
Credit Card Offline Payment Option

Posted: July 24, 2017 at 10:03 am


simone

July 24, 2017 at 10:03 am

Hello,

Our customer asked us for a new payment option on his site.
He would have a form (as an available payment method) where the user can send credit card and other info while the system saves the order as an Espresso Event registration in pending status.

I have noted this addon: Flexible payment method
I’m not sure if it saves the transaction/registration and if it allows having a form where this info can be asked for.

Thanks,
Simone


Josh

  • Support Staff

July 24, 2017 at 2:11 pm

Hi Simone,

That’s actually not PCI-compliant so we advise not sending the credit card info or storing it on the server. A payment method like PayPal Express will securely handle the payment/credit card information.


simone

July 25, 2017 at 1:58 am

Hi Josh, thanks for the help.
Following the guide (Q14) is possible. But we have another option: let our customer treat credit card data like in an email and not save that info on the site.

Is there an addon that can do this at the end of the event registration process?
1. shows an offline payment method, like offline or something else, and saves an order in EE4
2. shows a page with a form where the user can write down payment info
3. sends an email with this info without saving credit card info

Otherwise, we need an addon that allows us to save registrations in the backend, but I’m not sure there is an addon able to do this.

Thanks,
Simone


Tony

  • Support Staff

July 25, 2017 at 4:42 am

Firstly, I’ll be blunt and state that I feel you are playing with fire.

Sending card details in any form is insecure, sending them via email is just asking for trouble. PCI compliance is not just about storing card details, it’s handling that data, how you get the data and what else you do with it so yes the above still falls under PCI compliance (and it fails to be compliant). By trying to work around the ‘normal’ options you’re just asking for a fine in my honest opinion.

I’ll answer your questions but take note of the above and understand that you yourself will be liable when this goes wrong.

> Following the guide (Q14) is possible.

What is this?

> Is there an addon that can do this at the end of the event registration process?
> 1. shows an offline payment method, like offline or something else, and saves an order in EE4
> 2. shows a page with a form where the user can write down payment info
> 3. sends an email with this info without saving credit card info

The bank or flexible payment method can do this, the flexible payment method allows you to set a message that will be displayed when they select it, then they click to finalize.

> Otherwise, we need an addon that allows us to save registrations in the backend, but I’m not sure there is an addon able to do this.

You can already add registration in the admin:

Event Espresso -> {hover over event} -> Registrations -> Add new registration

However, you can not process card details through the admin.


simone

July 25, 2017 at 7:18 am

> Following the guide (Q14) is possible.
> What is this?

Sorry I forgot to add the link to the PCI Compliance guide here: https://www.pcicomplianceguide.org/faq/
I mentioned Question 14.

Thanks for your support, I know the troubles in treating card data and the PCI compliance standard. I’m looking for a working and safe solution or I leave it.

Thanks for the support and the time you spent,
Simone


Tony

  • Support Staff

July 25, 2017 at 9:10 am

What Q14 from that link is referring to is tokenization, in which a 3rd party stores the card details on their server and you request a ‘token’ which can be used to reference the details on the 3rd party server and create a ‘charge’.

An example of a 3rd party that uses this is Stripe.

That’s very different from you sending/storing the details on your own server.

> Thanks for your support, I know the troubles in treating card data and the PCI compliance standard.

PCI DSS was introduced for a very valid reason, to protect card holder/related details from falling into the wrong hands. If you can think of a simple solution that you think may work around that then PCI DSS wouldn’t have been needed in the first place, so that solution is likely invalid (or requires PCI certification anyway).

> I’m looking for a working and safe solution or I leave it.

The easiest, safest solution is to use one of the 3rd party providers to do most of this for you, again an example of this is Stripe. Then use one of our payment methods that utilise the above setup:

https://eventespresso.com/product/eea-stripe-gateway/
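
The tokenization flow described in the reply above, as an added sketch that is not part of the original thread and is not Stripe's or Event Espresso's code. `TokenProvider`, `createPendingRegistration` and `containsCardNumber` are hypothetical names, the provider is an in-memory stand-in, and single-use tokens are an assumption of the sketch:

```javascript
// Added sketch, all names hypothetical: in-memory stand-in for a third-party tokenization provider.
const crypto = require('crypto');
class TokenProvider {
  constructor() { this.vault = new Map(); } // token -> card, held only by the provider
  // Called from the customer's browser, so the card never reaches the merchant.
  tokenize(card) {
    // Digits are mapped to letters so a token can never look like a card number.
    const token = 'tok_' + crypto.randomBytes(12).toString('hex').replace(/\d/g, d => 'ghijklmnop'[d]);
    this.vault.set(token, { card, used: false });
    return token;
  }
  // Called by the merchant's server, which presents the token only.
  charge(token, amountCents) {
    const entry = this.vault.get(token);
    if (!entry) return { ok: false, reason: 'unknown_token' };
    if (entry.used) return { ok: false, reason: 'token_already_used' }; // assumption: single-use
    entry.used = true;
    return { ok: true, amountCents, last4: entry.card.number.slice(-4) };
  }
}

// Merchant side: the pending registration keeps the token, not the card.
function createPendingRegistration(regId, token, amountCents) {
  return { regId, status: 'pending', amountCents, paymentToken: token };
}

function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Check for stored, logged or emailed text: flags 13-19 digit runs that pass Luhn.
function containsCardNumber(text) {
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some(r => luhnValid(r.replace(/[ -]/g, '')));
}

function demo() {
  const provider = new TokenProvider();
  const token = provider.tokenize({ number: '4242424242424242', expiry: '12/30' }); // constructed test card
  const stored = JSON.stringify(createPendingRegistration('REG-1', token, 5000));
  const charges = [provider.charge(token, 5000), provider.charge(token, 5000)];
  return { stored, leaked: containsCardNumber(stored), charges };
}
```

Running `containsCardNumber` over a registration record or an outgoing email body is the same check in both cases: the tokenized record passes, while a message carrying the raw number is flagged.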


simone

July 28, 2017 at 4:42 am

Thanks Tony,

I already developed a gateway last year using your free plugin for custom gateway with AIB bank.
So, I was able to explain to our customer that custom gateway and check are the only solutions allowed by PCI DSS.

Thanks again for your support,
Simone

The support post ‘Credit Card Offline Payment Option’ is closed to new replies.
