
Is there any legal risk when processing payment via Manual Cash Processing Module?


Lou1234


Hi,

My friend, who is also my working partner, asked me to find a module which can help him process the payment of his customers' orders at the POS. I made a tour around the Addons Marketplace and found this module: https://addons.prestashop.com/en/point-of-sale-pos/6270-manual-credit-card-processing-offline-payment.html#overview

However, when I studied its process, I found it confusing, as there was a note like this in the module description:

"To make this process secure, only the first digits are saved to the database while the last digits and the security code are sent to a specific email address so that the complete credit card number is never stored on a single computer. Anyway, you can also configure to save all digits in database."

It means that when the customer pays for an order, he/she needs to provide all the card's information (card number, expiration date, CVV) so that the shop owner can use them to process the payment on the hardware terminal gateway. Nevertheless, it also means that the shop will have the ability to store all the card information in the database and can possibly make illegal purchases from the customers' cards. How can this module prevent this risk? I see no countermeasure for this except for PCI compliance, which prevents bad guys who hack the store and steal the card information. But what will happen if the bad guy is the store owner or the salesperson of the store?


@idnovate.com NO, you are wrong in this case.

If I process payment directly in the store, the store owner or salesperson who processes the payment for me can only take my card to swipe on the card reader (and ask me for the PIN, in case my card is not a VISA or Mastercard, and I can type it myself without leaving it exposed to other people). And remember, all steps in the payment process are fast and observed by ME, so the shop owner or salesperson will not be able to even remember anything on my card.

If I process payment on a payment gateway via phone or website and I type my card information into the field, the information is normally processed through the bank. And the bank/financial organization will be the one who verifies the transaction and issues the money to the product/service owner. The web owner is not allowed to store or record any of that information, as those are stated as illegal acts.

In your case, the shop owner can store all the card information of the buyers. The shop owner has enough time to read, to remember the card information as if it was his/her own card.

The most important thing in every financial/payment software is 'SECURITY', not 'Living together with the risks'. I think you - as the developer of this module - did not seriously consider my concern (or you don't have enough data for that), which disappointed me a lot.


What I meant to say is that if the shop owner wants to steal the information, he has other ways to do it, even in physical or phone payments.

I understand what you meant and I cannot dispute that there are other methods more secure than this, where the card information is entered directly in the bank payment form. But this module can help people who cannot access these payment methods.

Anyway, each one is responsible for installing the payment methods that he considers better for his store 👍
