly believe offering a solution is wrong, especially to somebody that obviously doesnt understand the security and PCI implications of using this gateway in the first place.

how do we do it? credit cards are secured by the card companies. could I not erase the card data after use?

How can the credit card details be secured by the card companies - you are storing them in your own database. Yes, there is a way to erase the card details but you are capturing them and storing them, it makes no difference for how long.

You are using this method already on live stores and as you dont have a SSL then undoubtedly you have also not bothered with PCI validation either in which case you have opened yourself up to HUGE fines and lawsuits if any data is stolen

Ian