Ofbiz and saved credit card info

rhodebump
Hi everyone,

It appears that ofbiz is saving credit card information.  While there is sometimes a business need to do this, very often, there is not.  For example, with cybersource and verisign, all you need to store is the authorization code.  With the authorization code, you can perform settlements, and returns.  Of course, there could be a back-office process that runs credit cards, so it would be necessary in that case.

I am bringing this issue up because holding this information is a risk.  It would be nice if ofbiz could provide a means by which organizations would be able to opt out of having credit card information stored for their customers.

If I am mistaken, or misled, or off my rocker, please dish me out some punishment!

Thanks.

Phillip

Re: Ofbiz and saved credit card info

Jacques Le Roux
Administrator
From: "Phillip Rhodes" <[hidden email]>


> Hi everyone,
>
> It appears that ofbiz is saving credit card information.  While there is sometimes a business need to do this, very often, there
> is not.  For example, with cybersource and verisign, all you need to store is the authorization code.  With the authorization code,
> you can perform settlements, and returns.  Of course, there could be a back-office process that runs credit cards, so it would be
> necessary in that case.
>
> I am bringing this issue up because holding this information is a risk.  It would be nice if ofbiz could provide a means by which
> organizations would be able to opt out of having credit card information stored for their customers.

This is an interesting idea, but you should also consider that if for any reason you need to re-authorise the card you will not be
able to (there are some cases you will need to do that: amount change - not able to deliver all -, etc.)

YMMV depending on your payment provider (though I guess an auth is not a re-auth everywhere in the world)

Jacques


RE: Ofbiz and saved credit card info - high risk factor - must be a better way

wikitec

Yes I have to agree Philip ... This is not only a very high risk because it
encourages hackers to break in to obtain this valuable information and in
my opinion it is only asking for trouble.

Looking at the business process of re-authorizing the card in case of
refunding the customer. I am confident there is a way of covering
're-authorise the card' rather than storing credit card details. Or at least
giving the shop owner a way of stopping storing credit card details as I
know I and many others will not use this feature because of the obvious
dangers involved.

Thanks

Phil

> -----Original Message-----
> From: Jacques Le Roux [mailto:[hidden email]]
> Sent: Monday, 22 October 2007 5:58 PM
> To: [hidden email]
> Subject: Re: Ofbiz and saved credit card info
>
> From: "Phillip Rhodes" <[hidden email]>
>
>
> > Hi everyone,
> >
> > It appears that ofbiz is saving credit card information.  While there is
> > sometimes a business need to do this, very often, there
> > is not.  For example, with cybersource and verisign, all you need to store
> > is the authorization code.  With the authorization code,
> > you can perform settlements, and returns.  Of course, there could be a
> > back-office process that runs credit cards, so it would be
> > necessary in that case.
> >
> > I am bringing this issue up because holding this information is a risk.
> > It would be nice if ofbiz could provide a means by which
> > organizations would be able to opt out of having credit card information
> > stored for their customers.
>
> This is an interesting idea, but you should also consider that if for any
> reason you need to re-authorise the card you will not be
> able to (there are some cases you will need to do that: amount change -
> not able to deliver all -, etc.)
>
> YMMV depending on your payment provider (though I guess an auth is not a
> re-auth everywhere in the world)
>
> Jacques


Re: Ofbiz and saved credit card info - high risk factor - must be a better way

David E Jones

This is totally up to the business running OFBiz. Obviously different  
businesses have different policies.

It wouldn't be too hard to change the ecommerce and order processing  
stuff to either not save CC info to the database at all, or to just  
remove the information after the initial authorization is complete.

I don't think you can do a re-auth without the CC info, that is  
usually considered a separate transaction anyway. Of course, if you  
ship things quickly and either rarely or never take backorders, then  
it shouldn't be needed.

All by company policy... there are endless combinations of these  
options and some are available through configuration options and some  
require small code changes, or add-in code or whatever.

OFBiz doesn't enforce or require any policy, but default settings are  
basically meant to represent the most common requirements we see, aka  
"best practices".

-David


On Oct 31, 2007, at 2:03 AM, Philip Laing wrote:

>
> Yes I have to agree Philip ... This is not only a very high risk because it
> encourages hackers to break in to obtain this valuable information and in
> my opinion it is only asking for trouble.
>
> Looking at the business process of re-authorizing the card in case of
> refunding the customer. I am confident there is a way of covering
> 're-authorise the card' rather than storing credit card details. Or at least
> giving the shop owner a way of stopping storing credit card details as I
> know I and many others will not use this feature because of the obvious
> dangers involved.
>
> Thanks
>
> Phil
>
>> -----Original Message-----
>> From: Jacques Le Roux [mailto:[hidden email]]
>> Sent: Monday, 22 October 2007 5:58 PM
>> To: [hidden email]
>> Subject: Re: Ofbiz and saved credit card info
>>
>> From: "Phillip Rhodes" <[hidden email]>
>>
>>
>>> Hi everyone,
>>>
>>> It appears that ofbiz is saving credit card information.  While there is
>>> sometimes a business need to do this, very often, there
>>> is not.  For example, with cybersource and verisign, all you need to store
>>> is the authorization code.  With the authorization code,
>>> you can perform settlements, and returns.  Of course, there could be a
>>> back-office process that runs credit cards, so it would be
>>> necessary in that case.
>>>
>>> I am bringing this issue up because holding this information is a risk.
>>> It would be nice if ofbiz could provide a means by which
>>> organizations would be able to opt out of having credit card information
>>> stored for their customers.
>>
>> This is an interesting idea, but you should also consider that if for any
>> reason you need to re-authorise the card you will not be
>> able to (there are some cases you will need to do that: amount change -
>> not able to deliver all -, etc.)
>>
>> YMMV depending on your payment provider (though I guess an auth is not a
>> re-auth everywhere in the world)
>>
>> Jacques
>
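
The trade-off discussed in the messages above, as an added example that is not part of the original thread and is not OFBiz code: an order record that keeps only the authorization code can still be settled and refunded, but a re-authorization for a changed amount needs the card again. `ToyGateway`, `place_order` and `reauthorize` are hypothetical names, the gateway is a constructed in-memory stand-in, and the card number is a constructed test value.

```python
import secrets


class ToyGateway:
    """Constructed stand-in for a payment processor (hypothetical, not a real API)."""

    def __init__(self):
        self._auths = {}  # auth_code -> authorized amount in cents

    def authorize(self, pan, expiry, amount):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("invalid card number")
        code = secrets.token_hex(4)
        self._auths[code] = amount
        return code

    def settle(self, auth_code, amount):
        # Capture needs only the code and may not exceed the authorized amount.
        return amount <= self._auths.get(auth_code, -1)

    def refund(self, auth_code, amount):
        # A return also references the original authorization, not the card.
        return amount <= self._auths.get(auth_code, -1)


def place_order(gateway, pan, expiry, amount, keep_card):
    """Authorize, then return the record that would be written to the database."""
    record = {"auth_code": gateway.authorize(pan, expiry, amount), "amount": amount}
    if keep_card:
        record.update(pan=pan, expiry=expiry)  # policy: card data is retained
    return record


def reauthorize(gateway, record, new_amount):
    """A new authorization is a separate transaction and needs the card again."""
    if "pan" not in record:
        return None  # nothing stored: the customer must re-enter the card
    code = gateway.authorize(record["pan"], record["expiry"], new_amount)
    record.update(auth_code=code, amount=new_amount)
    return code


if __name__ == "__main__":
    gw = ToyGateway()
    order = place_order(gw, "4111111111111111", "12/30", 5000, keep_card=False)
    print(sorted(order), gw.settle(order["auth_code"], 5000),
          reauthorize(gw, order, 6000))
```
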



Opening ofbiz in Eclipse

SREEVANI
Hi
I am trying to import the ofbiz project to the eclipse workspace
Getting a lot of errors

1.
LocalXAConnectionFactory cannot be resolved to a type
Resource-- DBCPConnectionFactory.java
Path --ofbiz/framework/entity/src/org/ofbiz/entity/connection
2.ManagedDataSource cannot be resolved to a type
DBCPConnectionFactory.java
ofbiz/framework/entity/src/org/ofbiz/entity/connection


How should this be fixed?
What is the starting point for looking into the ofbiz code
Have had a look at the application browsing thro' the webtools URL


Regards
Sreevani



Re: Opening ofbiz in Eclipse

Jacques Le Roux
Administrator
http://docs.ofbiz.org/display/OFBIZ/Eclipse+Tips
http://docs.ofbiz.org/display/OFBIZ/Running+and+Debugging+OFBiz+in+Eclipse

Jacques

From: <[hidden email]>

> Hi
> I am trying to import the ofbiz project to the eclipse workspace
> Getting a lot of errors
>
> 1.
> LocalXAConnectionFactory cannot be resolved to a type
> Resource-- DBCPConnectionFactory.java
> Path --ofbiz/framework/entity/src/org/ofbiz/entity/connection
> 2.ManagedDataSource cannot be resolved to a type
> DBCPConnectionFactory.java
> ofbiz/framework/entity/src/org/ofbiz/entity/connection
>
>
> How should this be fixed?
> What is the starting point for looking into the ofbiz code
> Have had a look at the application browsing thro' the webtools URL
>
>
> Regards
> Sreevani
>
>

Re: Opening ofbiz in Eclipse

rajsaini
In reply to this post by SREEVANI
I faced a similar problem. It looks like the DBCP jar is not in the classpath.

It seems it happens due to the DBCP jar not being in the class path. You can
update the classpath through Project Properties -> Build Path -> Add
jar. You may also need to add the xpool jar.

Thanks,

Raj
[hidden email] wrote:

> Hi
> I am trying to import the ofbiz project to the eclipse workspace
> Getting a lot of errors
>
> 1.
> LocalXAConnectionFactory cannot be resolved to a type
> Resource-- DBCPConnectionFactory.java
> Path --ofbiz/framework/entity/src/org/ofbiz/entity/connection
> 2.ManagedDataSource cannot be resolved to a type
> DBCPConnectionFactory.java
> ofbiz/framework/entity/src/org/ofbiz/entity/connection
>
>
> How should this be fixed?
> What is the starting point for looking into the ofbiz code
> Have had a look at the application browsing thro' the webtools URL
>
>
> Regards
> Sreevani
>
>
>
>  


Re: Opening ofbiz in Eclipse

Jacopo Cappellato
rev. 590620 should fix the issue.

Jacopo


Raj Saini wrote:

> I faced a similar problem. It looks like the DBCP jar is not in the classpath.
>
> It seems it happens due to the DBCP jar not being in the class path. You can
> update the classpath through Project Properties -> Build Path -> Add
> jar. You may also need to add the xpool jar.
>
> Thanks,
>
> Raj
> [hidden email] wrote:
>> Hi
>> I am trying to import the ofbiz project to the eclipse workspace
>> Getting a lot of errors
>>
>> 1.
>> LocalXAConnectionFactory cannot be resolved to a type
>> Resource-- DBCPConnectionFactory.java
>> Path --ofbiz/framework/entity/src/org/ofbiz/entity/connection
>> 2.ManagedDataSource cannot be resolved to a type
>> DBCPConnectionFactory.java
>> ofbiz/framework/entity/src/org/ofbiz/entity/connection
>>
>>
>> How should this be fixed?
>> What is the starting point for looking into the ofbiz code
>> Have had a look at the application browsing thro' the webtools URL
>>
>>
>> Regards
>> Sreevani
>>
>>
>>
>>  


RE: Ofbiz and saved credit card info - high risk factor - must be a better way

wikitec
In reply to this post by David E Jones

Thanks David
I concur ... I am not sure what the ofbiz default is set to; however, the fact
that businesses have a choice either way is very good.  I am sure with what
I have seen from ofbiz it would not be too hard to configure either way.

cheers


> -----Original Message-----
> From: David E Jones [mailto:[hidden email]]
> Sent: Wednesday, 31 October 2007 7:25 PM
> To: [hidden email]
> Subject: Re: Ofbiz and saved credit card info - high risk factor - must be
> a better way
>
>
> This is totally up to the business running OFBiz. Obviously different
> businesses have different policies.
>
> It wouldn't be too hard to change the ecommerce and order processing
> stuff to either not save CC info to the database at all, or to just
> remove the information after the initial authorization is complete.
>
> I don't think you can do a re-auth without the CC info, that is
> usually considered a separate transaction anyway. Of course, if you
> ship things quickly and either rarely or never take backorders, then
> it shouldn't be needed.
>
> All by company policy... there are endless combinations of these
> options and some are available through configuration options and some
> require small code changes, or add-in code or whatever.
>
> OFBiz doesn't enforce or require any policy, but default settings are
> basically meant to represent the most common requirements we see, aka
> "best practices".
>
> -David
>
>
> On Oct 31, 2007, at 2:03 AM, Philip Laing wrote:
>
> >
> > Yes I have to agree Philip ... This is not only a very high risk because it
> > encourages hackers to break in to obtain this valuable information and in
> > my opinion it is only asking for trouble.
> >
> > Looking at the business process of re-authorizing the card in case of
> > refunding the customer. I am confident there is a way of covering
> > 're-authorise the card' rather than storing credit card details. Or at least
> > giving the shop owner a way of stopping storing credit card details as I
> > know I and many others will not use this feature because of the obvious
> > dangers involved.
> >
> > Thanks
> >
> > Phil
> >
> >> -----Original Message-----
> >> From: Jacques Le Roux [mailto:[hidden email]]
> >> Sent: Monday, 22 October 2007 5:58 PM
> >> To: [hidden email]
> >> Subject: Re: Ofbiz and saved credit card info
> >>
> >> From: "Phillip Rhodes" <[hidden email]>
> >>
> >>
> >>> Hi everyone,
> >>>
> >>> It appears that ofbiz is saving credit card information.  While there is
> >>> sometimes a business need to do this, very often, there
> >>> is not.  For example, with cybersource and verisign, all you need to store
> >>> is the authorization code.  With the authorization code,
> >>> you can perform settlements, and returns.  Of course, there could be a
> >>> back-office process that runs credit cards, so it would be
> >>> necessary in that case.
> >>>
> >>> I am bringing this issue up because holding this information is a risk.
> >>> It would be nice if ofbiz could provide a means by which
> >>> organizations would be able to opt out of having credit card information
> >>> stored for their customers.
> >>
> >> This is an interesting idea, but you should also consider that if for any
> >> reason you need to re-authorise the card you will not be
> >> able to (there are some cases you will need to do that: amount change -
> >> not able to deliver all -, etc.)
> >>
> >> YMMV depending on your payment provider (though I guess an auth is not a
> >> re-auth everywhere in the world)
> >>
> >> Jacques
> >