marc5477 Posted May 26, 2013 (edited)

Good Morning, I am doing some research on carts and so far I have narrowed it down to Zencart, OpenCart, and Presta. I ruled out Magento because it is a mess (the db is hilarious and I didn't want to deal with it). I like the cart, but I ran into a problem and I really don't have time to look at all the code. There is a problem with the Authorize.net SIM official module seen here: http://addons.presta...thorizenet.html The problem is, the content of this module appears to be the Authorize.net AIM module rather than the SIM module. Open the file and look at all the titles. Further, looking at individual files in WordPad also reveals the same thing. Everything says AIM, which was already part of the Presta install. Second, installing this module does not seem to do anything. Presta says that the module installed but just takes me back to the AIM module. I assume it overwrote the one that came with the installation package (1.5.4.1). There is no sign of the SIM installation anywhere. When I go to try to configure the AIM module, it looks exactly the same as the original AIM module with no indication that it is actually SIM. In fact, we see the same warning: "Your website must possess a SSL certificate to use the Authorize.net AIM payment system." Which should not exist if we are indeed using SIM. I have stopped at this point. I assume that the file offered is simply the wrong one (if anyone from the Presta team can help I would appreciate it). Does anyone have the actual official SIM module that they can share? Does it even exist (has anyone ever used it)? Would love some help on this if anyone has info.

Edited May 26, 2013 by marc5477
Dh42 Posted May 27, 2013

I honestly do not know if there is a SIM module. Can I ask why you want a SIM integration?
marc5477 (Author) Posted May 28, 2013

We don't want any financial data nor any code relating to credit cards anywhere near our servers and networks. For legal reasons, we prefer to keep that liability on the merchant.
Dh42 Posted May 28, 2013

You do realize that using an AIM method is just as secure and you do not store financial data either, correct?
marc5477 (Author) Posted May 29, 2013

Unless I am mistaken, AIM requires that we have HTML code on our server to collect CC data and possibly even a PHP variable that stores the data temporarily (I have not looked at the code that closely but I hope you get my point). It also requires an SSL cert, which opens us up to attack since right now our systems are not authorized to do anything secure. Although CC data is not stored anywhere locally, it can easily be manipulated to do so with a single SQL statement. The SIM method completely eliminates this problem since the code is entirely on the merchant server. Even if someone locally plays with the code, it would not help them at all since the checkout process moves entirely to the merchant system and thus also the liability and the need for heavy security measures. With SIM, the only security loophole would be if someone got access to the Presta back office, changed our checkout method to something of their choosing (probably a hacked AIM, else we would notice the lack of money transactions almost instantly), input our merchant data to the AIM module (which means they need to decrypt it first), installed an SSL cert that our merchant accepts (we don't want a cert on the server), and prayed that we don't discover the change so that there is enough time for him to collect some CC data... clearly, this is an absurd waste of time since we are not a huge company with millions of orders (we are a small grocery chain). The hacker is better off collecting soda cans from trash. Here is the crux of the problem: we intentionally have very minimal security to keep costs down. By keeping nothing of importance on our own space, we practically immunize ourselves from potential threats because there is absolutely nothing on our server of value.

The worst a hacker can do is deface our website, and even that is not easy because we have a script that restores the site on the fly should anything change; plus there would be no point in hacking something that has minimal security, so they cannot even claim that they did something monumental. I suppose after installing a cart we will have some customer data like addresses and phone numbers, but those things are of very little value without an associated credit card or SSN. Further, we will probably remove that functionality from the cart as well (force guest checkout) to ensure we don't even have that db on our servers. Please don't misunderstand. I don't expect Presta to make a cart just for my company and our whims. I don't expect that at all. All I want is what Presta already offers, and that is the SIM module, and I only need it for testing because we will buy the more comprehensive SIM module soon after, which offers more functionality. If Presta does not have the module, then there are no hard feelings at all. In fact, I think Presta is a very good cart solution and I would recommend it to others without hesitation, but the fact is, I cannot use it without testing. Now if I am mistaken about the AIM module security then my apologies. I am open to suggestions.
Dh42 Posted May 29, 2013

Honestly, knowing about your security practices I would refuse to do business with your company. CC information is not the only information that should be stored securely. Anytime you harvest information from a client, it should be stored securely. I can think of a lot of situations where I would care less about my credit card information and more about not wanting people to know I do business with a company. The simple fact of the matter is if you take payments on your server and you lose control of the server, you lose control of the payments. You are correct in thinking that the AIM method does not store the data on the server except for a temporary variable. Which, yes, if you lose control of the server you have lost control of that variable. But using SIM, once you have lost control of the server, you are in pretty much the same situation. I know your key that you are sending to auth.net to call the SIM form, so I can create a pass-through form to scrape the data. Then I will have everything as well. So you are in the same position. Re-reading your post, I just saw the bit about the guest checkout and information not being saved. The only difference between a guest checkout and a regular checkout is the password. Everything else is saved: email addresses, phone numbers, addresses, names, passwords. If I wanted to one-up you on this, think about this. Say I took control of your server and did not mess with the payment gateway at all. I just removed the salt on your password field and made all of your accounts store passwords in plain text. Or if you are using guest checkout, I just added a password field to your form, blocked your IP from seeing it (which, having control of the server, I can see all of the IPs that have accessed the FTP of the site) then sent email addresses and plain text password pairs my way.

Most people only use a few passwords; I imagine I can get some banking information or PayPal information by doing that. The liability would be on you still. Don't go lax on your security, it is bad practice as a developer and you give other developers bad names. Also you give the platform a bad name. As for the AIM module, I can vouch that it is pretty bulletproof; as far as I know I am the last person to discover a security bug in it.
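The disagreement above turns on one point: once the web server is compromised, either checkout flow can be altered (a swapped form, a pass-through page, an added field), so the defensive control that matters is noticing when the payment module's files change. The following is an added example, not code from this thread or from PrestaShop: it baselines a module directory by SHA-256 and reports added, removed and modified files. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash one file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline, current):
    """Classify files as added, removed or modified relative to a trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: a payment module is baselined after a clean install,
    then its checkout template is edited to post elsewhere and an unexpected
    PHP file appears. Returns the diff a nightly check would report."""
    with tempfile.TemporaryDirectory() as d:
        mod = Path(d) / "modules" / "paymentmodule"   # hypothetical module dir
        (mod / "views").mkdir(parents=True)
        (mod / "paymentmodule.php").write_text("<?php // payment module\n")
        (mod / "views" / "form.tpl").write_text("<form action='https://gateway.example/'>\n")
        baseline = build_manifest(mod)                 # taken when the install is trusted
        (mod / "views" / "form.tpl").write_text("<form action='https://other.example/'>\n")
        (mod / "unexpected.php").write_text("<?php // not part of the install\n")
        return diff_manifest(baseline, build_manifest(mod))
```

The baseline manifest must be stored off the web server (or signed), since a manifest that lives beside the files it describes can be rewritten by whoever rewrote the files.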
marc5477 (Author) Posted May 29, 2013

Good reply, but it would be moot. As I mentioned, we will remove all data storage functionality, even if it currently exists, in guest processing. In fact, there won't even be an option to choose. There are no passwords. No usernames. No data stored at all. All customer SQL will be removed and replaced with a simple email to our processing center. All we need to do is log into the merchant end of day to cross-check orders in case something slipped. It's not bulletproof, and as you state, you can still intercept, but what is the point? It's a lot of work to get very little useful information from a hacker's perspective. I appreciate your opinion about security and in general I agree, but I have my own way of doing things. I was a Sr. admin for more than a decade and a network admin for 5 or 6 years before that. I am now the manager of the IT dept. My experience after seeing all sorts of security issues is that the best security is to take away all motivation. This is not always possible depending on your business, but the big mistake many businesses make is trying to grip too tightly to the point that it creates more security problems than it solves, and frankly, 100% security is impossible as long as there are people involved. In fact, 9 out of 10 breaches are from insiders (regardless of intent). The more people you have touching the systems, the larger your risk. This I believe has become a well known fact. The best security is to eliminate the need for a large exhaustive IT department. Again, not always achievable, but it is where I work. As for people knowing where you shop, it is not an issue with us. At best, a perp will know that you like mozzarella and round cut beef.

-----------------------

As for not wanting to do business with me, well perhaps you should look at your bottom line before you make that choice.

Without sounding like an old fart (because I honestly don't believe that one solution fits all), here is what I've learned over the years. #1 keep it simple (in IT terms, decrease complexity and especially redundancy... except for data backup of course). #2 your biggest security risks are the people working around you (hackers are a very very long 2nd). #3 the best security is to have nothing that anyone wants. Using my methods the last 6 years, we have completely eliminated the problem with workers introducing security problems (since they no longer have any sort of access) and the need to keep tabs on them. In 6 years, our systems have been compromised exactly twice, and both times the hacker snooped around, found nothing, and only left a few silly scripts. One guy left a bot, but it was easily dispatched and all it did was act as a relay and didn't hurt our company or customers in any way. That was the most severe problem we have had since I came on board. Before that, we had a standard structure with data polling and analytics and a bunch of marketing BS that never produced a single positive financial outcome beyond what was already being made. We had potential security problems everywhere. Now, we have almost none. I gutted the entire system. Kicked all the silly internet/email marketers out on their rear, and guess what? Sales didn't change even one iota. I removed all marketing data from servers, eliminated data polling since it was redundant for our uses, reduced our IT staff by 80% (yes it was painful), eliminated all those contracts with Oracle, Cisco, and MS which were costing upward of $300k a year since they were no longer needed, and all those managers that were needed to keep track of all that extra fat were also fired along with their marketing teams since they no longer had anything to do. Net result, IT dept salaries went from $2.6m to about $500k per annum. Capital spending went from around $500k to about $50k per annum.

And I have no idea how much money they are saving from firing all those extra managers and marketers, but I'd venture to say it is at least around $1m/annum. We have had no real threats of any kind since I came on board and my bosses are very happy, and my salary reflects that happiness. I can focus on ways to improve the business rather than waste my entire time micromanaging things that don't produce real results. Moral of the story? There are many methods to security. Mine is an alternative that has been proven to work, and work very well. You may not want me, but my $400k salary says something else.

-------------------

I want to thank you for your time. You guys at Presta have done some great work and I appreciate the help you have provided.