
Pretty serious flaw in how Quantum Gateway is handled


twhiting9275


So, after a number of years without using it, I decided to check out Quantum Gateway, and started using it pretty heavily. In fact, everything was migrated over flawlessly (or from what I could tell it was). There is a pretty serious flaw in the backend (admin side) however.

 

When editing clients, and viewing credit card information (or adding it, or changing it) from the backend, the information is stored locally, not passed to Quantum. There should be absolutely no value for the client's card in the system once the client has been migrated over. That can be cleared up by deleting the values stored individually, but that's a hassle.

 

Just saying, this should really be looked at. If you try to update client's information from WHMCS (card) and are using Quantum Gateway, this should never, ever be stored in the local database, like WHMCS does currently.


I agree. I have just gotten my WHMCS and Quantum account and noticed that the backend client credit card information is stored within the servers rather than on Quantum.

 

I would like for the CC info to be passed through to Quantum and not stored within my database.

 

I have just noticed this after getting my account set up and believe this issue definitely needs to be resolved. It makes me think twice about using both Quantum and WHMCS as my billing software.


I'm using the vault through QG. No cards are stored locally, and if I go to edit card details I'm met with:

 

Existing Card Details

Card Type:

Card Number: No existing card details on record

Expiry Date:

 

From the start, QG vs QGvault was a better option, I felt. No way do I want to store cards.


  • WHMCS CEO

Just to clarify, using the "Quantum Gateway" module, card details are stored locally as that's just the regular Quantum module, but when using the Quantum Vault module they are not. We have a migration script for switching over to Quantum Vault as with most of the token modules, and when using that the full card number is automatically blanked in the database, but card type, last 4 digits and expiry date are maintained to allow a client to see exactly what card they have on file. This may give the impression of the card being local, but it's definitely not, and without that full card number, you have none of the risks of regular merchant gateways who store card details locally. The vault module works using an iframe so that even card input is handled off site on Quantum's pages, but this can only be done from the client side so certainly an admin should not use the CC Info window to input card details.

 

Matt


> From the start, QG vs QGvault was a better option, I felt. No way do I want to store cards.

Absolutely, a better option. However, back in the day it wasn't an option.

As far as your point of nothing being stored.. Try this:

Go into your admin panel

Find a client

Edit that client's credit card information

Instead of having it show up in 'vault' (yeah, that's what I meant, sorry), the info will be stored in the local database.

 

> Just to clarify, using the "Quantum Gateway" module, card details are stored locally as that's just the regular Quantum module, but when using the Quantum Vault module they are not.

I meant one thing and said another. With these two products, I get them confused.

 

> The vault module works using an iframe so that even card input is handled off site on Quantum's pages, but this can only be done from the client side so certainly an admin should not use the CC Info window to input card details.

Regardless of your opinion (and that's just what it is, an opinion), this is flawed, and there are MULTIPLE reasons this is incorrect here.

 

Firstly, the most obvious one, adding a client's card info. You can't just 'add' a client's card information to the vault and expect WHMCS to pick it up. Nope, it has to be added from INSIDE WHMCS. In many cases, yeah, it's simply done by the client, but in some cases, it has to be done by the admin. For example, if the client themselves never logs into the client area (ie: phone orders). If the client has problems logging into the client area (ie: spam, or for whatever reason). If the admin doesn't want the client being tossed off to another page. For whatever reason, this is a pretty critical reason to HAVE this done.

 

Secondly, limitation of liability. As a billing representative for at least one company, I have specifically told them that I, in no way, want access to their PayPal, 2Checkout, or merchant account. Why? There's no way they can say I did anything here. It's all logged, and backed up in WHMCS. Now, they're not using vault (yet), but if they were to do so, I would then have to log in to vault to change information around.

 

Thirdly, well, I'll let the first paragraph of your website state that:

"WHMCS is an all-in-one client management, billing & support solution for online businesses."

When you force clients to go to another site to manage details such as credit card information (something that is used every day, mind you), you lose the right to call yourself an 'all-in-one client management, billing & support solution', because, well, it's not all in one any more. It's all in two, all in three, etc.

Edited by twhiting9275
changed wording
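
An added example, not part of any post above and not WHMCS code: a check for the situation discussed in this thread, where a client has a vault token but a full card number is also held in the local database, plus the blanking step that keeps only card type, last 4 digits and expiry date. The table and column names are hypothetical and the rows are constructed.

```python
import sqlite3

# Hypothetical schema for illustration; not the real WHMCS table layout.
SCHEMA = """
CREATE TABLE clients (
    id INTEGER PRIMARY KEY,
    card_type TEXT, card_last_four TEXT, card_expiry TEXT,
    card_number_enc BLOB,   -- encrypted full card number, if stored locally
    gateway_token TEXT      -- vault/token reference, if tokenized
)"""

# Constructed sample rows (placeholder ciphertext, no real card data).
ROWS = [
    (1, "Visa", "1111", "0130", b"", "tok_a"),                        # tokenized, blanked
    (2, "Visa", "4242", "0631", b"\x9c\x01placeholder", "tok_b"),     # token + local copy
    (3, "MasterCard", "4444", "1229", b"\x17\x02placeholder", None),  # local only
    (4, None, None, None, None, None),                                # no card on file
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO clients VALUES (?,?,?,?,?,?)", ROWS)
    return db

def audit_local_cards(db):
    """Return {client_id: finding} for rows that still hold a full card number."""
    findings = {}
    query = ("SELECT id, gateway_token FROM clients "
             "WHERE card_number_enc IS NOT NULL AND length(card_number_enc) > 0")
    for client_id, token in db.execute(query):
        findings[client_id] = ("token present but full number also stored locally"
                               if token else "full number stored locally, no token")
    return findings

def blank_full_numbers(db):
    """Blank the full number for tokenized clients; keep type, last 4, expiry."""
    cur = db.execute("UPDATE clients SET card_number_enc = '' "
                     "WHERE gateway_token IS NOT NULL AND length(card_number_enc) > 0")
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_db()
    print(audit_local_cards(db))
    print("blanked:", blank_full_numbers(db))
    print(audit_local_cards(db))
```

Client 3 stays flagged after blanking because it has no token yet, so removing its local number would leave no way to charge the card.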