
I am working with a client to migrate their 12-year-old e-commerce site to a more modern platform. The manner in which they process credit cards is something I don't have experience with, and either I can't seem to punch the right combination of words to get Google to spit out what I'm looking for, or this is an oddity.

Their business does not process any credit card transactions itself. They use the Mal's e-commerce shopping cart, and when customers place orders, the credit card information is stored there, but not processed. Their partner then logs into Mal's and is able to retrieve all the card information and then process it externally on their own equipment.

  1. Is there a common name for this process?
  2. Is this an acceptable practice? (It seems kinda sketchy to me.)
  3. If so, can someone point me in the right direction for research?
Kyle
  • From a PCI and security standpoint this is not really a practice. Will each partner have a Magento admin username/password, and will they be allowed to see all orders? – MagePal Extensions Oct 08 '14 at 16:00
  • Yes, they would have that. I want nothing to do with storing card data in Magento, and it seems like the services I'm looking at integrating with Magento offer tokenized access to card data, and not access to card information itself. – Kyle Oct 08 '14 at 18:48
  • The term you're looking for is known as "Futureproofing yourself back to 1996". Time to move forward, get better rates on your credit card fees, use a gateway to process the cards using far more secure card processing that Magento encourages you to use. Then you can use the processor's web interface to take care of exactly what you do with all those card numbers without having all those card numbers laying around waiting to be ripped off. **They need to change their process to at least 2012 instead of staying stuck in 1998** – Fiasco Labs Oct 09 '14 at 02:10
  • One of several problems with this setup is that as part of your compliance process you would be required to ensure that all these third parties are also fully PCI compliant; you cannot become compliant if they are not. This question is possibly better suited to http://security.stackexchange.com – Alex K. Oct 09 '14 at 10:58
  • I understand it's time to move forward, which is why I'm looking for a path. If they processed cards and had a merchant account, it would be easy. However, the business never processes payment for any reason; they just hold credit card numbers for other businesses to process. This works fine in the Mal's ECommerce platform, but that platform is in direct competition with more modern platforms, such as Magento. They modify products by doing direct database modifications. It's ridiculous, but I am trying to find a path to 2014. Maybe it's just customizing something to tie Magento in. – Kyle Oct 10 '14 at 18:56
  • Perhaps try asking at the sister site http://magento.stackexchange.com/ – Alex K. Oct 11 '14 at 14:08
  • Sorry I didn't notice this earlier. "they just hold credit card numbers for other businesses to process". That is the definition of a 'payment gateway' or 'payment service provider' in the eyes of PCI compliance. Your easiest path forward is to migrate to a modern 3rd party payment service provider that you pass card details to, and returns tokens for you to store. If you're determined to hold onto the raw card data, then the full weight of PCI compliance bears down on you, and other questions like this: http://stackoverflow.com/questions/3770151 may be useful – PaulG Oct 23 '14 at 07:14
  • Thanks for all the input. I'm trying to convince the 70 year old owner to modernize completely. I appreciate all the comments. – Kyle Oct 31 '14 at 16:38
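
The two flows discussed above, side by side, as an added example that is not part of the question or of any commenter's code: the legacy flow where the cart's own database holds the raw card number for a partner to read later, and the flow PaulG describes, where the card number goes straight to a payment service provider (PSP) that hands back a token, so the merchant's order records carry only the token and the last four digits and the partner charges via the PSP instead of reading card numbers. `FakePSP`, its in-memory vault, the `tok_` token format, and the `luhn_ok`/`find_pans` helpers are stand-ins invented for this example, not any real provider's API; the card number is the widely published Visa test number, and the order amounts are constructed.

```python
"""Added example: raw-PAN storage (the question's setup) versus a tokenised
PSP flow (PaulG's suggestion). FakePSP is a hypothetical stand-in for a real
PCI-scoped provider; the token format and vault are assumptions."""
import json
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check on a card number; separators (spaces, dashes) are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FakePSP:
    """Hypothetical payment service provider: holds the PAN, hands out a token,
    and is the only party that can charge against it."""

    def __init__(self):
        self._vault = {}        # token -> PAN; never leaves the PSP

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)   # assumed token format
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """What the partner calls instead of reading the card number."""
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"token": token, "amount_cents": amount_cents, "status": "approved"}


# --- Merchant side -------------------------------------------------------

def store_order_legacy(pan: str, amount_cents: int) -> dict:
    """The flow in the question: the raw card number sits in the cart database."""
    return {"amount_cents": amount_cents, "card_number": pan}


def store_order_tokenized(psp: FakePSP, pan: str, amount_cents: int) -> dict:
    """Tokenised flow: the PAN is handed to the PSP at order time and only the
    token plus last four digits are persisted by the merchant."""
    token = psp.tokenize(pan)
    return {"amount_cents": amount_cents, "card_token": token, "last4": pan[-4:]}


# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(blob: str) -> list:
    """Scan serialised storage (a DB dump, a log file) for anything that looks
    like a card number and passes Luhn: a cheap check that the tokenised store
    really holds no PANs."""
    return [m.group() for m in PAN_RE.finditer(blob) if luhn_ok(m.group())]


def demo():
    psp = FakePSP()
    pan = "4111111111111111"   # constructed: the widely published Visa test number
    legacy = store_order_legacy(pan, 4999)
    tokenised = store_order_tokenized(psp, pan, 4999)
    leaked_legacy = find_pans(json.dumps(legacy))        # the PAN is right there
    leaked_tokenised = find_pans(json.dumps(tokenised))  # nothing to find
    receipt = psp.charge(tokenised["card_token"], 4999)  # partner charges by token
    return leaked_legacy, leaked_tokenised, receipt


if __name__ == "__main__":
    print(demo())
```

The point of `find_pans` is that "we only store tokens" is a claim worth checking: run it over a database export or the cart's log files before and after the migration, and the legacy store will light up while the tokenised one stays empty. With a real PSP the partner is given a login to the provider's own console (as Fiasco Labs suggests) or an API key that can charge tokens, and never a way to retrieve the card numbers behind them.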

0 Answers