Credit card entry option on the order edit form in store admin is misleading and cannot work - remove [#597022]

Hi,

I kept getting "CardNumber length invalid" messages and Invalid Transactions with my payment gateway, SagePay, but only when the client manually built an order. Investigating further, I printed the $order object where it was being used to build the form in the form function and saw that $order->payment_details['cc_number'] only contained the last four digits.

So I decided to decrypt and check $order->data['cc_data'], the encrypted card data, using:

      // Initialize the encryption key and class.
      $key = uc_credit_encryption_key();
      $crypt = new uc_encryption_class;

      // Save the unencrypted CC details for the duration of this request.
      $cc_cache = unserialize($crypt->decrypt($key, $order->data['cc_data']));
      print_r($cc_cache);

And sure enough, again, just the last four digits.

Clearly the card data is not sticking around in a full enough form to be able to process a transaction later, after it has been applied to an order.

Comment	File	Size	Author
#6	uc_credit_order_edit_details_5.patch	819 bytes	rszrama
#6	uc_credit_order_edit_details_6.patch	819 bytes	rszrama
#2	597022-uc_remove_card_form.patch	667 bytes	greg.harvey

Comments

Comment #1

greg.harvey

English

Occitanie, France

commented 6 October 2009 at 13:18

Title:	The credit card terminal tries to sent only the last four digits of the card number to payment gateways (Process card form)	» Credit card entry option on the order edit form in store admin is misleading and cannot work - remove
Priority:	Critical	» Normal

This turned out to be confusion caused by the UI. You can enter (and my client was entering) card data on the preceding screen, edit order, but if you do that then UC cannot save the card data and be PCI DSS compliant, as I understand it. So it doesn't.

Which begs the question, why is that there at all? It's misleading and confusing. IMHO it should be removed.