[Resolved] Offline Processing

hcabbos Member
in Bugs & Feature Requests edited August 2007
Do you plan on integrating offline payments? Your cart would be perfect for this as a lot of smaller companies have offline credit card processing terminals. If FoxyCart could provide a way to submit credit card info, keep it encrypted, and then provide a way to access the order details, this cart would satisfy a big hole. http://www.phpcart.net/ supports this but not with the clean, XHTML integration that I see in your product.
Comments
  • luke FoxyCart Team
    We've actually thrown around this idea a few times. With PCI compliance and the general concern with internet security in general, I have some reservations about allowing store owners to access credit card information offline. We currently encrypt the card number before dropping it in the database. I'll have to take a look at phpcart.

    Ok, I did that... and I'm scared. I just logged into their demo admin and I see a REALLY scary opportunity for an XSS attack. With the CC info displayed right below the invoice (which is showing user inputted data), it could get messy. Also, they store the CVV code in a database which is a BIG no-no.

    It's all fun and games until someone's store gets hacked and they get sued.

    Anyway, I always worry about the details, just ask Brett. If you have any good ideas about how we could keep this info private and secure, I'd be interested. The way Google Groups hides email addresses comes to mind...
  • Yep, I know security is a big issue and I'm no big-time programmer. I'm just curious: if there's an SSL connection, why isn't PHP's Mcrypt encryption library an option, since it can be used to encrypt and decrypt data? I wonder how the Amazons of the world store this info?
  • luke FoxyCart Team
    Storing encrypted information is no problem (that's what we're doing right now); the problem comes up with how to safely and securely display that information back to the store owner. It's easier to just keep it encrypted. I'll look into some options, but I think the way Google hides email addresses makes a lot of sense. It would require human activity to view the card numbers. That would ensure no automated script could steal the information.
  • Alright. Much appreciated. Perhaps before running too deeply into this, you could start a poll asking if this is even a feature that people would want. I know in the last 2 months, I've run into a couple of clients that wanted this functionality.
  • luke FoxyCart Team
    Yeah, we have a few already that have requested it. It's definitely on our radar.
  • brett FoxyCart Team
    Follow up question for anybody watching this thread: For our own potential liability and peace of mind, are your customers generally PCI compliant? Have they even heard of PCI?

    For those that don't know anything about it: Technically, anybody that handles a credit card number needs to be PCI compliant. There are a few payment gateways out there that require PCI compliance in order to use their gateways. The way FoxyCart is currently set up, PCI compliance should not be required for store owners, since the credit card info isn't available.

    If we make it available we might need PCI compliance on store owners ends. Is that a realistic possibility? Do you think the hassle/burden of compliance would be worth the effort if only for the store owner's peace of mind? Would your store owner clients appreciate that you're keeping them on the up and up or would they just want something easy? Just some thoughts from our internal discussions we've been having.

    PCI on Wikipedia: http://en.wikipedia.org/wiki/PCI_DSS
  • Well, let me tell you where this stands on my end. I listened to what you had to say and your points are valid. In fact, over a week ago, I discussed security issues with the client who prompted this thread. I presented them with 2 options: manual processing and automated via PayPal.

    I just heard today from them and they decided to go the route of PayPal integration. For all the effort involved in securing the credit card information when compared to the low price point for getting started with PayPal, it's just not worth it. Yes, they have offline processing capabilities but:

    1) Keeping things offline prevents them from utilizing the automated processes of PayPal and similar services to their advantage. If time is money, then duplicating efforts that could be addressed simply via PayPal isn't practical.

    2) The up-front costs of trying to secure their app were more than using the Foxycart & PayPal combo.

    So for my modest, non-profit organization, PayPal/Foxycart is the way to go. Bottom line, if you're going to use a site for making money, the client has to see the value in the decisions they make.
  • brett FoxyCart Team
    Right. A lot of people will attempt to save $20/mo when it'll cost hundreds or thousands to work around the monthly fee. (Similarly, using a free/open-source ecommerce app has costs involved as well, like PCI compliance, security patches and maintenance, security certificates, etc.)

    Another good argument for using PayPal or another gateway: They generally do the fraud screening for you. We had a store that had 3 legitimate looking orders come in, but the IPs were all from Ghana. If your client is manually processing that stuff, they might miss the clues, which leads to more issues that end up costing more money down the road.

