  1. #1
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,041

    ClientExec - Your Thoughts?

    Greetings,

    I would like people's opinions and feedback on ClientExec. I guess it will also help others who are looking to replace WHMCS due to the high number of exploits going around.

  2. #2
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Getting thoughts on CE at this point is, well, pointless, since they're releasing 5.0 in a bit. Hell, I might even consider giving 5.0 a go, if they've got their massively troubling issues resolved!
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  3. #3
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,041
    Quote Originally Posted by twhiting9275 View Post
    Getting thoughts on CE at this point is, well, pointless, since they're releasing 5.0 in a bit. Hell, I might even consider giving 5.0 a go, if they've got their massively troubling issues resolved!
    For anyone wishing to move from WHMCS who would you recommend?

  4. #4
    Join Date
    Jun 2006
    Location
    Calgary, Alberta
    Posts
    688
    Quote Originally Posted by twhiting9275 View Post
    Hell, I might even consider giving 5.0 a go, if they've got their massively troubling issues resolved!
    Care to share these "massively troubling issues" that need to be resolved?

  5. Same boat here, Blesta looks nice, but I need Enom integration and it's due next release (3.1)
    Last edited by [email protected]; 10-21-2013 at 07:36 PM.
    Hostabulous | cPanel (Linux) & Plesk (Windows) Hosting KVM VPS R1Soft backups | Proudly Canadian
    Cloudflare LiteSpeed Cloudlinux Remote backups Anti-Spam Web App Firewall Canada/US/Germany

  6. #6
    Join Date
    Apr 2012
    Location
    Toronto, Canada
    Posts
    500
    Quote Originally Posted by [email protected] View Post
    Same boat here, Blesta looks nice, but I need Enom integration and it's due next release (3.1)
    Blesta has the right idea but they really missed a true opportunity to launch with far more modules off the bat. I think it was a mistake launching v3 without many of the most popular things including import scripts.

    You won't get a flock without them being able to import easily. You need to make life easier for people to want to switch.

    Like I said, Blesta has the right idea, open source, appears secure but they have lots to do and they may do it too late.

  7. #7
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,967
    We've been using ClientExec since 2003 and never had any problem. It is not the same with WHMCS when it comes to features but it has everything we need.

    I believe, 5.0 is a boost upgrade from the current version and this is what we are waiting for :-)
    Specially 4 You
    .
    JoneSolutions.Com ( Jones.Solutions ) is on the net 24/7 providing stable and reliable web hosting solutions and services since 2001

  8. We will for sure give it a try once 3.1 is released, might be not too late since the kind is dying with all those exploits lately and no plan to rewrite the core..

  9. #9
    Join Date
    Apr 2012
    Location
    Toronto, Canada
    Posts
    500
    Quote Originally Posted by net View Post
    We've been using ClientExec since 2003 and never had any problem. It is not the same with WHMCS when it comes to features but it has everything we need.

    I believe, 5.0 is a boost upgrade from the current version and this is what we are waiting for :-)
    Good to hear. Have my eyes very much on CE5 release. I've always stood up for CE even though it received flack for some reason by many. Hoping for the best

  10. #10
    I'm going to wait until ClientExec 5.0 is released--we had too many 'niggles' with the current version that we moved over to WHMCS, which we had without problems until recently. I would take a look at the demo on their site and determine if it has the right amount of features for you.

  11. #11
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by benj114 View Post
    Care to share these "massively troubling issues" that need to be resolved?
    1. NO automatic card charging (except for Quantum)
    2. Quantum (the only platform that does charge in advance) charging on invoice date instead of actual due date
    3. MONTHS to get support to actually fix problems
    4. Registrar modules with ZERO bulk actions
    5. Registrar modules just not working half the time


    I went through this for about 6 months last year, wanting it to work, hoping it would, kept getting reply after reply like
    Oops, I forgot that
    I wanted it to work, really, but, when I kept getting the same old same old from staff, it just doesn't work.

  12. #12
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by twhiting9275 View Post
    NO automatic card charging (except for Quantum)
    Woof ... really? That's kind of a major deal.
    Fresh Roasted Hosting :: High-performance Harrisburg web hosting since 2012!
    "The only thing better than the world's best customer service is never needing them in the first place."
    Shared :: VPS :: Reseller :: Dedicated :: Co-Location :: SSL Certificates

  13. #13
    Join Date
    Oct 2004
    Location
    Oneida, NY
    Posts
    2,842
    Quote Originally Posted by FRH Lisa View Post
    Woof ... really? That's kind of a major deal.
    There is automatic credit card charging, you just have to run a batch every day and manually enter a passphrase. I'm pretty sure it is just something to do with security--they use a 2-layer encryption mechanism with the 2nd layer being a passphrase that's not stored on the server.
    Nick Hudson - Prevail Host LLC - http://www.prevail.host/
    Premium Quality cPanel Hosting Services - CloudLinux, LiteSpeed & SSD
    WHMControl - Secure Your Server Logins & Automate Password Changes

  14. #14
    Join Date
    Jul 2008
    Location
    Seminole, OK
    Posts
    1,575
    Quote Originally Posted by twhiting9275 View Post
    1. NO automatic card charging (except for Quantum)
    2. Quantum (the only platform that does charge in advance) charging on invoice date instead of actual due date
    3. MONTHS to get support to actually fix problems
    4. Registrar modules with ZERO bulk actions
    5. Registrar modules just not working half the time


    I went through this for about 6 months last year, wanting it to work, hoping it would, kept getting reply after reply like


    I wanted it to work, really, but, when I kept getting the same old same old from staff, it just doesn't work.
    Wow really? I never heard of such a thing from them. I guess I'll have to do some research and confirm.
    Inode Hosting - Reliable Web Hosting for the right price.
    Shared & Reseller hosting featuring the industry leading cpanel
    99.9% Uptime Guarantee ,30 Day Money Back Guarantee ,24/7 Support
    Established since 2011

  15. #15
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by Nick H View Post
    There is automatic credit card charging, you just have to run a batch every day and manually enter a passphrase. I'm pretty sure it is just something to do with security--they use a 2-layer encryption mechanism with the 2nd layer being a passphrase that's not stored on the server.
    That's not automatic, that's the exact opposite of automatic charging. That's manually charging the card. Huge difference


    Quote Originally Posted by jcarney1987 View Post
    Wow really? I never heard of such a thing from them. I guess I'll have to do some research and confirm.
    To be fair to them, this was about 6 months ago, I'm assuming this was the period where they were focusing more on 5 than the earlier version. That doesn't discount my problems with CE though, they still stacked up like nobody's business unfortunately.

  16. #16
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by Nick H View Post
    There is automatic credit card charging, you just have to run a batch every day and manually enter a passphrase. I'm pretty sure it is just something to do with security--they use a 2-layer encryption mechanism with the 2nd layer being a passphrase that's not stored on the server.
    Ah, I see. That's not much better though. I take it this isn't required for off-site card storage (like Authorize.net or Stripe), is it?

  17. #17
    Join Date
    Sep 2005
    Location
    Sheffield, UK
    Posts
    782
    Quote Originally Posted by Nick H View Post
    There is automatic credit card charging, you just have to run a batch every day and manually enter a passphrase. I'm pretty sure it is just something to do with security--they use a 2-layer encryption mechanism with the 2nd layer being a passphrase that's not stored on the server.
    I doubt that passphrase is actually used to encrypt the data though, otherwise it'd be impossible to let a customer enter it, and encrypt it at the same time.

    You'll probably find they have a system key (usually hard coded and unique per-installation) that is used with an initialization vector to encrypt the data. Most systems do this, and it's still very insecure, but there is little else you can do if you want to store cards, AND allow customers to add them into your system.

    Now, if they don't let customers enter the cards, then it's not a problem...but that does kind of defeat the purpose of accepting cards in the first place. Your average hosting customer won't exactly want to call you to ask to have their card added.

    Personally I'd like to see an end to hosts storing cards themselves. It's just open for massive problems and there's no real reason not to use a secure, well tested 3rd party card storage and processing provider.

  18. #18
    Join Date
    Dec 2004
    Posts
    526
    Quote Originally Posted by Rick-WHSuite View Post
    I doubt that passphrase is actually used to encrypt the data though, otherwise it'd be impossible to let a customer enter it, and encrypt it at the same time.

    You'll probably find they have a system key (usually hard coded and unique per-installation) that is used with an initialization vector to encrypt the data. Most systems do this, and it's still very insecure, but there is little else you can do if you want to store cards, AND allow customers to add them into your system.
    I don't know whether they use it, but it can actually be done quite securely using asymmetric encryption (e.g. RSA)

    Credit card data entered by user can be encrypted using the public key.
    When running the credit card batch they are decrypted using the private key.
    Private key in turn is stored encrypted with password.
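
The layout Maxnet describes above, sketched in Node.js as an added example; it is not part of the post and not ClientExec's code, which this thread does not show. The function names, the RSA-2048/OAEP-SHA256 and AES-256-CBC choices, and the sample card records are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed padding choice for this sketch: RSA-OAEP with SHA-256.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// One-time setup run by the administrator. The passphrase is typed in and
// never written to disk; only the two PEM strings returned here are stored.
function createBillingKeys(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    // The private key is exported already encrypted under the passphrase.
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return { publicKeyPem: publicKey, encryptedPrivateKeyPem: privateKey };
}

// Customer-facing path: a client adds a card. Only the public key is needed,
// so no secret has to be available to the web application.
function storeCard(publicKeyPem, card) {
  const plaintext = Buffer.from(JSON.stringify(card), 'utf8');
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, plaintext).toString('base64');
}

// Daily batch: the administrator supplies the passphrase, the private key is
// unlocked in memory for the duration of the run, and the rows are decrypted.
function runBatch(encryptedPrivateKeyPem, passphrase, storedRows) {
  const privateKey = crypto.createPrivateKey({
    key: encryptedPrivateKeyPem,
    format: 'pem',
    passphrase,
  });
  return storedRows.map((row) => {
    const plaintext = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(row, 'base64'));
    return JSON.parse(plaintext.toString('utf8'));
  });
}

// What someone holding a copy of the code and database, but not the
// passphrase, can do with the stored material.
function canDecrypt(encryptedPrivateKeyPem, passphrase, storedRows) {
  try {
    runBatch(encryptedPrivateKeyPem, passphrase, storedRows);
    return true;
  } catch {
    return false; // missing or wrong passphrase: the private key stays locked
  }
}

function demo() {
  const adminPassphrase = 'constructed-passphrase-kept-off-server';
  const keys = createBillingKeys(adminPassphrase);

  // Constructed sample records (standard test card number, not real data).
  const rows = [
    storeCard(keys.publicKeyPem, { pan: '4111111111111111', exp: '12/30' }),
    storeCard(keys.publicKeyPem, { pan: '4111111111111111', exp: '12/30' }),
  ];

  return {
    // OAEP is randomized, so equal cards do not produce equal database rows.
    identicalCardsShareCiphertext: rows[0] === rows[1],
    batchWithPassphrase: runBatch(keys.encryptedPrivateKeyPem, adminPassphrase, rows),
    decryptWithoutPassphrase: canDecrypt(keys.encryptedPrivateKeyPem, undefined, rows),
    decryptWithWrongPassphrase: canDecrypt(keys.encryptedPrivateKeyPem, 'guess', rows),
  };
}

console.log(demo());
```

The protection covers the stored data only: while a batch is running, the unlocked private key is in the server's memory.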

  19. #19
    Join Date
    Sep 2005
    Location
    Sheffield, UK
    Posts
    782
    Quote Originally Posted by Maxnet View Post
    I don't know whether they use it, but it can actually be done quite securely using asymmetric encryption (e.g. RSA)

    Credit card data entered by user can be encrypted using the public key.
    When running the credit card batch they are decrypted using the private key.
    Private key in turn is stored encrypted with password.
    Ah yes, true. I was under the impression they were still using simple AES on its own though.

  20. #20
    Quote Originally Posted by Rick-WHSuite View Post
    I doubt that passphrase is actually used to encrypt the data though, otherwise it'd be impossible to let a customer enter it, and encrypt it at the same time.
    The passphrase is entered by administration not customer. Of course it is used to encrypt the data. Otherwise what would be the point.
    slack.clientexec.rocks - Come chat with us in our Slack room
    twitter.com/clientexec - Follow Us Today

  21. #21
    Join Date
    Sep 2005
    Location
    Sheffield, UK
    Posts
    782
    Quote Originally Posted by Alberto View Post
    The passphrase is entered by administration not customer. Of course it is used to encrypt the data. Otherwise what would be the point.
    I think you may have misunderstood. I was referring to the comment by NickH regarding the daily credit card run, and entering a passphrase.

    As I stated above I thought you were on AES, which obviously uses a single encrypt/decrypt key and an optional vector. If that was the case, said key would be stored somewhere in the system so that, for example a client can add a credit card without needing to enter the key. If you're on RSA however obviously it's a non-issue as you'll have public/private key combos.

    If clients don't actually add their card numbers themselves, and you don't keep the decryption key stored somewhere on the server, then a single key is fine.

  22. #22
    Quote Originally Posted by Nick H View Post
    There is automatic credit card charging, you just have to run a batch every day and manually enter a passphrase. I'm pretty sure it is just something to do with security--they use a 2-layer encryption mechanism with the 2nd layer being a passphrase that's not stored on the server.
    That is correct Nick. The CC process hasn't changed in a while. This is how it has been for over 11 years. Initially a small percentage of our customer base complained, but over the months they realized how security is far more important than convenience of having something stored on the server via config file or db.

    <<snipped>>

    Tom, above, was correct though. We had a horribly written plugin for Quantum Vault that required passphrases on CCs not even stored on the server, which was silly. He also accurately guessed that it was during the phase where we were deep in migration to 5.0 and for that I personally apologize and have done so privately already.

    <<snipped>>
    Last edited by bear; 10-22-2013 at 09:12 AM.

  23. #23
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by Alberto View Post
    We had a horribly written plugin for Quantum Vault that required passphrases on CCs not even stored on the server, which was silly.
    Does this mean that you don't require the password when batching cc's for off-site storage as with Authorize.net or Stripe? What about alternative gateways such as PayPal or Google?

  24. #24
    @FRH Lisa

    Does this mean that you don't require the password when batching cc's for off-site storage
    That is correct with 5.0.

    What about alternative gateways such as PayPal or Google?
    Google checkout is going the way of the dodo I'm afraid but Paypal, 2checkout and the like would not require passphrases.

  25. #25
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by Alberto View Post
    Google checkout is going the way of the dodo I'm afraid but Paypal, 2checkout and the like would not require passphrases.
    I was referring to Google Wallet, which is sticking around. But that's good to hear.

  26. #26
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    Quote Originally Posted by FRH Lisa View Post
    I was referring to Google Wallet, which is sticking around. But that's good to hear.
    Google Wallet isn't sticking around for service providers. They are gearing it towards their App store and physical goods only.
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  27. #27
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by VN-Ken View Post
    Google Wallet isn't sticking around for service providers. They are gearing it towards their App store and physical goods only.
    Oh really? That's news to me. We don't use them ourselves, thanks to their laughably bad service. Good riddance then.

  28. #28
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    Quote Originally Posted by FRH Lisa View Post
    Oh really? That's news to me. We don't use them ourselves, thanks to their laughably bad service. Good riddance then.
    We used them - they have been OK up til recently. Payouts are now taking 4-5 days vs. the 2-3 days they used to be able to do.

  29. #29
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by VN-Ken View Post
    We used them - they have been OK up til recently. Payouts are now taking 4-5 days vs. the 2-3 days they used to be able to do.
    Our big problem was that there was no way to reach out to them when problems arose. Everything was community support in a forum plus an email autoresponder system. Supposedly they have since improved, but we have no desire to use them.

    Bringing this back to CE5, I'll be happy if they support Stripe with offsite storage (and if not, then Quantum Vault) and PayPal. We're split about 50/50 right now, but the non-PayPal side is growing. The market is begging for innovation and stability now. This could be their time to shine.

  30. #30
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    To be completely fair to CE, they actually modified the CDG plugin to be 'automatic'. AFAIK, that's the only one that is, though, again, it's been about a year since I toyed with their system.

    As mentioned, he did apologize, which says a lot about the company, and is probably the only reason I'd give 5.0 another shot (I think this is actually my 3rd shot with CE over the years). Truth be told, as long as the domain issues are fixed (there were a ton of issues with stargate/resell), it'd bring me back in a heartbeat. Transferring domains, registering domains, etc, in bulk, it's a mess. Even modifying them, the process is just painstaking.

    Then of course, the all important WHMCS import, and being able to add my custom stuff (server monitoring, details, etc) to front and backend without terrible issues. Yeah, I know, good luck with that.

  31. #31
    Does CE 5 support "spreedly"?

    https://spreedly.com/

    Seems like a pretty solid way to handle credit card "storage" by essentially not storing credit cards.
    Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider.
    * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!

  32. #32
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by mrzippy View Post
    Are you kidding?
    $150/month minimum just to store cards? Sorry, not going to be something your average host would utilize, especially when CDG and Authnet do the same thing, the first for nothing

  33. #33
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by twhiting9275 View Post
    Are you kidding?
    $150/month minimum just to store cards? Sorry, not going to be something your average host would utilize, especially when CDG and Authnet do the same thing, the first for nothing
    Hah - nope! PayPal, Quantum, Authorize.net, and Stripe are all around 2.9% + $.30 (Quantum has a $10 monthly fee) -- and they all store credit cards securely off site.

    This sounds like a solution in search of a problem.

  34. #34
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by FRH Lisa View Post
    Hah - nope! PayPal, Quantum, Authorize.net, and Stripe are all around 2.9% + $.30 (Quantum has a $10 monthly fee) -- and they all store credit cards securely off site.

    This sounds like a solution in search of a problem.
    You're comparing 'card storage' with 'card processing'.

    Paypal charges nothing to store the card
    CDG charges nothing to store the card securely via Quantum if you're a customer.

    Both of these companies merely charge the usual fees (which spreedly does on TOP of $150/month)

    Authnet does, but I think it's a very reasonable fee (forget, and can't look it up right now).

    Spreedly? A minimum $150 just to store the card. THEN you have to pay your processor (CDG/Authnet/Paypal/Stripe) fees AND their processing fees. Talk about paying out way more in fees than are necessary

  35. #35
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by twhiting9275 View Post
    You're comparing 'card storage' with 'card processing'.
    I know - that was my point.

    It's far cheaper (and frankly more sensible) to let your payment provider store the card data off-site for only processing fees than it is to pay $150 / month plus processing fees.

  36. #36
    Join Date
    Sep 2005
    Location
    Sheffield, UK
    Posts
    782
    Quote Originally Posted by twhiting9275 View Post
    That's not automatic, that's the exact opposite of automatic charging. That's manually charging the card. Huge difference
    The thing is though - if you aren't using that method, you aren't storing card securely.

    At no point should it be possible to view your customers' credit cards, without entering a passphrase that is not stored on the server (even in encrypted form). By not doing that, you may as well not bother securing cards at all as it'll be ridiculously trivial for someone to get access to them.

    Clientexec have it set up correctly. Sure, it's a pain in the ass to have to manually enter a passphrase, but realistically that's a heck of a lot better than having to explain to your clients that you knowingly used an insecure method of storing their credit card details.

  37. #37
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by Rick-WHSuite View Post
    The thing is though - if you aren't using that method, you aren't storing card securely.
    That is your opinion

    Quote Originally Posted by Rick-WHSuite View Post
    At no point should it be possible to view your customers' credit cards
    Who said anything about viewing them? We're talking about decrypting card information and processing it. HUGE difference.

    One shouldn't have to manually charge cards, no matter what system you're using. If that's the case, you might as well just not store the card information at all. The POINT of a billing system is to automatically bill your clients and handle their payments, not to make more work for you. If they're doing the job 'correctly', then how is it that everyone ELSE is doing it incorrectly? Hmm? The fact is that CE is NOT doing this job correctly, and hasn't been since inception.

    This gets back to the old argument of
    Is everyone else wrong, or is it just me?
    When the world tells you you're doing things wrong, and everyone else does things a different way (the same way, even) amongst your peers, then, clearly it's not everyone else.

    Now, personally, this is a non-issue for me any more, as they have made QV charge automatically (hopefully, on time, not on invoice date!), but not everyone has that option. This kind of a system shouldn't ever require someone to login just to process a card. Modernbill didn't do it, WHMCS doesn't do it. NO OTHER billing app does this (that I'm aware of).

  38. #38
    Join Date
    Sep 2005
    Location
    Sheffield, UK
    Posts
    782
    Quote Originally Posted by twhiting9275 View Post
    That is your opinion
    Maybe so. It's your opinion that my opinion is invalid though.

    Quote Originally Posted by twhiting9275 View Post
    Who said anything about viewing them? We're talking about decrypting card information and processing it. HUGE difference.
    It's essentially the same thing as far as a system is concerned.

    The difference is - if you store a credit card using a simple reversible encryption, if someone is able to get a copy of your code, and database - you're completely screwed. They will have copies of all those cards.

    Now take the passphrase method. Because the private key used to decrypt cards is encrypted itself, even if someone gains access to your server and database, they don't have those card numbers, as they can't decrypt them.

    Whilst I appreciate that it's a pain in the ass - it's about security. There are ways to still process cards without needing to enter the passphrase. One such way would be to have a disconnected server, remotely communicate, essentially entering the passphrase each time it's run.

    Quote Originally Posted by twhiting9275 View Post
    The POINT of a billing system is to automatically bill your clients and handle their payments, not to make more work for you. If they're doing the job 'correctly', then how is it that everyone ELSE is doing it incorrectly?
    You're right. The point is to make things a heck of a lot easier, automating everything for you. Ideally you'll never, ever store credit cards, and instead have them stored by a 3rd party who has the correct, certified hardware, staff, and software. You'll then have your billing system use their API and make highly secure payments.

    Surely that's way better than hoping your own servers are secure enough, so you can focus on running your hosting business instead.

    Quote Originally Posted by twhiting9275 View Post
    When the world tells you you're doing things wrong, and everyone else does things a different way (the same way, even) amongst your peers, then, clearly it's not everyone else.
    Not 100% sure what you're getting at there, but let's take a hypothetical example. Until about 2 years ago a VERY popular billing system in the hosting industry didn't encrypt a thing. Tell me, since everyone used their product happily, did that mean they were doing it the right way?

    Quote Originally Posted by twhiting9275 View Post
    Now, personally, this is a non-issue for me any more, as they have made QV charge automatically (hopefully, on time, not on invoice date!), but not everyone has that option. This kind of a system shouldn't ever require someone to login just to process a card. Modernbill didn't do it, WHMCS doesn't do it. NO OTHER billing app does this (that I'm aware of).
    WHMCS was also hacked and someone gained access to all their credit card data not long ago - that should tell you how secure that method is/was.

    As far as I'm concerned if you want to store credit cards insecurely, go nuts and feel free to do just that - the option is there to do it. However the option is also there to do it right (IMO of course), so that you're ensuring at no point can the wrong person view credit card data.

    At the end of the day it's your business. Clientexec obviously don't want to be responsible for offering a credit card storage solution that they know can easily be reversed, so feel they have taken steps to ensure they store them in a secure way. Good on them is what I say.

  39. #39
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by Rick-WHSuite View Post
    Ideally you'll never, ever store credit cards, and instead have them stored by a 3rd party who has the correct, certified hardware, staff, and software.
    of course, which is why I swapped out to Quantum as soon as it became a feasible alternative. Let THEM worry about PCI, I'm bulletproof as far as I'm concerned

    Quote Originally Posted by Rick-WHSuite View Post
    Not 100% sure what you're getting at there
    Of course you are, you just don't want to actually admit the point.
    Everyone else for the past god knows how many years, even the old, decrepit modernbill does this the same, exact way. The fact is that CE is not following industry standards here, end of story.

  40. #40
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    Quote Originally Posted by twhiting9275 View Post
    Of course you are, you just don't want to actually admit the point.
    I understand what Rick is saying, and he has a valid point. If your server is capable of decrypting the card data on its own, then it's not secure. Period. Because in order to decrypt the card data, all you have to do is order the billing system to decrypt it. You don't even need the encryption key, you just need to convince the billing system that it's time to read out the card data.

    He is 100% correct in saying that this is not as secure as requiring a password during decryption.

    It's definitely not convenient, but that's why we have offsite storage with tokenized payments.