Credit Card Processing (39 posts)

  1. magicker
    Posted 8 years ago #

    Hi All,

    I have a client who wants a new site and an online shop. I am sure WP is the way forward for both his needs however..

    is there a plugin cart available that simply (and securely) captures and records credit card details (over ssl naturally) in much the same way as Oscommerce does?

    All the plugins I have looked at seem to insist on using paypal or authorize.net or similar and this is no good to my client.

    help... I have looked everywhere for this...


  2. Joni
    Posted 8 years ago #

    I just read about a new premium WP theme that is an ecommerce theme. I can't remember how much it cost off the top of my head but I'm pretty sure it was less than $79.

    I'll try to google and find it. It seemed to have some promise.

    And your client will prolly have to spring for an SSL certificate if he/she doesn't want to use PayPal.

    Let me try to find that theme.

  3. Joni
    Posted 8 years ago #

    Update: That theme only uses PayPal for now. Too bad.

    But .. I did find this:

    It uses payment gateways other than PayPal..

  4. magicker
    Posted 8 years ago #

    this is the problem i am having - i have looked at every e-commerce plugin i can find and they all use payment gateways or paypal..

    all i want is to collect CC info over ssl

    there must be something that can do this,

    I am now taking this client down the oscommerce route.. i dont mind oscommerce but it is clunky and a nightmare to work with.

  5. boober
    Posted 8 years ago #

    collecting and storing cc# in a sites database is way insecure and illegal in most cases. you need to use some sort of payment processor.

  6. magicker
    Posted 8 years ago #

    so every oscommerce site out there not using payment gateways are illegal???

  7. boober
    Posted 8 years ago #

    go to the oscommerce forums and read up on the subject. I build oscommerce sites too, I know the software allows it, that doesn't mean it's proper. You've seen how many people come here with hacked wordpress sites. Imagine if they had a bunch of cc#s in their database.

  8. magicker
    Posted 8 years ago #

    identifying the risks is sensible but claiming that it is illegal is not very helpful.

    amazon / dabs / play etc not only hold CC details but they do so permanently.

    at least with oscommerce or a wordpress plugin with similar capability cc details would only be held for the duration of the transaction.

  9. boober
    Posted 8 years ago #

    do your homework.

  10. Michael Torbert
    WordPress Virtuoso
    Posted 8 years ago #

    It's not illegal to store credit card data, but you have to meet the PCI Standards. It is very expensive to be certified. Like boober suggested, do your homework. Here's a link with a little info, but feel free to use such tools as Google to find more.


  11. magicker
    Posted 8 years ago #

    my homework says you are lost and confused. I can find quite a few conversations which state (quite correctly) that it is illegal to store CVS (the 3 security digits) but clearly not credit card info. E-commerce would grind to a halt if what you claim is true.

  12. boober
    Posted 8 years ago #

    you can't store unencrypted cc numbers. oscommerce doesn't encrypt them, so unless you are using a contrib that encrypts the numbers, you're not PCI compliant. as of 2007 PCI compliance is not a request, or suggestion, it is now a requirement. if someone gets into your database, there are fines of up to $500,000 for EACH number breached. along with losing the ability to process cards at all.

  13. Michael Torbert
    WordPress Virtuoso
    Posted 8 years ago #

    Just a reminder to future readers of this post looking for information. Please do your homework or consult an expert. Those of us who deal with issues such as e-commerce and laws governing it on a daily basis will be happy to help you. Keep in mind that many people contribute incorrect information to this forum and others.
    magicker is incorrect. Just because he or she can find conversations in internet forums stating something doesn't make it true. I'm sure you could find tens of thousands of posts claiming that you can store credit card information as you see fit.
    Fact is, there are many federal laws governing Payment Card Industry and related standards, and many states have such laws as well.

  14. magicker
    Posted 8 years ago #

    hallsofmontezuma, boober

    just pull back a second there chaps. you seem to have missed my point.

    my only objection to what boober said is that he made the claim that storing credit cards is illegal. it's not. being non-pci compliant and storing credit card info could result in massive fines: no one is arguing about that. storing the 3 pin security numbers is a no no.

    being in the UK i have no idea what federal laws require so can't comment.

    hope this clears my thoughts up and sorry if i put anyone out - grateful for the help

  15. Michael Torbert
    WordPress Virtuoso
    Posted 8 years ago #


    Obviously, by default we would be discussing US restrictions.
    Having said that, don't post rumors that you may have read on forums as fact. People that don't know will read it and think it's true as you do.

    You said

    I can find quite a few conversations which state (quite correctly) that it is illegal to store CVS (the 3 security digits) but clearly not credit card info. E-commerce would grind to a halt if what you claim is true.

    ...which one would take to mean that you saw people on message boards or forums stating that storing credit card information is fine. You also specifically state that the e-commerce industry would grind to a halt if this weren't so.
    Most online vendors use gateways. The information is never stored on their server. The client's computer makes a secure connection with the payment gateway, and it's sent directly.
    Some people do store credit card information and don't do it legally. They then possibly post on a forum that this is fine to do. It's not.
    Amazon, etc hold credit card information and are PCI compliant. Amazon does not hold your data permanently, you must authorize them to do so.

    Having said that, there are e-commerce/shopping cart systems out there which will capture credit card information and store it in your database. If you use one of these, and the data isn't encrypted, securely transmitted to your database, which is encrypted and secure to certain standards, and then securely shown to you when you need to view it, you are allowing the possibility for someone to steal that information.
    There are so many ways for this data to be vulnerable. Obviously, the data needs to be submitted through an SSL connection. But what about when it's in the database? Is the information first encrypted? What about the database itself? Is the database secure? Is this on a shared server? What about the sys admins for the server? Linux recently had a vulnerability that allowed users with SSH access the ability to become root (admin) on the server. What about retrieving the information? Is the data securely sent back to your screen?

    You may not feel that you should have any issues with storing credit card data, and I can't speak for the UK, but American Express, Visa U.S.A., MasterCard International, Discover, JCB, and Diners Club, the United States federal government, most state governments, and many countries don't agree with you and certainly require that you comply with the Payment Card Industry standards.
    In fact, many gateways, such as Paypal, require you to be PCI compliant if you store the data temporarily before sending it to them.

    So, before saying things like, "e-commerce would grind to a halt" and "you're lost and confused," please follow my and Boober's advice and do your homework (not on other forums). PCI standards are readily available to vendors and consumers, and thank Hammurabi that relevant laws are as well.

  16. plat
    Posted 8 years ago #

    oh who dont' have ah problem with this surest as it is true even BK's shit chew' that i''l enough fromB''ch they gota'' ol good ol' wit' dat dat always da talk LS. they even applied to my name so tell me again how they care?4349900? and he who him or (hiom) scrupples is the best! how is the feet in the yard wire it to drive! then excuse it cause da say ah' she mautst be lieing but ha it must be nice to be whwo! they claim to be which at no time in difference do (I). is' want be like dat!

  17. Ivovic
    Posted 8 years ago #

    I agree with the last post, whatever it may say.

    As for the discussion, US or UK or AU... it doesn't matter. Storing unencrypted CC details is a no-no. Even storing them encrypted opens you up to potential issues.

    This is one of those cases where an SSL certificate simply isn't any measure of shopping safety, because people like the OP want to go around storing your CC details in clear text on a relatively open DB.

    For crying out loud, life isn't just about YOUR money. People looking to sell online *need* to do it properly.

  18. StrangeAttractor
    Posted 8 years ago #

    But .. I did find this:

    It uses payment gateways other than PayPal..

    Right now, the WP-ecommerce plugin (in link quoted above) seems to be the best game in town. It has some nice features, but it's also a bit kludgy. They have support forums on their site, but it often seems that most questions go unanswered.

    They sell commercial versions of the plugin (~$15, with some extra features) and offer (rather expensive) paid support.

    It is set up to use PayPal as a gateway, which is really just fine for most small business purposes, because a customer does not need to be a PayPal member to purchase through the gateway -- PayPal will accept payments through all of the major credit cards.

    The great advantage is that you don't have to have the huge responsibility and security headache of storing anyone's financial data in your own database. (Regardless of the legality of doing that -- as discussed above -- it would be a very stupid thing to do unless you truly knew what you were doing.)

    The paid version of WP-ecommerce also has an API thingy for some direct credit card gateways.

    This is a pretty complex plugin -- more of a mini-application -- and the development of the plugin has seemed somewhat unfocused IMO -- because, I suspect, they are trying to make this into a viable commercial enterprise and having difficulty allocating their efforts to both the free version and the paid version. That's just my opinion, however.

    Personally, I hope they keep developing it because it works (mostly) well, and is very promising on the whole. Plus there's not much competition at this point, so...

    Anyway, I think this is what you are looking for.

    EDIT: Ah, damn, all that typing and you clearly state that you don't want a solution that uses PayPal or authorize.net. All right, well, maybe my blather above will be useful to someone looking for similar info, so I'll just let it stand.

  19. Joni
    Posted 8 years ago #

    What's wrong with PayPal? As long as your customer gets his money, what's the difference? PayPal makes sense because it is trusted and very popular (at least here in the U.S.).

    There's a lot of collective knowledge here in this forum; people would do well to listen to it once in awhile, even if it's not what they want to hear.

  20. Ivovic
    Posted 8 years ago #

    paypal has an air of unprofessionalism about it. Its strong association with ebay makes it seem like the choice of back-yard flea market hawkers everywhere.

    ... and it is.

    it also dilutes your brand and does nothing to mask the fact that you're offloading your payment processing to a 3rd party. This isn't trivial to people who are less familiar with what paypal does. All of a sudden they find themselves on another website at the absolute worst moment -- when it's time to hand over their money.

    Up to that point they've made the decision to trust YOU, now they have to make the decision to trust paypal, and with ebay scams getting so much bad press, only the savvy can be trusted to differentiate.

    Beyond that, using paypal absolutely screams "I don't make enough sales to warrant a better payment gateway" -- Is that the message you want to be sending?

    It's not paypal's fault (except for the huge per-transaction fees)... it's just a symptom of being the people's choice at the grass-roots level. Sometimes a little exclusivity and obscurity is a good thing.

  21. Joni
    Posted 8 years ago #

    You callin me a backyard flea market ho? :-P

    I never thought of it that way, but for some folks it is a decent solution. And that includes me. But that might be because I'm here in the land of the crass capitalist piggy. And yes, I've heard the horror stories of having a bank account linked to PayPal only to find all your money gone and your account frozen because PayPal thought you were somehow playing fast and loose. Maybe I've just been fortunate all these years.

    But don't sheeple tend to distrust obscure things?

    There's a great whitepaper here that discusses (from the view of a non profit with a limited budget and an obvious goal of fundraising) various online payment options. Worth a read if you truly want to break away from PayPal. The site requires registration, but other than that, the PDF file (which contains some good although slightly dated info) is free to download.

  22. Ivovic
    Posted 8 years ago #

    LOL, I would never say such a thing... except while naked.

    I love the term sheeple, and I think that sheeple trust men in white coats mostly because they don't have their own white coat. If they did, they might see through the prestige and even let a certain amount of familiarity=contempt creep into the equation.

    Paypal is so familiar and so reachable to pretty much everyone, that when it comes to running a professional site, the impression is that if I can sell using paypal on ebay, you using paypal on your website means you're not much better at this stuff than I am.

    It might be subtle psychology and not hugely relevant to the actual transaction, but subtle psychology makes sales -- and repeat sales.

    Anyway, it has little to do with the bad press for me, and more to do with the branding. I don't want my customers to "leave" my site to have their payment processed. If paypal ever offer the ability to upload a css file I think it will shift my opinion.

    ...at that point, even if it has a big honking paypal logo on it, you look more like a paypal partner, than some schmuck selling $3 taiwanese ipod covers.

    I've rambled on again without really addressing the question... but yeah, I actually do feel like sheeple trust obscure things more than they do familiar ones, precisely because they know their own knowledge/skill level is hugely lacking.

    If they know about it, it must be crap, because there's so much they don't know.

  23. Maxaud
    Posted 8 years ago #

    sorry for bringing up this month old post but you mentioned:

    It's not paypal's fault (except for the huge per-transaction fees)... it's just a symptom of being the people's choice at the grass-roots level.

    I don't see their fees as much different than any other payment processor out there. I use both ECHO and Paypal, ECHO is 2.5%+$.30 where Paypal is 2.9%+$.30 (both for non swiped, also Paypal doesn't charge me a $5 monthly fee like ECHO). So that would be a difference of $.40 for a $100 purchase, not much to worry about IMO.

  24. Anonymous
    Posted 8 years ago #

    I do not know the laws of individual countries however I doubt there are specific laws dealing with storage of credit card data - laws are written to be much less specific...

    That said what most people are more likely referring to is use agreements, just like a EULA. To accept Visa/MasterCard for instance you must accept their merchant agreements which dictate certain security requirements depending on your level of integration. Businesses like PayPal and Protx have a much higher level of security certification to actually store card details...

    ... On behalf of businesses using them. If you use a shopping cart or follow the APIs to accept card details then process them using PayPal/Protx you cannot store the card details yourself (except excerpts to help returning customers identify one versus another). You don't need to.

    When a transaction reports successful you generally receive a receipt. Store the receipt against the customer's details. You are often then allowed to pass subsequent transactions back to the gateway (PayPal/Protx) with the original reference to bill that card.

    There really is no need to store full card data any more. Last four digits of card number plus expiry month/year are normally sufficient.
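
The data-minimisation approach described in posts 24 and 26, as an added example that is not part of the original thread or any poster's code: the shop keeps only the last four digits, the expiry and the gateway's reference, and a Luhn-based scan checks that no full card number has ended up in stored rows or logs. The function names, the gateway reference format and the sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample data: a widely published test number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_GATEWAY_REF = "GW-EXAMPLE-0001"  # hypothetical receipt/reference format

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def storable_record(pan: str, exp_month: int, exp_year: int,
                    gateway_reference: str) -> dict:
    """Build the only card-related row the shop keeps after the gateway
    reports success. There is deliberately no CVV parameter, and the
    full number is discarded once the last four digits are taken."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a plausible card number")
    if not 1 <= exp_month <= 12:
        raise ValueError("expiry month out of range")
    return {
        "last4": digits[-4:],
        "exp_month": exp_month,
        "exp_year": exp_year,
        "gateway_reference": gateway_reference,
    }


def find_full_pans(text: str) -> list:
    """Return masked hits for digit runs that look like full card numbers.
    Intended for sweeping database dumps and log files; the Luhn check
    filters out most order ids and tracking numbers."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


if __name__ == "__main__":
    record = storable_record(SAMPLE_PAN, 9, 2027, SAMPLE_GATEWAY_REF)
    print(record, find_full_pans(str(record)))   # stored row: no hits
    # Constructed log line showing the kind of leak the scan is for.
    print(find_full_pans("2009-01-05 checkout card=4111111111111111 cvv=123"))
```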

  25. outthere
    Posted 8 years ago #

    Everyone wants to make a buck. Some off the backs of others. That's free enterprise. People have been sold on the idea of "You must have a web presence". At any rate, get a real site. Call Discover, American Express, Visa. If there is money to be made, do it right. It will take days/weeks to set everything up.
    Why would you want to store information? It makes you liable.
    Get an SSL, from your host, not some cheesy shared one and do business. Be honest. It will cost.
    Get a real website.
    I recently downloaded wp shopping cart, and hats off. it works great.
    The difference between VPASP or some other site cart on a website and a WordPress blog, well...
    I love WordPress. It brings it down to the common man. Kinda like FrontPage. And It creates a market.
    Anyway,,,,,,,,,, you decide.
    Spend some money and time. (Theirs.)

  26. Anonymous
    Posted 8 years ago #

    If you have a proper e-commerce environment (which WP is not, although I guess you could do enough coding to make it like one, but by the time you do all that work oscommerce would be looking better and better), configure it (and the server it's on) properly, and then use it to pass the CC info DIRECT to your gateway (which your merchant bank set you up with):

    a) your security risks are greatly minimized.
    b) your store doesn't need to store the CC info (you're just responsible for sending it securely back and forth from the customer to the gateway)
    c) you can still view your customer's CC info if need be (to handle a repeat sale over the phone or e-mail if they just say "use the card I used last time", for example) by logging into your gateway account. No, you won't have the CVV2, because not even a gateway provider is going to store that (it's expressly forbidden by the card company's rules).


  27. flick
    Posted 8 years ago #

    From a consumer pov (since I really haven't ever setup an e-commerce site) I'm often always glad to read that sites accept Paypal.


    Because there are some shops I will only purchase from once, and I would feel even a slight twinge of concern to know that they had my card details, even though I do trust them enough with my delivery details, who knows really? That's where Paypal - as the middle-man - comes in, I know that these stores will only receive my payment, and won't have access to my card details.

  28. richarduk
    Posted 8 years ago #

    It's relatively easy to semi-integrate e-commercetemplates with WP

    Professional e commerce cart, you then have the benefit of front end being WP for search engines and for users.

    The cart on its own is functional, and there are endless stores using it - if you're browsing the web and find a square box in the middle of an index page then that's ecommercetemplates, usually going nowhere as there's not enough content and not enough relationship with the customers

    But the combination of WP and ECT is brilliant

  29. RoseCitySister
    Posted 8 years ago #

    Regarding PayPal - I use it to shop online - anywhere and everywhere. I like having guarantees on my purchases, what can I say?

    And so many people use Paypal that a merchant would be foolish not to offer it as a payment choice.

    Just my $2.00 on the matter! ;)

  30. tazatek
    Posted 7 years ago #

    As a credit card processing partner, I can tell you that Visa/MC are requiring PCI compliance and will actually certify that your site meets minimum requirements before issuing a merchant account.

    Matt Kettlewell

Topic Closed

This topic has been closed to new replies.