This is totally up to the business running OFBiz. Obviously different businesses have different policies.
It wouldn't be too hard to change the ecommerce and order processing stuff to either not save CC info to the database at all, or to just remove the information after the initial authorization is complete.
I don't think you can do a re-auth without the CC info, that is usually considered a separate transaction anyway. Of course, if you ship things quickly and either rarely or never take backorders, then it shouldn't be needed.
All by company policy... there are endless combinations of these options and some are available through configuration options and some require small code changes, or add-in code or whatever.
OFBiz doesn't enforce or require any policy, but default settings are basically meant to represent the most common requirements we see, aka "best practices".
-David On Oct 31, 2007, at 2:03 AM, Philip Laing wrote:
Yes I have to agree Philip ... This is not only a very high risk because it encourages hackers to break in to obtain this valuable information and inmy opinion it is only asking for trouble. Looking at the business process of re-authorizing the card in case of refunding the customer. I am confident there is a way of covering're-authorise the card' rather than storing credit card details. Or at least giving the shop owner a way of stopping storing credit card details as Iknow I and many other will not use this feature because of the obvious dangers involved. Thanks Phil-----Original Message----- From: Jacques Le Roux [mailto:[EMAIL PROTECTED] Sent: Monday, 22 October 2007 5:58 PM To: user@ofbiz.apache.org Subject: Re: Ofbiz and saved credit card info De : "Phillip Rhodes" <[EMAIL PROTECTED]>Hi everyone,It appears that ofbiz is saving credit card information. While there issometimes a business need to do this, very often, thereis not. For example, with cybersource and verisign, all you need to storeis the authorization code. With the authorization code,you can perform settlements, and returns. Of course, there could be anback-office process that runs credit cards, so it would be necessary in that case.I am bringing this issue up because holding this information is a risk.It would be nice if ofbiz could provide a means by whichorganizations would be able to opt out of having credit card informationstored for their customers.This is an interesting idea, but you should also consider that if for anyreasons you need to re-authorise the card you will not beable to (there are some cases you will need to do that : amount change -not able to deliver all -, etc.)YMMV suiving your payments provider (though I guess an auth is not a re-auth everywhere in the world) Jacques
smime.p7s
Description: S/MIME cryptographic signature