How to communicate Credit Card details to customers when instantly approved in a PCI-DSS compliant way?

Would displaying the full Credit Card details (PAN, Expiry date and CVV/CVC) in Online Banking and/or Mobile Banking be considered both PCI-DSS compliant and secure? Or what would be best practice to display the details for the instantly granted (approved) Credit Card so that the customer can start using it for eCommerce?

Magento 2.3.1 credit card Authorize.net set to sandbox: checkout page gets an error after placing an order

I am using Magento 2.3.1 and I have to use the Authorize.net credit card payment method. Right now I have set the payment method to sandbox mode. After placing an order with all information filled in correctly, I get this issue on the checkout page:

An error occurred during processing. Please try again. 

Is this an adequate outline for a basic filter to prevent testing of stolen credit card numbers on my credit card charge script?

I have a web store with Stripe integration that has been used by one or more individuals to test stolen credit card numbers. Their method of testing the cards is to direct a large number of charge attempts at my credit card charge script both in a short period of time and over many days.

I can do some PHP scripting but am not a full-time or formally-trained developer and so want to stop the fraudulent use of my Stripe account in a manner that keeps things as technically simple as possible for me.

My plan is to develop an IP-based filter for my credit card charge script. Below is my general concept for the filter.

  1. Create a MySQL database with fields for IP, date of this IP’s last charge attempt, number of charges by this IP today, all-time total number of charges by this IP and blocked user.

  2. When someone makes a charge attempt, before sending it to Stripe, check whether their IP is already in our database of IPs that have made a charge attempt in the past.

    A. If the IP is not in our database, add it to the database and allow the charge attempt to be sent to Stripe.

    B. If the IP is in our database, check to see if the blocked user field is set to “yes”. If so, do not allow the charge attempt and present an error message to the user.

    C. Check to see if the date of this IP’s last charge attempt is today.

      i. If the IP’s date of last charge attempt is not today, store today’s date in the date of this IP’s last charge attempt database field, set the number of charges today to 1, and allow the charge attempt to be sent to Stripe.

      ii. If the date of last charge attempt by this IP is today, increment the number of charges by this IP today database field. If the number of charges hits a predetermined limit, do not allow the charge attempt and present an error message to the user. If the number of charges by this IP today is below the predetermined limit, do not block the charge attempt.

      iii. Increment the all-time total number of charges by this IP field. If the number of charges hits a predetermined limit, do not allow the charge, present an error message to the user, and set the blocked user field to “yes” for this IP. If the all-time total number of charges by this IP is below the predetermined limit, allow the charge attempt.

The above filter concept assumes individuals testing stolen credit card numbers will not be able to frequently change their IP to circumvent this primitive rate limiter. Is this a safe assumption? Are there any other potential problems with the above approach or better ways to do this?
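
The filter outlined in the question above, written out as an added example (not code from the original post). The table and column names, the two limits and the sample IP are assumptions, and in-memory SQLite stands in for the MySQL table so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Hypothetical limits (assumptions); "hits the limit" is read as count >= limit.
const DAILY_LIMIT = 3;
const TOTAL_LIMIT = 5;

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE charge_attempts (
        ip TEXT PRIMARY KEY, last_attempt TEXT NOT NULL,
        today_count INTEGER NOT NULL, total_count INTEGER NOT NULL,
        blocked INTEGER NOT NULL DEFAULT 0)');
    return $db;
}
// Returns true when the charge attempt may be forwarded to the payment processor.
function allow_charge(PDO $db, string $ip, string $today): bool
{
    $db->beginTransaction();
    $sel = $db->prepare('SELECT * FROM charge_attempts WHERE ip = ?');
    $sel->execute([$ip]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $sel->closeCursor();
    if ($row === false) {                        // step 2A: first attempt from this IP
        $db->prepare('INSERT INTO charge_attempts VALUES (?, ?, 1, 1, 0)')
           ->execute([$ip, $today]);
        $db->commit();
        return true;
    }
    if ((int) $row['blocked'] === 1) {           // step 2B: IP already blocked
        $db->commit();
        return false;
    }
    // step 2C i/ii: restart the daily counter on a new day, otherwise increment it
    $todayCount = $row['last_attempt'] === $today ? (int) $row['today_count'] + 1 : 1;
    $totalCount = (int) $row['total_count'] + 1; // step 2C iii: all-time counter
    $blocked    = $totalCount >= TOTAL_LIMIT;    // reaching it sets the blocked flag
    $db->prepare('UPDATE charge_attempts SET last_attempt = ?, today_count = ?,
                  total_count = ?, blocked = ? WHERE ip = ?')
       ->execute([$today, $todayCount, $totalCount, (int) $blocked, $ip]);
    $db->commit();
    return !$blocked && $todayCount < DAILY_LIMIT;
}
// Constructed sample traffic: one documentation-range IP across two days.
$db = make_db();
foreach (['2024-01-01', '2024-01-01', '2024-01-01', '2024-01-02', '2024-01-02'] as $day) {
    printf("%s %s\n", $day, allow_charge($db, '203.0.113.7', $day) ? 'allow' : 'deny');
}
```

On MySQL with InnoDB, the lookup would be a `SELECT ... FOR UPDATE` inside the same transaction so that parallel requests from one IP cannot both read the old counters.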

Can a criminal fake the use of a PIN in a chip and pin credit card transaction?

Within minutes of my credit card being stolen by pickpockets, two large transactions were made by the thieves, apparently in a bar or cafe. My bank tells me that they were chip and PIN transactions. I am sure to a high degree of certainty that my PIN was not compromised:

  1. It was not written down
  2. It was not used for other purposes
  3. The card in question had not been used in months, and even then, in a different country (effectively ruling out shoulder-surfing)

Still, my bank insists that my PIN was used, although there is no reasonable way the thieves could have come to know it. The bank’s people obviously place a high degree of trust in this technology.

Are there known exploits that could allow a chip and PIN transaction to appear to have been made using the PIN, without the criminals actually having it?

Magento 1 programmatically creating a credit memo has incorrect behavior

The question of how to create a credit memo in Magento 1 has been asked several times and answered in a few different ways.

With each one, I get slightly different results, but ultimately each has the same result:

A credit memo for $0 with no items listed in the “Items Refunded” section, or the full quantity of items ordered being refunded, and the quantities are ignored.

In this case, $rma is a single RMA object from getCollection(), and the result of the below code is that all items are refunded even though the qty_authorized is 1.

    $order = $rma->getOrder();
    $service = Mage::getModel('sales/service_order', $order);
    $rmaItems = $rma->getItemsForDisplay();

    $data = array(
        'items' => array()
    );

    foreach ($rmaItems as $rmaItem) {
        $data["items"][strval($rmaItem->getId())] = ['qty' => $rmaItem->getData('qty_authorized')];
    }

    $data['shipping_amount'] = 0;

    $creditMemo = $service->prepareCreditmemo($data)->register();
    Mage::getModel('core/resource_transaction')->addObject($creditMemo)->addObject($order)->save();

    $rma->close();

The above example is passing in items, and yields the following structure for the data variable:

    array(2) {
      ["items"]=>
      array(1) {
        [2300]=>
        array(1) {
          ["qty"]=>
          string(6) "1.0000"
        }
      }
      ["shipping_amount"]=>
      int(0)
    }

Switching the variable from items to qtys as in most answers yields the same structure but instead gives the result where no items are returned.

This is all very much beta code, and there are bound to be errors in other parts of it, as so far I’m working on just getting a proper credit memo in, so any comments on any part of it are much appreciated.

When credit card tokens are leaked / stolen, what can the attacker do with them?

I’m implementing an online payment system relying on an external payment processor handling all credit card entry. We only see and store card tokens (not the actual card numbers), which we then use to charge another month’s worth of subscription.

If an attacker got his hands on our DB of tokens, what could he do with them? Worst case scenarios welcome.

(Note – this has been answered as part of Storing credit card token, but the question was closed. I think it’s important enough to deserve a question of its own.)