E-Mail not sending The CC Verification Code


captjim
March 25th, 2005, 10:15 AM
Hi,

I have my option set to e-mail me the CC number & other Info.

But I am not getting the credit card verification # (called security code or Cvv2/CVC depending where you look)

The order_notification_e-mail.php page just shows <?=$CCInfo?> but I can't find it in the SQ files. I think this is where it should be added but where would it be and what would be the code to include so I will get it mailed?

Thanks

Jamie
March 25th, 2005, 12:01 PM
Hi,

This is by design. It is prohibited by MasterCard and Visa to store the CVV/CVC codes in any format.

captjim
March 25th, 2005, 12:41 PM
Hi,

I don't understand your reply

The program collects the information and I am asking for you to send it to me, not store it. You need this option when the "process credit cards yourself" option is used.

Are you saying the program will not send this information via e-mail?
And that if I use the other option, not to send the cc info, it will not be posted on the order screen. Then how do I get it?

For those clients who process their own cc information, especially through QuickBooks, this is required.

I called up my credit card processing company (Wells Fargo) and they never heard of this prohibition.

Jamie
March 25th, 2005, 01:52 PM
Hi,

Here is a quote from a Visa FAQ on compliance (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_FAQ.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp.html|CISP%20Frequently%20Asked%20Questions) :
When is it acceptable to store Card Verification Value 2 (CVV2)? It is never acceptable for Acquirers, merchants, or service providers to retain CVV2, which consists of the last three digits printed on the signature panel of all Visa Cards, subsequent to transaction authorization. The Visa Operating Regulations prohibit such storage, whether encrypted or unencrypted.

Now, it is technically OK with them to have it only until the transaction is complete. We do not email it because:
1. We have no control over the email once it is sent.
2. Email can be intercepted, and is in plain, unencrypted text.
3. Email is commonly stored, and we can't write code that could result in a violation of this regulation.
4. Visa issues fines up to $500,000 for violating this policy.
5. Many customers when entering their credit card information on a website believe that the transaction is complete when they receive confirmation of this on the thank you page.

We recommend against using the email credit card number feature. You can read this recommendation in the documentation here:
http://www.squirrelcart.com/help/1.5.0/?4.5.1.2.4

If you are concerned about your customer's security, it really is best to use a payment gateway.
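
As an added illustration of the handling Jamie describes (this is not SquirrelCart code and not from anyone in this thread): the order notification gets only a masked card number and expiry, the card code is refused if it is ever passed into the notification data, and any outgoing text is scanned for leaked card numbers or card-code fields before it is sent or logged. Python is used here for illustration only; the function names, the Luhn check (a public algorithm) and the sample order text are constructed assumptions, and 4111111111111111 is a well-known test number, not a real card.

```python
import re
from typing import Dict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (public algorithm) over a string of decimal digits."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a notification needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_cc_info(card: Dict[str, str]) -> str:
    """Build the CCInfo string for an order notification.

    Only brand, last four and expiry are emitted.  A 'cvv' key is rejected
    outright so the card code can never reach e-mail, a database or a log
    through this path.  (Assumed field names, not SquirrelCart's.)
    """
    pan = re.sub(r"[\s-]", "", card["number"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed length/Luhn check")
    if "cvv" in card:
        raise ValueError("card code must not be passed into notification data")
    return f"{card['brand']} ending {pan[-4:]}, expires {card['expiry']}"


# Defence in depth for text that is about to leave the application:
# card-code fields are removed, and 13-19 digit runs that pass Luhn are masked.
_CODE_FIELD = re.compile(
    r"(?i)\b(cvv2?|cvc|cid|card code|security code)\s*[:=]?\s*\d{3,4}\b"
)
_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def redact_card_data(text: str) -> str:
    """Redact card codes and Luhn-valid card numbers from outgoing text.

    Order numbers and other digit runs that fail Luhn are left untouched,
    so the filter does not mangle ordinary order data.
    """
    text = _CODE_FIELD.sub(lambda m: f"{m.group(1)}: [removed]", text)
    return _DIGIT_RUN.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0),
        text,
    )


# Constructed sample: what a careless template might otherwise put in an e-mail.
SAMPLE_NOTIFICATION = "Card: 4111111111111111 CVV: 123 Order 1000123456789"

if __name__ == "__main__":
    card = {"brand": "Visa", "number": "4111 1111 1111 1111", "expiry": "12/2009"}
    print(build_cc_info(card))
    print(redact_card_data(SAMPLE_NOTIFICATION))
```

The redaction pass is the piece worth keeping even if you never e-mail card details at all: it is cheap to run over every outbound message and log line, and it catches the case where someone later edits a template to print the whole card structure.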

whiterabbit
July 21st, 2005, 04:18 AM
It is never acceptable for Acquirers, merchants, or service providers to retain CVV2, which consists of the last three digits printed on the signature panel of all Visa Cards, subsequent to transaction authorization.

Jamie,

In no way are you in violation of the terms above by submitting the CVV2 number by email or for storing it in the database. The terms clearly state that it is not acceptable to retain that information SUBSEQUENT to transaction authorization. eCommerce sites large and small regularly persist that information in website variables, on web server disk cache, in databases, and even in emails. Once the payment transaction is AUTHORIZED that data should be purged, as it is no longer needed. I personally delete the card number as well, as I am not offering any scheduled billing based subscription services.

You seem to indicate that you are concerned about possible legal penalties for persisting that information, but the terms are clear: there is no provision against retaining the CVV2 number PRIOR to transaction authorization. It wouldn't make any sense to state that the information couldn't be retained PRIOR to authorization.

I do however completely agree with you that email is insecure and not a recommended vehicle for CC data. How about if you post this info to the database, and add a function to purge it on a per record basis, so we can drop it out of the db once we've processed the payment?

If any doubt remains I'd call VISA and verify the policy with them directly. I need the Cvv2/CVC numbers to process cards on my virtual terminal, so I have to ask my customers to either fax it, email it, or leave it on my voice mail because squirrel cart wouldn't persist this required tidbit.

Cheers,
Max Hodges
Publisher
White Rabbit Press, Tokyo
www.whiterabbitpress.us

Jamie
July 21st, 2005, 09:43 AM
Hello Max,

We aren't changing our policy on this. The best bet in all cases is to use a payment gateway. The card code is meant to validate that the customer has the card in hand. For that reason, sending it via email or storing it in any way (even temporarily) defeats the purpose of the card code.

I am aware of the regulation and that it states it cannot be stored once the transaction is complete. The problem, however, is that once the card code is stored in any form, Squirrelcart loses control over it and can't guarantee that it won't be stored. Mail can be backed up on tape by your web host. So can MySQL databases (should we take your suggestion).

With the ever increasing amount of credit card fraud and identity theft, it is worth the extra investment to use a payment gateway in order to ensure that your customer's data is secure.

whiterabbit
July 21st, 2005, 10:06 AM
it is worth the extra investment to use a payment gateway in order to ensure that your customer's data is secure.

We have a gateway, but SquirrelCart doesn't support it!

Unfortunately the workaround is to ask the customer to leave it on our voice mail or fax it to us. We've received orders from customers in 25 countries, so the voice mail and fax option isn't appreciated (global long distance for some.) Thus, with Squirrelcart we have little choice but to email it.

Just as we were about to sign up with authorize.net, PayPal released their gateway service. I have to collect the credit card information in order to use the PayPal virtual terminal service, but Squirrelcart isn't collecting all the information we need, so the customer is being inconvenienced and we have to do a lot of extra work to get the security code from them.

If someone's credit card data is stolen, it doesn't really matter if they lose their CVC/CVVS/CID number as well; most of the largest eCommerce sites on the web (Amazon.com, Buy.com, etc.) do not ask for CVVs.

Jamie
July 21st, 2005, 10:21 AM
We have a gateway, but SquirrelCart doesn't support it!
Name your gateway in the Requests forum, and we will add support for it.

if someone's credit card data is stolen, it doesn't really matter if they lose their CVC/CVVS/CID number as well, most of the largest eCommerce sites on the web (Amazon.com, Buy.com, etc.) do not ask for CVVs.

The whole idea behind the card code is to add something to the card that is not stored, and is entered by the customer at the time of the transaction. Unfortunately, they have become less reliable because of some companies storing them and not protecting the data. As a result of this, it is possible to receive a fraudulent order from someone that has the card code and does not actually have the card present. With all this in mind, it is still a good indicator of the likelihood that the customer actually has the card.

whiterabbit
July 21st, 2005, 10:42 AM
our gateway is PayPal's new cc processor...

how about this: what if squirrelcart emails both the CC and the CVVs but ONLY to separate email accounts on different domains? Linked by the order number? just a thought...I'm sure you'll shoot it down :(

Jamie
July 21st, 2005, 11:03 AM
our gateway is PayPal's new cc processor...

This service was just announced recently by PayPal, and we haven't had much time since the announcement to add it. There is a post elsewhere about this, and we will be adding it right after v2.0.0 is released.

how about this: what if squirrelcart emails both the CC and the CVVs but ONLY to separate email accounts on different domains? Linked by the order number? just a thought...I'm sure you'll shoot it down

We aren't changing our policy on this.

captjim
July 21st, 2005, 11:23 AM
Max,

Excellent idea.

Jamie, please give this serious consideration

whiterabbit
July 21st, 2005, 11:28 AM
I knew that, but also there is no commitment on the release schedule right? We have a business to run, so I don't want to sign up for another gateway and then dump it two months later when you guys are ready to handle PayPal. I would lose hundreds in sign-up fees.

Plus, I'm a bit nervous about switching to 2.0 anyway; it's a major build right? I might wait for a few patches to be released before switching.

I *think* a lot of users might prefer to have a PayPal gateway sooner than a release 2.0. Maybe surveying us would help you prioritize which features are most desired. Here is a wonderful, cheap, easy-to-use survey tool:

http://www.chumpsoft.com/products/phpq/

Like, I know you are working to make the admin control function in Firefox, but I myself use Firefox whenever I can, and I'm perfectly willing to switch to IE just to do admin functions. So there are other things, like an affiliate program and a custom weight-based shipping table, that I would give much higher priority to. We ship to 25 countries from warehouses in the US and Japan and Squirrelcart isn't able to handle our shipping needs. I've purchased 3 copies of SquirrelCart, but one of our sites has really grown to the point where it might make sense to switch to something which can be customized to address our shipping needs. I'd really like to get a solution from you, and I'm willing to pay something for it, but so far I've never been taken up on my offer.

Anyway, a survey might help you guys understand what is really important to us. I have chumpsoft's survey tool on my site, so maybe I can put together my own survey in order to quantify demand for future features.

best regards,
Max

Jamie
July 21st, 2005, 11:46 AM
Max,

We have a business to run here as well. v2.0.0 is pretty much completed, barring our FedEx CSP certification. It's already out as a beta, and should be out as a stable release very soon. We will then be adding PayPal's brand new (released on June 20th) payment services after that. We don't need a survey to realize the need for this. We've gotten many requests in both email and in the forums. The schedule for this can't be changed, unless you can find a way to add more hours to the day.

This thread has been locked. We are not changing our policy on sending or storing the card security code, so it is pointless to discuss it further. I have made this very clear a few times already in this thread.

Any new threads regarding this topic will be deleted.