Saturday, September 27, 2008

Displaying Payment Information

So, the actual task at hand is to allow administrators to store and view credit card information (including the credit card verification code) and process the order offline with their own existing authorization system before purging that information from the database.

Unfortunately, nobody in their right mind will provide this functionality because credit card companies (for good reason) do not want web applications to store the unique number identifying the card. That is the whole point of the number -- only the card owner and the credit card authorizer should know it, and maybe the merchant can temporarily look at it in order to pass it along. In fact, using the saved credit card module is not recommended at all for a live production site!

Storing the CCV number (even in encrypted form) will prevent your application from being PCI compliant, and will most likely violate the terms of service of the merchant. Even further, it may make the merchant negligent in failing to properly secure customer data. There is a lengthy discussion at the Magento forums, and the Magento developers (rightly) don't want anything to do with enabling this functionality. If I were one of them, I wouldn't either.

Nevertheless, many merchants want this functionality because they want to use their existing order process and bolt on an e-commerce site as an online-ified order catalog. Many credit card authorizers now require that merchants supply this number, or face hefty transaction fees without it. As a little side project in my free evenings, I've worked at providing the following functionality for Magento:
  • update the existing credit card module to store the card verification number in addition to just the card number
  • allow the card verification number to be displayed on the order processing page in the administration portion of the website so the customer can be charged
  • add a button to the order processing page which purges the credit card number from the system once the data is no longer needed
  • be as secure as possible while doing the above three inherently insecure, and arguably stupid, things
If you read this and decide you want to use this less secure method of storing customer data, the responsibility is completely yours. This is intended to help developers who may want to implement this functionality (for whatever crazy reason), or who may want to use these notes as the basis of enabling some completely different functionality on the order pages. I am simply providing some notes on how I made modifications to Magento.

It would be a far better plan to just pay for the service of on-line validation with one of the many available providers, both for the security of your customers' data and for your own peace of mind.

Warning: you are reading a blog on the internet! If you need real support or advice, hire a real software engineer who knows what they are doing!

Ultimately, it is your responsibility to make appropriate use of this information. I provide no support whatsoever and no assurance that making modifications to your software will not cause even the most trivial inconvenience nor the most dire consequences. Finally, I do not seek to profit in any way from this work and will not accept anything at all.