How secure is credit card info in eWay plugin

-- HikaShop version -- : 2.5.0
-- Joomla version -- : 2.5.28
-- PHP version -- : 5.4.44
-- Browser(s) name and version -- : Chrome 44.0.2403.155 m

We are using the eWay plugin for event bookings. I have attached an image of our checkout page which seeks credit card info as part of this payment method. It is not an SSL page as we understand that the information is not actually received or stored on our server but is received directly at the eWay server.

We'd like to confirm this and also to know the best way to describe the security of this process to our customers - some of whom are suspicious to apparently providing credit card info on a form on a non SSL page.

Mmm... so obvious question, which one are we using? I selected the only eWay payment plugin showing in the payment plugin list titled "HikaShop eWAY payment plugin" thinking it was the Rapide version you described. I don't see any other eWay plugin in the list. We have the Business version.

Thanks. I just install it using Joomla Extension Mgr? And its compatible with both J2.5.28 and J3.4?

Hi Jerome/Nicholas,

I tried installing it on our J2.5.28 site using the normal Extension Manager and received an error message as per the attached image.

Just had a chat session with eWay customer support (attached).

Thanks Jerome.

I extracted the zip file locally, removed the language line and then rezipped it. I installed this new eWay.zip file on the J2.5.28 site and received a slightly different error message, about not finding the eWayrapid.php file in the tmp directory (see attached).

Thanks Jerome.

Install on J3 Dev site. Install went fine, without error messages. However when I go to configure the plugin I see some warning/error messages - I have uploaded a screen shot with these highlighted.

Install on J2.5.28 Live site. I edited your ewayrapid_j15.xml file to change the coded version number from 1.5 to 2.5 and then renamed this file ewayrapid.xml, rezipped the collection using PeaZip, and this installed without error messages. The plugin configuration screen opened without any warnings/error messages etc.

In both versionss I note that the plugin configuration asks for username and password whereas the standard eWay plugin provided by Hikashop asks for eWay customer id. I live chatted with eWay customer service and they advised this was for an API key and password which i have since established and used. However testing this on the J2.5.28 live site returned a blank page when selecting this payment method at Hikashop checkout. The URL bar shows www.sag.org.au/hikashop-menu-for-categor...out/step/step-2.html but no content displays and viewing the page source returns nothing. (In case it is relevant I restricted access to this payment method to a user group so that I could hide it from our normal customers.)

Can you help me get over these two current hurdles?

I also spoke to eWay about whether they would offer and maintain an eWay Rapid payment plugin for Hikashop and my chat partner said he would pass on the request to their dev team but said it would depend on the number of Hikashop users who were interested in eWay (which I could not provide). Hopefully they will contact you about this, or alternately you might want to contact them.

From my client's viewpoint we want a reliable eWay payment method that captures credit card info on the eWay server rather than our site and I think we were given to understand that Hikashop Business offered this before we committed to it. If eWay do not take up the project, could you provide and maintain the Rapid plugin including in a J3 compatible form?

Thank you, Nicolas. We appreciate your stepping in.

This is the error reported on the J2.5.28 live site with maximum reporting, after installing your new ewayrapid plugin and selecting it as payment method in the Hikashop checkout:
"Fatal error: Cannot redeclare class EwayPayment in [...]/public_html/plugins/hikashoppayment/ewayrapid/eWAY/RapidAPI.php on line 496"

Also uninstalled old and installed new plugin on J3.4 dev site (without problems) and received the same error with a test transaction:
"Fatal error: Cannot redeclare class EwayPayment in [...]/public_html/j3/plugins/hikashoppayment/ewayrapid/eWAY/RapidAPI.php on line 496"

Note on J3.4 site still receiving some error warnings on plugin configuration screen:
"Strict Standards: Only variables should be assigned by reference in [...]/public_html/j3/plugins/hikashoppayment/ewayrapid/ewayrapid.php on line 441

Strict Standards: Only variables should be assigned by reference in [...]/public_html/j3/plugins/hikashoppayment/ewayrapid/ewayrapid.php on line 448"

Sorry for the delayed response. Other parts of life intruded.

I unpublished the eWay plugin on the dev j3.4 site, cleared the site cache and tested a transaction. The eWay payment option did not appear but choosing the eWay rapid payment option and clicking next still produces:

"Fatal error: Cannot redeclare class EwayPayment in /home/sagorg/public_html/j3/plugins/hikashoppayment/ewayrapid/eWAY/RapidAPI.php on line 496 "

Do I need to uninstall the eWay plugin rather than just unpublish it? Or is it some other problem?

I can send you login credentials to the dev site if this helps.

Hi,

Unpublishing the plugin should have solved your issue, but you can still try to uninstall it.

I checked in the code and this class is indeed declared only in two places, the eway plugin and the ewayrapid one.
So disabling or uninstalling one of the plugins must solve that issue.

Well I uninstalled the eWay plugin on our Dev J3.4 site, cleared the cache and reran an eway rapid test transaction and certainly proceeded further than before - I have attached three images showing the error page that was returned.

Can I send you login credentials to this Dev site so you can investigate further? If so how do I do this securely?

David

Hi,

You can send the login credentials via our contact form, so a backend and a ftp access are required.
Please give the url of that topic in the message.
www.hikashop.com/support/contact-us.html

Done and thanks for looking at this.

When looking at this, remember we have both Hikashop and Virtuemart on this site. Virtuemart is used for physical shop stuff and Hikashop is used solely for event bookings (with JEvents).

David