Credit Card Capture automatic delete?


Ray Hill

I am running CC6 with HTTPS and use the Credit Card Capture gateway module. I often have orders that have the following Transaction log entry: "Success $xx.xx Card Capture (Day) (time) Card Details captured ready for processing offline." However the credit card detail fields are blank. After contacting the customers, I am told that they entered the info and had no indication that there was any problem. I am also experiencing a loss of credit card info on completed orders. On the orders that do come through with Credit card info it seems to disappear either over a period of time or when the status is changed to order complete. But I can't be sure. Any help would be appreciated.

         

Welcome Ray Hill! Glad to see you made it to the forums.

You say the CC details fields are blank, as opposed to showing "View under SSL".

Please use an external utility such as phpMyAdmin (typically provided as a tool in your hosting account's control panel) to access your database directly. In the table CubeCart_order_summary, verify that the 'offline_capture' column has some content (it will be scrambled) for the orders you know that should have CC details.

 


Thanks for the quick reply. Yes, the fields are blank when viewed using HTTPS. I checked the offline_capture in phpMyAdmin and there is scrambled content. However, the fields for those orders in the dashboard under Credit Card Details are just blank in some orders. That's the confusing part to me: out of 6 new orders, 4 had blank fields and two contained credit card info, but all six show "success" under the Transaction Log tab and all 6 have the scrambled content in offline_capture.


Ok, so it is not the case that the CC details in CubeCart_order_summary table, 'offline_capture' column are being deleted.

That means that the "decrypt" functions are not using the same salt and pepper codes that were used to do the encrypting.

Allow me to ask, for the four orders that have a value in the 'offline_capture' database column but show blank fields in the admin Order Summary, do you think the Cart Order Id changed (as weird as that sounds)? Are you using any sort of plugin that gives you an alternate format of the Cart Order Id (should look like yymmdd-hhmmss-rand)?


19 hours ago, Ray Hill said:

I am running CC6 with HTTPS and use the Credit Card Capture gateway module. I often have orders that have the following Transaction log entry: "Success $xx.xx Card Capture (Day) (time) Card Details captured ready for processing offline." However the credit card detail fields are blank. After contacting the customers, I am told that they entered the info and had no indication that there was any problem. I am also experiencing a loss of credit card info on completed orders. On the orders that do come through with Credit card info it seems to disappear either over a period of time or when the status is changed to order complete. But I can't be sure. Any help would be appreciated.

         

The Order Id hasn't changed and I'm not using any plugin that would change it.


IF! (big if) the upgrade caused the contents of the store config data to be lost or, at least, one or two values in the config array to have changed, then the salt (the cart order id is the pepper) would have changed. Thus, rendering the decrypter unable to decrypt the value correctly.

So, the question now is: of all the orders that have a value in the 'offline_capture' database column, the ones that do show CC details versus the ones that do not show CC details, is there a definable split at a time that CC6 was upgraded?

 

 


I hate to sound illiterate but I'm not sure how to know the exact date I upgraded; after suffering with this for days it's sort of a blur. I can say that there is no definable split on the database column. If there is a way to compare the decrypter code on the two versions, that should answer the upgrade question, right? I'm certainly not an expert when it comes to code. Is there a source to decrypt the scrambled information from the database? That would at least allow me to complete the orders.


"I can say that there is no definable split on the database column."

Ok, so of the six orders we are examining, I hear you say that there is no point in time where orders before that point show blanks and where orders after that time show details.

That is (order numbers are examples to show a time-based sequence):
160502-080205-3011 (order placed May 2, 2016 at 08:02:05) blank data
160510-100634-7692 (order placed May 10, 2016 at 10:06:34) shows data
160529-152356-9273 (order placed May 29, 2016 at 15:23:56) blank data

The three orders above, and whether they show CC details or not, seem to be random.

Do you have any backups of the database? If so, do you have several going back for a month or two?


The store is only 2 weeks old; I don't have any back-ups. I hate to throw in the towel but one of the top ten business rules is to make it easy for the customer to give you money. With problems like this, maybe CubeCart was a bad choice. I may end up cutting my losses and moving on.


  • 1 month later...

OK, just found the topic at https://forums.cubecart.com/topic/51242-credit-card-capture-issues/ which is the same issue, but this thread is newer with more effort at tracking a solution.

My CCv6.0.12 store has been live since 02 July (now 21 July) and in that time I've taken 50 orders - mostly PayPal and 13 by card capture (v1.0.5).  Of those 13 I have had 2 with blank card details (that's 15%), even though the transaction log says the details were captured.

So far I haven't been able to reproduce the issue.  There may be a clue in having another admin session open in another tab or browser.  I did try opening another browser the second time it happened to see if it was browser specific (card details were blank in both browsers), but I doubt that I closed the first browser.

So, my suggestion would be to quit out of ALL browsers and try again.

Is there anything else that can be done to ensure that CubeCart doesn't think there is another admin session running?

To add - I thought the first instance of blank credit card details may have been from using functions on the Maintenance tab (clear language, cache, sql cache etc.) but that shouldn't be able to blow away the credit card details.  My other suspicion was that the card details might auto-delete after a time period - so if I was slow in processing they might be gone.

I suggest the card capture plugin also make a note in the order notes (internal) or transaction history when credit card details have been deleted by Admin so there is some kind of audit trail.


  • 3 weeks later...

Another instance of no credit card details - I went to process the order more than 12 hours but less than 24 hours later.  Credit Card Capture has been working fine for a while - this is an intermittent problem with no clear cause.

  • Transaction Logs tab shows this line twice: "Success    $64.10    Card Capture    Yesterday, 18:34    Card Details captured ready for processing offline."
  • Credit Card Details tab shows all fields blank
  • phpMyAdmin > database > CubeCart_order_summary > this order > offline_capture: [BLOB - 256 B] (link to encoded data)

I've tried the following without any success or difference:

  • Logging out of CubeCart admin
  • Closing all browsers
  • Restarting computer
  • Using different browsers
  • Using different devices/platforms
  • Using different networks

On one occasion I did get a View in SSL message in every field and felt hopeful (not sure why it logged in without SSL), but on switching to SSL the fields were blank :(

If the credit card data is there, what is causing CubeCart to not display it?  Is there a way to FORCE CubeCart to display the data?

BTW - each time an order has card details that are blank, the card details appeared blank from the first instance.  If we were able to view the details once then we would have been able to process the order.  We did not edit/change/save the order - we don't make any changes until the credit card has been processed.


Blank fields are the direct result of the decoder not being able to decode the data. The data is there, encoded, as you saw, but the key phrase used to encode the card details is not the same as what is being used to attempt to decode the details.

At one time, the key phrase was your personal CubeCart license number - which is no longer relevant. Now, however, if the key phrase is not in the CONFIG array, a random phrase is generated, saved in the CONFIG array, and used to encode.

The presumption is that the key phrase will remain undisturbed in the CONFIG array forever and ever. (The CONFIG array is databased in the table CubeCart_config, where the name is 'config'.)

If the key phrase used to encode is lost, then decoding is hopeless.

The obvious question is: How could the key phrase get lost/changed between capturing the card details and the admin wanting to view them?


Starting to wonder if discussing a solution to this poses a security issue.

Are you sure the keyphrase is generated once and remains undisturbed?  Is it a complete phrase or is salt/pepper added unique to the order?  Maybe there's a forgotten security feature that refreshes the keyphrase after some elapsed time.  If there's any kind of timestamp, can that be broken with local time changes if the customer/admin/host server are in different time zones?

I can have an order with no card details available and later have card orders that work fine for weeks - so the intermittent nature makes it difficult to track down.  Time elapsed before going to process card details SEEMS to be a factor, but that requires further testing - I'll place test orders each hour for a few days and then see if there is a point where aged orders do/not show card details.


"the intermittent nature makes it difficult to track down."

Exactly.

Examining the code in the file /classes/encryption.class.php, I am convinced that, as long as the key phrase, the cart_order_id of that order, and PHP's MCRYPT library do not change, then all is good. (Of course, I have no intimate knowledge of PHP's MCRYPT library. But in the documentation about the MCRYPT functions, I'm sure if the current time were a factor, there would be major emphasis discussing that fact.)

The key phrase is in the CONFIG array with the 'enc_key' index. The array is databased, as discussed earlier, and so if one were to suffer on a regular basis the 'blank fields' of credit card details, making regular (daily?) backups of the database (at least the base64-encoded value in the 'config' record) would be a wise preamble to any troubleshooting efforts.

 


No upgrades between then and now.

I've just had another card sale - card details are visible for this one but still not showing for the previous card order.  If both are decoded by the same key, is there an issue with how the card details are sometimes encoded?  Could the process be broken or interrupted if the customer navigates back and forward during checkout, double-clicks the submit button, or has a slow connection and the page has not finished loading before they hit submit?


As before, take a note of the current 'enc_key' value in CONFIG. Store that somewhere safe.

If the card details for this order go blank at some point in the future, we will then take note of the 'enc_key' at that time.

The encoding uses the (current) 'enc_key' and the 'cart_order_id' of that order.

We are currently working on how the following happens from recent reports: A customer makes an order and the Cart is given a 'cart_order_id'. Somehow, through some unknown action by the customer, probably the browser's back button, CubeCart could permit losing or gaining items in an established Cart.

But we have not seen any report make mention that the 'cart_order_id' had changed. If you can find evidence of that happening, that would be good to know.

But, you having already mentioned the 'enc_key' had changed "between then and now", I think this is the more promising avenue of research.

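The key mismatch discussed in the posts above shows up only as silently blank fields. As an added example (not CubeCart's code and not written by any poster), the sketch below stores a short key-check value beside each encoded record so the admin side can report which 'enc_key' an order was encoded under, including keys recovered from database backups. The HMAC-based derivation, the key-check field and every key value are assumptions for illustration.

```python
import hashlib
import hmac

KCV_LABEL = b"offline_capture key check v1"  # fixed public label (assumption)

def derive_order_key(enc_key: str, cart_order_id: str) -> bytes:
    # Stand-in derivation: store-wide enc_key combined with the order id.
    # The real derivation in encryption.class.php is not reproduced here.
    return hmac.new(enc_key.encode(), cart_order_id.encode(), hashlib.sha256).digest()

def key_check_value(enc_key: str, cart_order_id: str) -> str:
    # Short fingerprint of the derived key, stored next to the ciphertext.
    order_key = derive_order_key(enc_key, cart_order_id)
    return hmac.new(order_key, KCV_LABEL, hashlib.sha256).hexdigest()[:16]

def match_key(stored_kcv, cart_order_id, candidates):
    # Return the label of the candidate enc_key that reproduces stored_kcv.
    for label, enc_key in candidates.items():
        if hmac.compare_digest(key_check_value(enc_key, cart_order_id), stored_kcv):
            return label
    return None

def triage(orders, candidates, current="current"):
    # Classify each order: decodable now, encoded under a backup key, or unknown.
    report = {}
    for cart_order_id, stored_kcv in orders.items():
        label = match_key(stored_kcv, cart_order_id, candidates)
        if label == current:
            report[cart_order_id] = "ok"
        elif label is not None:
            report[cart_order_id] = f"key drift: encoded under '{label}'"
        else:
            report[cart_order_id] = "no known key matches"
    return report

# Constructed sample data: made-up enc_key values and the three example order
# ids used earlier in the thread. None of these keys are real.
KEYS = {"current": "k-2016-08-11", "backup-july": "k-2016-07-01"}
ORDERS = {
    "160502-080205-3011": key_check_value("k-2016-07-01", "160502-080205-3011"),
    "160510-100634-7692": key_check_value("k-2016-08-11", "160510-100634-7692"),
    "160529-152356-9273": key_check_value("k-unknown", "160529-152356-9273"),
}

if __name__ == "__main__":
    for order_id, status in triage(ORDERS, KEYS).items():
        print(order_id, "->", status)
```

With a check like this, a changed key surfaces as an explicit "key drift" status per order instead of empty card fields.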

Unfortunately, my automatic database backup tool appears to be broken so I don't have any automatic backups during this period.  I did make a manual backup before some major changes at the start of July and the enc_key is different in that copy of the database.  I was really hoping to retrieve another enc_key from a more recent backup, but it was not to be.

No change in the enc_key since August 11 - no blank credit card details since then either.  Pity I can't go back just one more day though.


Archived

This topic is now archived and is closed to further replies.
