
Need Offline Credit Card Gateway


m0hamedessam


The problem falls with PCI-DSS Compliance rules & regs.

While I know you do not need the CVC (Card Verification Code) for this type of payment, it is still always best not to store card information locally. Even with public/private key encryption, it still is a risk that should be considered.

I know the Blesta team is very cautious when it comes to security, but I still think they may not want to develop it.


The credit card information is split into 2 parts, one is sent to your email while the other is saved in the store. The version that is saved in the store is MCRYPT_RIJNDAEL_256 and base64 using a 40-character randomly generated key that is md5 hashed.

 

Compliance Mode:

- Cardholder name, Card Type, Exp Date are stored in Database

- Card number stored in database like this: xxxx42526325xxxx (and encrypted)

- First and Last 4 (or 3 for Amex) are sent via email to the store owner email like this: 4242xxxxxxxx4563

- CVV is emailed but not stored in the database

- Cardholder name is NOT sent with the email


Mastercard/Visa rules are clear that the CVV may not be stored in any form. Sending the CVV over email is storing, as the message is sent to a mail server where it is retained. Moreover, sending any card data over email is extremely insecure, especially in plain text.

All that's needed to process a card in most instances is the number, expiration date, and CVV. If the email contained the CVV and 8 digits of the card number, it's entirely possible to guess the expiration date and the other 8 digits, as the first four digits tell you the card type and the Luhn algorithm narrows it down significantly.

PCI also states that any portion of the card number stored must be encrypted. This includes the last four digits as well, so again, sending that in plain-text over email is a big no-no.

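Added example, not code from Blesta or from any poster in this thread: the Luhn mod-10 check the post above refers to, applied to the masked pattern 4242xxxxxxxx4563 quoted earlier in the thread (first 4 and last 4 digits visible, 8 middle digits masked). It shows the check itself, how a single unknown position can always be solved once the others are guessed, and exactly how many candidate numbers Luhn leaves for a given mask. The function names and the "x" mask convention are this example's own assumptions.

```python
"""Luhn check plus the search space left behind by a masked card number.

Added example for this thread; it is not code from Blesta or from any
poster. The mask format ('x' = unknown digit) and the function names are
assumptions of this example.
"""
from itertools import product


def luhn_valid(pan: str) -> bool:
    """True if ``pan`` is all ASCII digits and passes the Luhn mod-10 check.

    Starting from the rightmost digit, every second digit is doubled and,
    when the result exceeds 9, reduced by 9 (the same as summing its two
    digits). The sum of all digits must be a multiple of 10.
    """
    if not pan or any(c not in "0123456789" for c in pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _unknown_positions(mask: str) -> list:
    """Indexes of the 'x' characters in a mask such as '4242xxxxxxxx4563'."""
    if not mask or any(c not in "0123456789x" for c in mask):
        raise ValueError("mask must contain only digits and 'x'")
    return [i for i, c in enumerate(mask) if c == "x"]


def complete_mask(mask: str, guess: str) -> str:
    """Fill every 'x' in ``mask`` so that the result is Luhn-valid.

    ``guess`` supplies all unknown digits except the last one; that last
    position is then solved. Doubling-then-reducing is a permutation of
    0..9, so exactly one digit fits in any position, and every guess
    therefore yields exactly one Luhn-valid number.
    """
    unknown = _unknown_positions(mask)
    if not unknown:
        raise ValueError("mask has no unknown digits")
    if len(guess) != len(unknown) - 1 or any(c not in "0123456789" for c in guess):
        raise ValueError("guess must supply digits for all unknowns but the last")
    chars = list(mask)
    for pos, g in zip(unknown[:-1], guess):
        chars[pos] = g
    for d in "0123456789":
        chars[unknown[-1]] = d
        candidate = "".join(chars)
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: one digit always satisfies Luhn")


def luhn_valid_completions(mask: str) -> int:
    """Number of Luhn-valid numbers matching ``mask`` (closed form).

    k unknown digits give 10**k raw combinations; Luhn keeps exactly one
    in ten of them, so 10**(k-1) survive. For 8 masked digits that is
    10**7 candidates, one tenth of brute force.
    """
    k = len(_unknown_positions(mask))
    return 10 ** (k - 1) if k else int(luhn_valid(mask))


def count_by_enumeration(mask: str) -> int:
    """Brute-force confirmation of the closed form for masks with few unknowns.

    Tries every digit combination for the 'x' positions and counts the
    Luhn-valid ones. Limited to 4 unknowns so it finishes quickly.
    """
    unknown = _unknown_positions(mask)
    if len(unknown) > 4:
        raise ValueError("too many unknowns to enumerate; use luhn_valid_completions")
    chars = list(mask)
    valid = 0
    for combo in product("0123456789", repeat=len(unknown)):
        for pos, d in zip(unknown, combo):
            chars[pos] = d
        if luhn_valid("".join(chars)):
            valid += 1
    return valid


if __name__ == "__main__":
    mask = "4242xxxxxxxx4563"  # the pattern quoted in the thread
    print(f"{mask}: {luhn_valid_completions(mask):,} Luhn-valid completions")
    print("one of them:", complete_mask(mask, "0000000"))
    small = "4242424242424xxx"  # 4242 4242 4242 4242 is a well-known test number
    print(small, count_by_enumeration(small), "==", luhn_valid_completions(small))
```

Run it directly to see the counts; the enumeration on a 3-digit mask gives 100 of 1000, matching the closed form, and the 8-digit mask leaves 10,000,000 numbers that all pass the check.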

I suppose a payment gateway could be created that pretended to process a card, but instead sent an email to a staff member to notify them of a manual payment being required. The staff member would need to log into Blesta to view the card details. The CVV would, obviously, not be available at that point. If CVV is required, the only logical solution is to either process payment with the customer on the phone, in person, or via an online payment gateway.
