Credit card

The credit card settings fieldset on the payment methods tab is quite extensive and may be a little confusing at first. Use this document to wade your way through the settings to arrive at the proper setup for your needs.

Credit card data security

Security is extremely important for websites handling customer credit card data. You should be as careful as possible in the way you protect the data to prevent credit card fraud. Please be sure you are selecting the right options, as some choices may decrease the security of credit card data on your website and should be avoided if at all possible. Most payment gateways will require compliance with a set of security standards called the PCI DSS. When the Ubercart credit card module is used in conjunction with an SSL certificate and Drupal's Secure Pages module, your site will conform to these standards.

First, you must configure the encryption settings for card data during checkout. To do this, you'll need to fill in the filepath textfield. Here you should specify a folder that is outside of your document root (i.e. not in your www or public_html directory) where Ubercart can create a file to hold an encryption key. You will need to grant permissions on the folder that allow Drupal to write to it, but you can change this once the encryption key file has been created. Relative paths will be resolved relative to the Drupal installation directory, so if you have a directory structure like the following:

mysite
mysite/www <-- Drupal installed here.
mysite/keys

You would be able to specify ../keys on Encryption key directory field and Drupal will make sure the credit card encryption key is created in the proper directory. For security reasons, you should not use your site's files directory except in testing.

There is also a credit card debug mode that you can use when testing or to store encrypted card data with orders for offline processing. This may open you up to vulnerabilities, but you should be aware that even in debug mode Ubercart will truncate credit card numbers to the last 4 digits when a card gets processed. This is in accordance with the PCI DSS restriction that full card numbers and expiration dates should not be stored locally after a card has been authorized/charged. If you must use debug mode for offline processing, you should either manually wipe the numbers or use the "Debug mode data clearing" options on this form to make sure credit card data is not stored any longer than necessary. You may need to consult your terms of service with your payment processor to make sure this method is even possible according to your contract.

Finally, credit card masking by default applies to all users of the site, but it is possible in your user access control settings for you to designate roles that can view whole CC numbers when they're stored.

Checkout workflow

These options or for automated validation and processing of credit cards during checkout. If you choose to validate numbers, when a customer tries to review an order with an invalid number, they will not be allowed to proceed and will see an error message indicating their card number is incorrect. If you're curious how we do that, check out this article. The second checkbox lets you attempt to process cards during checkout when a customer clicks the submit order button from the review page. If the charge or authorization fails, an error message will be displayed and checkout won't complete. Otherwise the card will be processed and payment entered if necessary. This setting must be on to process credit cards if you are not operating in debug mode.

Debug mode data clearing

These fields allow you to wipe debug credit card data out of the database when orders reach a certain age. This only applies when you're operating in debug mode, because normally orders will not store any credit card data except the last 4 digits of the card number. Use this setting to make sure stale debug data doesn't hang around longer than expected, especially if you're storing card numbers for offline processing. You simply specify an order status and a length of elapsed time to have Ubercart automatically wipe out the credit card data. By default, orders with the Completed status that are at least 3 days old will be cleared. Cron must be running on your website, or the Poor Man's Cron module must be used, in order for this feature to function. See http://drupal.org/cron for details on how to ensure cron is configured on your server. Failure to use cron will result in all encrypted credit card data being stored indefinitely.

Credit card fields

Use these checkboxes to specify what type of information you need to collect during checkout. Consult your payment processor or gateway documentation to see if any of these fields are required for you to process cards. If you enable a card type select selection, you will need to make sure you list out the names of the cards you want in the select list. We recommend against this if at all possible, as it does not work in conjunction with the fieldset below for accepted card types. This is left for you to manually configure in case your store wants to represent card names differently or add card types not included in the checkboxes.

Accepted card types

As the help text suggests, you should use the checkboxes to specify which icons get shown on the "Credit card" radio select in the payment method selection options at checkout. These selections will also be used for credit card number validation if it is enabled.

Customer messages

These fields are self-explanatory and come with default messages that may serve you just fine. Change them to include links or other information if you wish, but remember it's good to either keep your customers in the checkout process or on the phone with you!