Offline Processing - Missing validation number

HjaltlandHjaltland Member
in Bugs & Feature Requests edited September 2007
Hi, I've setup a UK-based FoxyCart store, for a client, with offline processing - thanks for adding the necessary features! However, there's two things preventing me from launching:

1. The checkout does not ask for the 3-digit validation number. Can this feature please be added?

2. The transaction reports didn't display the credit numbers. After going through the Show Credit Cart Numbers process, only "CC# Exp. Date -" is shown under the ID column. Any ideas?

  • lukeluke FoxyCart Team
    Hello Hjaltland.

    Take a look at this thread for more information on offline processing. Legally, we're not allowed to store the 3-digit validation number, so we don't collect it for offline processing. If any other cart claims to be able to provide you with that information, they are breaking the law.

    As for #2... that sounds like a bug. It sounds like someone was able to submit a transaction without entering a credit card. It might be that offline processing doesn't force the credit card to be saved, which would be a problem. We force a save for subscriptions, but we may have missed it for offline processing. We'll take a look at that and get back to you shortly.
  • lukeluke FoxyCart Team
    Hjaltland, which store are you referring to? Is it Shetland? If so, I don't see that any transactions have been processed yet. Please reply with the store you're referring to.

    Also, for reasons mentioned in the thread I linked to above, we don't currently include the credit card numbers in the transaction history export file.
  • Luke,

    Not that I think you should store the CVV number, but I keep hearing this reference that it is not "legal" to do so. Can you point me to the statute or regulation that prohibits the storage of such information?
  • lukeluke FoxyCart Team
    Well, maybe "legal" is not the right word... but I know it violates both Visa and MasterCards terms of service. Here's a quote from Bank of America (that's one of the first that came on Google, but all the banks and gateways have the same language):

    When is it acceptable to store CVV2 & CVC2?
    "It is never acceptable for acquirers, merchants, or service providers to retain CVV2 & CVC2, which consists of the last three digits printed on the signature panel of all Visa & MasterCard cards, subsequent to transaction authorization. The Visa & MasterCard Operating Regulations prohibit such storage, whether encrypted or unencrypted."

    from Bank of America
  • Thanks for the replies Luke. The store is indeed 'Shetland'.

    Regarding the 3-digit validation number, I understand from my client that he cannot process orders without this number.

    If he was to phone a customer and obtain the number from them, would he not face the same legal problem regarding storing the number? I did a bit of searching on Google and, as you say, the 3 digit number definitely should not be stored "subsequent to transaction authorization". But what about prior to transaction authorisation? Also, could there be a difference between the US & UK systems?

    Obviously I want to keep everyone involved secure and on the right side of the law. Having said that, my client has made it clear that he cannot process payments without the 3-digit number. Any offline payment processing option that does not ask customers for this 3-digit number is useless to him. (If anyone knows of a way he can process offline orders without the 3-digit code, I would appreciate hearing from them).

    Regarding the display credit card bug, I ran through two orders myself and the same problem still persists.

    I can see text saying "CC#” and “Exp. Date -" in the ID column, but the values for these are not shown – the system only displayed the titles/headings.

    I note that a 'delete order' feature would be handy for added security and to delete my test orders.

  • lukeluke FoxyCart Team

    Your client may be talking about a "card present" transaction, which offline processing is not. Are they using a virtual terminal to process the numbers? One organization I've worked with processes over $300,000 every month without using the CVV2. Subscriptions don't use the CVV2 either.

    Based on how I've read the documentation, at no time should the CVV2 be stored. If we went against Visa or MasterCard's regulations that could be the end of FoxyCart so obviously we won't take that risk.

    If we implemented a UK payment gateway, would that solve everyone's problems so your client could just get the money right away? Honestly, offline processing doesn't make a lot of sense when things can be done automatically.

    As for the "bug", did you check the "store my credit card for future use" checkbox when you completed the transaction? If you check that box, the credit card will be encrypted and stored when the transaction is complete. The next store version we release will force this item to be checked for offline processing.

    As for a "delete order" feature, that's the point of the "hide transaction" feature. We've discussed this with a few of our clients and everyone agreed they would not want transactions to be deleted completely, but just wanted them hidden from view.
  • Luke, I don't think it is necessary either. But the way I read that language would allow for the storage of the CVV/2 number. It is just required that it is not stored after the transaction has been authorized. If people do need it, maybe there is someway to have it automatically deleted X hours after it is viewed by the shop owner.
  • lukeluke FoxyCart Team
    Hmmm... sounds kind of shady to me. With offline processing (as an example), how would we know exactly when the transaction was charged? What happens when someone views it, but doesn't charge it right then and we delete it? Or worse, we don't delete it right away (not for x hours or so) but the transaction just got charged so we're technically in violation of the terms?

    If it's not needed, it seems to make more sense to stay away from it.

    If this becomes a concern that a lot of people have or if other major, reputable shopping cart companies do it this way, then I'm all for it. Even in that case, I'd probably want to call up someone from Visa and MasterCard just to be sure though.
  • Hey Luke,

    I'm having the same problems as Hjaltland. I have a store set up for "offline processing" as well and I just did a test run with my own credit card and it did not store the credit card information either. I know you mentioned in the future you will set it up so that they don't have the choice to store the information for future use. You had said above:
    As for the "bug", did you check the "store my credit card for future use" checkbox when you completed the transaction? If you check that box, the credit card will be encrypted and stored when the transaction is complete. The next store version we release will force this item to be checked for offline processing.

    As will probably happen, most of the customers who enter their credit card information will not instinctively click on the "store my credit card for future use" thus defeating the purpose of offline processing.

    I guess I'm in a bit of a bind b/c I'm launching this sign up tomorrow for a local company and they're expecting sign ups tomorrow (actually's 12:20 in the morning now) for a conference.

    Any suggestions? Otherwise, I'm in trouble! :)
  • lukeluke FoxyCart Team
    I was planing on fixing this over the weekend, but unfortunately I never got around to it. Never fear, you can handle it rather easily with a little bit of JavaScript. Just add this somewhere after ^^checkout^^ in your template:
    <script type="text/javascript" charset="utf-8">
    	$j("#save_cc").click(function() {
    		this.checked = true;
    	$j("#save_cc").get(0).checked = true;

    That will check it by default and keep it checked.
  • Thank you so much for handling that've saved my life!

    Among many reasons, this is the thing that keeps bringing me back to Foxy Cart...the way you guys handle things so quickly! Thanks a million times over!
  • Thanks Luke, the javascript code fixed the credit card number storage problem for me too.
Sign In or Register to comment.