Credit Card Number Component

Well this is both very interesting and dangerous. Thank you for sharing it with others, but I'm afraid I can't include it in Webform, as I don't want to shoulder the responsibility of people's financial information (despite this being GPL and being free from liability).

Reason being, even with AES encryption on the server-side, there's no way I can assure that users are submitting the data through SSL. So even though using this the data is encrypted on the server, during transit the information is still insecure (or possibly can be, if you've setup https on your server then you're probably in pretty good shape).

So I hope you understand my position, but thanks again for sharing. I'll leave it available here for others.

@primerg are you available to update your component to make it work with Webform 3.x?

I'll chime in with JDBlank... primerg, any chance you can upgrade this for 3?

Actually we ended up coming up with a new component for web form called "Encrypted Field." It is more generic than CC_Number and can be used for any data that you want stored in an encrypted format.

We are not sure the process for releasing this as it is not really a module but a component of Webform.

Understood JDBlank. I need to encrypt/SSL the field, but I also want to confirm that the number is actually a valid credit card number.

I'm taking the information online, then staff contacts the person to finalise the transaction details.

Here is the component we built, updated for webforms 3.0 plugin api.

It does not validate for ccnumber, I don't immediately see how validation should be done but I did leave the validation method from the original plugin commented out at the bottom of the .inc file. We may end up doing it eventually and if so I will repost that.

Also, we noticed that if you place the encrypted field in a fieldset with other fields and you set the other fields to email, it will always email the encrypted field as well. Not sure if that's a bug in webform itself but thought I would mention it.

-A

Any plans of making #10 into a full module in drupal.org? (or is it already there?)

This is very useful, thanks for posting. It would be nice to have it introduced to the community at large but unfortunately without proper security measures people could do a world of harm.

Hi primerg,

I followed your instructions and the option ccnumber does not show up in form type. Ran update.php, disabled / enabled the module. Any ideas?

I have ssl on the form. My client needs a way to store cc numbers (I know this is not safe). They dont need to be charged at the time of tour booking, only in the event they dont show up for a tour - then charged a deposit. I would like to store the cc number until a week after the tour date, then delete it. Could I automate this process?

David

Thanks.

Bummer, I am getting the error :The webform component encrypted is not able to be displayed. Any ideas?

Thanks

EDIT:

*I moved the files into the wrong locations. Got it sorted out*

I just want to say you all are awesome. Thanks very much for all the work and support on these modules and add-ons.

David

well... how does one mark a comment as spam?

I believe you need to post to the webmaster's mailing list at webmasters@drupal.org

Just wanted to confirm that #10 works for us. Thanks very much for this.

To beef up quicksketch's warning in #2 - There are VERY strict rules around best practices when dealing with and/or storing credit card numbers. Fines for maladministration can run in the millions of USD. Before you implement this willy-nilly, please acquaint yourselves with the risks and requirements: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Removing spam tag.