    (ModernAuthorize or CDGCommerce might be more affordable options than PayPal. Just a heads up.)
  • hi all.

    I have 3 ecommerce clients and they all have existing physical shops and all either use and prefer to use offline payments; 2 of them would switch to modx/foxy today if offline payments were an option.

    I think it comes down to choice: the more payment gateways foxy supports, the bigger the catchment of users.... Same with shipping: my 3 clients don't use the big 3 courier companies, they take the stuff to the post office themselves, and they want to be able to set their own rates.

    keep up the good work guys =)

    0ad
  • luke FoxyCart Team
    Good to know Oad, thanks for your input.

    We do flat rate shipping, btw, just not rules based (yet). We've got some neat ideas for parsing your own shipping rate XML file containing specifics as well... more on that later.

    As for your clients with physical shops, are they PCI compliant?

    For both online and physical stores, offline processing makes a lot of sense. We'll revisit this and see what we'd have to put in place to ensure all of our clients (and their clients) are PCI compliant and are taking proper steps to safeguard their customers' data.
  • luke FoxyCart Team
    Ok, you asked for it... you got it. You can now view credit cards in the transaction history section. Please let me know what you think.
  • Sweeeet. Cheers, luke. So which option do I choose in 'What payment method do you want to use?'

    As far as I can see, they do comply with the 12 PCI-DSS requirements listed on http://en.wikipedia.org/wiki/PCI_DSS. One of them has had dialogue with their bank regarding the misuse of 'customer not present' as a manually inputted credit card transaction for an online sale, but that was years ago now.

    Can I change the default currency as well?
  • brett FoxyCart Team
    Haha, ok so this is one of those "oh wow, are we really that stupid?" moments. We didn't add an "Offline" gateway option. We'll be adding that in the very near future, but if you need to go live immediately you could set it to the Auth.net Test gateway. (The PayPal sandbox seems to have timeout issues, so we don't recommend it.) This should work well enough for the immediate future.

    Changing the default currency: Very very good question/request. You could conceivably do it with some jQuery replacement for the time being. If you need help on that, start a new forum thread and we'll get it going for you. Obviously that's not the most ideal situation, but until we make the entire system's language strings user-editable, that's the best bet for now.

    When are you looking to go live with your stores? We can't promise anything, but if you have a launch date we'll see what we can do to make the currency symbol user-selectable.
  • luke FoxyCart Team
    I've already designed the database and much of the system to anticipate different currency symbols; I haven't built it in just yet because of higher priorities (and, frankly, we didn't have any gateways that used anything but $US). We'll work to implement this in the next version release.

    Thank you so much for your patience with us as we go international. We have big dreams for FoxyCart and we see international ecommerce as the future. We always want to be in step or one step ahead of the future. We'll need your help to get there.
  • Cheers guys

    Very thorough responses (much appreciated... the last forum I joined that had such thorough support was modx =P)

    I will start that currency thread; my launch date for the store is 30th Sept 2007.

    Thanks a million

    0
  • luke FoxyCart Team
    You asked for it... you got it. With the latest store release (0.2.8), offline processing is now a payment option for stores that have begun their monthly subscription. You can also view credit card numbers if your store is paid for.

    Enjoy!

    If you have any problems, please let us know so we can fix 'em. If you don't have any problems and it works rather well for you, let us know also so we can feel warm and fuzzy inside. Better yet, let your friends know. :)
  • Hjaltland Member
    edited September 2007
    * sorry, posted in wrong discussion
  • brett FoxyCart Team
    Update: We removed this offline functionality a while back. What we found was that probably 98% of merchants that wanted this either:
    1: Wanted a gateway we didn't support, or…
    2: Wanted to save $20/mo on a gateway. Or…
    3: They thought they needed the card number to issue refunds.

    Since #1 is pretty easily addressed by us adding a gateway (we're up to something like ~55 or 60 different gateways now), and #2 is addressed with things like Stripe.com, we decided that supporting this wasn't worth the risk. And as far as #3 goes, we haven't yet seen a gateway that does actually require this. It might exist, but we haven't seen it.

    For the 2% of users that do have seriously advanced requirements and are fully PCI compliant, we can discuss options there, but on the whole at this point in the history of the internet and payment technologies, even if you aren't using FoxyCart you still shouldn't be touching CC#s if you can possibly avoid it :)