Nathron, posted February 22, 2013 (edited)

How does WHMCS communicate with Authorize.net? Is any of the client's credit card information stored in WHMCS? If so, where and how is it stored?

How I think I'd do it: would storing the information separately in a different database, accessible only to WHMCS via use of an encrypted PSK, ensure that that information stays relatively secure?

Something like the following: have MySQL on a remote system allow access to that database only from a local connection by a shell script. This shell script is executed by SSH hosted on a non-standard port with a user who has only permissions on the DB and nothing else, and is verified by a strong SSH access key. The key is stored outside the webroot and obfuscated, pulled into the caller PHP script that unobfuscates the key and calls a separate script that executes as another user jailed in its own folder. The response of the remote script is openssh encrypted and then decrypted by the jailed script, and finally the information is returned to the PHP script.

Anybody see a problem with this method of storage, other than the general execution time overhead, which I'd imagine is probably substantial? The only parameter passed to the remote script is the client ID to pull info for. I'm trying to find a way to store this type of thing in a different geo-location with a maximum of 3 separate physical machines to work with. I would like to provide Authorize.net, but I don't want the weak point to be any information stored on a web-accessible machine.

The reason I asked, primarily, was that I was reading somewhere that there's a publicly available way to pull credit card information from WHMCS in an external PHP file, which is rather scary. I don't remember exactly how they said to do it, but it was stored in the config file.

If that's not the case anymore, or if WHMCS doesn't store anything in its own installation and passes just the client ID and possibly the index of the card it's looking for to Authorize, there shouldn't be a problem. I'm mostly just concerned about making sure everything is separated in such a way that it minimizes the chances of having a client's details stolen.

Edited February 22, 2013 by Nathron

WHMCS Chris, posted February 22, 2013

Hello,

Have you checked the documentation on this? - http://docs.whmcs.com/Authorize.net

The Authorize.net module uses token-based storage, thus the card details are stored on Authorize.net's systems, not your WHMCS installation.

In regards to the cc_access_hash you made mention of, that is the access hash that's used to decrypt the credit card information. Assuming you have a secure server, malicious users shouldn't be able to read configuration.php.

Regards,
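
The reply above rests on other accounts being unable to read configuration.php. One way to check that on a host, as an added example that is not part of the thread and not WHMCS code: the function names are hypothetical, and the policy (no access for "other", no group write, no world-writable parent directory) is an assumption for a single-owner web host.

```shell
#!/bin/sh
# Added example (not WHMCS code): audit who can reach configuration.php.
# Octal mode of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Last octal digit of a mode string: the "other" permission bits.
other_bits() {
    echo "${1#"${1%?}"}"
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_config_perms() {
    acp_file=$1
    acp_bad=0
    if [ ! -f "$acp_file" ]; then
        echo "MISSING: $acp_file is not a regular file"
        return 1
    fi
    acp_mode=$(file_mode "$acp_file")
    # Any "other" bit exposes the secret to every local account.
    if [ "$(other_bits "$acp_mode")" -ne 0 ]; then
        echo "FINDING: mode $acp_mode grants access to other users"
        acp_bad=1
    fi
    # Group write lets a second account edit or replace the secret.
    acp_group=$(other_bits "${acp_mode%?}")
    if [ $(( ${acp_group:-0} & 2 )) -ne 0 ]; then
        echo "FINDING: mode $acp_mode is group-writable"
        acp_bad=1
    fi
    # A world-writable parent directory lets the file be swapped out.
    acp_dmode=$(file_mode "$(dirname "$acp_file")")
    if [ $(( $(other_bits "$acp_dmode") & 2 )) -ne 0 ]; then
        echo "FINDING: parent directory mode $acp_dmode is world-writable"
        acp_bad=1
    fi
    return "$acp_bad"
}

# Constructed demo: a throwaway file stands in for configuration.php.
demo_dir=$(mktemp -d)
printf '<?php // constructed stand-in, no real secret\n' > "$demo_dir/configuration.php"
chmod 644 "$demo_dir/configuration.php"
audit_config_perms "$demo_dir/configuration.php" || true
chmod 400 "$demo_dir/configuration.php"
audit_config_perms "$demo_dir/configuration.php" && echo "OK: mode 400"
rm -rf "$demo_dir"
```

File permissions only cover other local accounts; a flaw in the web application that runs as the file's owner can still read it.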