
Security Concern


somecows

Question

Hello,

I run a web hosting company and have never before used any type of software to manage billing, clients, etc. Right now, all I do is collect credit card information from my clients and enter that directly into the control panel of my gateway - CyberSource. I can set it up so that CyberSource bills clients automatically on a monthly basis or whatever. The point is, I don't have to deal with storing credit card numbers on my server - everything is stored on CyberSource servers. I am considering buying WHMCS but am nervous about having credit card info stored on my server. I am concerned that if someone were to gain access to the server and get the credit card info, I would be liable. Anyhow, I was just wondering if this is something others have worried about and what kind of setup you suggest to keep things as secure as possible. As it stands right now, WHMCS would be installed on a shared server that hosts various other websites and thus is accessible by people besides myself. I don't mean that other people have access to my account, but there is activity on the server that I don't have control over. Is this OK, or do you recommend that it be installed on a dedicated server so fewer people have access, or what? I realize the chances of anyone infiltrating the server might be small, but I am trying to take every precaution necessary. Would like to know if I'm worrying needlessly. Thanks!


7 answers to this question

> I am considering buying WHMCS but am nervous about having credit card info stored on my server. I am concerned that if someone were to gain access to the server and get the credit card info, I would be liable.

You definitely would be liable. If, as you say, you set them up at that gateway and they store the number, the solution is to either set it up and then remove that CC number from WHMCS (which is stored encrypted), or see about obtaining a plugin to use that gateway directly, if they offer that. This way the card could be directly submitted, and one less step and worry for you.

> Is this OK or do you recommend that it be installed on a dedicated server so fewer people have access

A shared environment is asking to be compromised, regardless of billing system in use. You should be on a VPS at least, so your site and files are segregated from other users. I'm using a cheap VPS for this and my support desk, which gives me that isolation as well as a way for customers to reach me if their server is down. Highly recommended.


You don't even need to store card details on your server or WHMCS. You can choose to disable the credit card form; therefore your clients will not be able to store any sensitive information whatsoever.

WHMCS supports most payment gateways that I can think of, but if the one you currently use is not listed, you are able to get it supported. I'm sure Matt can sort you out with a solution. But again, you don't have to store information such as credit card details within WHMCS if you don't want to.

You won't be disappointed in WHMCS; it's a fantastic piece of software.

Edited by dkent

Thanks for your responses so far. If I can store CC info at my gateway rather than on my server, that would be a great solution. As I said in my original post, that's how I do it now. I receive CC info from clients and then manually create a "recurring subscription" at my gateway, and then the gateway bills clients once a month. I assumed that the way to achieve this with WHMCS was to store the CC info within WHMCS and then command WHMCS to run it through my gateway on a monthly basis. Are you saying it's possible to use WHMCS to set up a recurring subscription at the gateway so that, like now, it's the gateway doing the monthly processing and storing the CC info, not WHMCS? If so, what happens if a client needs to update CC info or billing info - could WHMCS interface with the gateway to make this update, even if the CC info is not stored on my server? I'm willing to use whatever gateway is necessary to achieve this - I don't have to stay with my current gateway (CyberSource). Anyhow, sorry for my ignorance; it's hard to figure out how the program works without setting it up and using it! Just trying to get a grasp on how it works.


WorldPay supports recurring payments through their FuturePay system. It's a tad complicated to set up with WHMCS, but it works fine. I've put quite a lot of info in the wiki.

I can't remember what our transaction rate is (not my dept.) but since the company incorporated they want to impose a £2500 reserve & force customers to re-enter their cc details, so we are seriously looking at Chronopay at the moment.
