Create an offline credit card processing module.

This would simply be a searchable form that would default to listing unprocessed orders.
The merchant would print the form, process the cards and fill in the authcodes and check processed.

The credit card numbers should of course be encrypted.

Comments

gordon’s picture

Component: ccard » payment
Status: Active » Closed (won't fix)

This is not possible.

There is no way to securely encrypt the credit card. The web site needs the private key to encrypt the card number and if it is stored locally the system has both the private key and the encrypted credit card.

This means that if the site is compromised the attacker has both the private key and the credit card which he is able to decrypt.

There is no way of doing this safely on a single server model.

regx’s picture

Thank you for the follow up.

This is true also of user passwords, correct? If you use anything other than one-way encryption.
If the server was compromised the attacker would have the key/salt and could decrypt the passwords.

regx’s picture

Couldn't you allow the user to add a public pgp key, where they would have to decrypt the card# locally?
I understand that it is easier to just use an authorization gateway - but theoretically it could be done securely, right?
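
The key split regx proposes above, shown in PHP as an added example (not code from this thread, from Drupal, or from the ccard module): the site holds only the public key and encrypts at intake, while the private key is generated and kept on the merchant's offline machine. The function names and the test card number are constructed for illustration, and PHP's openssl extension is assumed.

```php
<?php
// Added illustration: function and variable names are hypothetical, not Drupal or ccard APIs.

// Merchant's offline machine: generate the key pair once.
$pair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 3072,
]);
if ($pair === false || !openssl_pkey_export($pair, $privatePem)) {
    throw new RuntimeException('key generation failed');
}
// $privatePem never leaves the offline machine; only $publicPem is uploaded.
$publicPem = openssl_pkey_get_details($pair)['key'];

// Web server: has $publicPem and nothing else.
function seal_card_number(string $pan, string $publicPem): string
{
    $digits = preg_replace('/[ -]/', '', $pan);
    if (!preg_match('/^\d{12,19}$/', $digits)) {
        throw new InvalidArgumentException('not a card number');
    }
    // OAEP padding is randomized, so equal card numbers give different ciphertexts.
    if (!openssl_public_encrypt($digits, $ct, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($ct);
}

// Offline machine: the only place the stored value can be opened.
function open_card_number(string $sealed, string $privatePem): string
{
    $ct = base64_decode($sealed, true);
    if ($ct === false
        || !openssl_private_decrypt($ct, $pan, $privatePem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $pan;
}

$stored = seal_card_number('4111 1111 1111 1111', $publicPem); // constructed test number

// Everything the web server holds ($stored and $publicPem) is not enough to decrypt.
$serverCanRead = @openssl_private_decrypt(
    base64_decode($stored), $out, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
var_dump($serverCanRead);

// Back on the offline machine, the private key recovers the number.
echo open_card_number($stored, $privatePem), "\n";
```

The web server still handles each card number in clear at the moment of submission, so this split covers stored records only.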

sime’s picture

Even if you identify a sound solution, the problem would then be finding someone willing to code it.

gordon’s picture

You cannot hold a credit card on the web site securely.

Companies like Amazon have massive backend systems which are completely firewalled, and protected from the outside world, which allow the credit cards to be stored. Then the front end system just passes a token to the specialized payment gateway, which gets the credit card from the secure storage to then pass it to the bank.

The required infrastructure, and time to create the system would be cost prohibitive to the majority of people who would be using E-Commerce.

Also most 1 way encryption methods can be reversed. This includes MD5(), which is used for a lot of password schemes such as Linux and Drupal.

deadmalc’s picture

I would love to help code Drupal to allow this, however this is a minimum of two years of work away.
It isn't just about security either, there is auditing too. To say it is a massive undertaking is an understatement, even big banks struggle with the requirements.

This is a basic overview of what is required:
http://usa.visa.com/download/business/accepting_visa/ops_risk_management...

It is one thing to say you can do it and another to actually get certified. Most PSPs (even the big boys) would probably have had a lot of work to do to get certified, it isn't exactly a walk in the park (otherwise every Tom, Dick and Harry would do it).

This is basically why 90%+ of merchants will use a PSP rather than store the details themselves, I know there are companies that probably do store credit card details without the correct security, but if they get caught, the bill will be a little on the large side - that and the fact that they will probably never be able to handle credit cards again.

Michael Phipps’s picture

THIS IS IMPORTANT.

Don't waste your time looking for manual credit card processing modules. If you do find any, they will not be secure.

BEFORE YOU PRESS THE BACK BUTTON STOP AND THINK ABOUT THAT.

Manual credit card processing requires you to store card details. Encryption is just smoke and mirrors because you will have another page on your site that decrypts the credit card details so they can be read in order for you to manually process it. If I gain access to your website, by hacking either Drupal, or your webhost (which is quite possible), or just sniffing your FTP connections, I can gain access to the code required to decrypt your credit card information.

To do it securely, you need to follow the requirements laid out in the PCI document deadmalc linked to in a previous comment. If you need to convince yourself or someone else that storing credit card information is a stupid idea, read that document.

There are a number of low cost payment gateways out there, that you can securely interact with. Paypal is just one.

nelixtransax’s picture

The best way to handle this is to use a payment gateway that allows you to tokenize the billing information. You can then submit, and discard the credit card information, storing the token in your database. Subsequent transactions are then issued against the token. This eliminates the need to store credit card information and greatly reduces the merchant's risk.

For more information on this type of setup: http://www.transaxgateway.com/Customer-Vault/Payment-Customer-Vault.asp

Cage’s picture

I definitely agree that this form of credit card processing seems difficult to accomplish and have the merchant not be at risk. Even if a solution is found, having someone code it will be quite a task.

Sohodojo Jim’s picture

Please be aware that this issue goes WELL beyond even Cage's sage caution of this being "quite a task." Cage and others are very rightly and strongly suggesting to not even begin to think that you can do this.

The PCI Security Standards are _extremely_ rigorous and non-compliance can be an ultra-liability where a single breach could put you out of business and/or result in such financial liabilities that you and your business would be bankrupt from now until the proverbial cows come home. And keep in mind, ignorance of the standard is no defense in the event of a breach.

For more information see: https://www.pcisecuritystandards.org/index.shtml

In short, I do not believe you can reasonably create and maintain a PCI compliant system without using a payment processing partner with the scale and knowledge to do the "heavy-lifting" of meeting these standards.

--Sohodojo Jim--