You can now store your card for later use.

When making any purchase with a credit or debit card, you can now select the option to save your card for later use.



If your payment is successful, that card will be remembered for later use. You'll be able to select it during your next checkout without retyping the info every time. Simple, straightforward, and probably very familiar.


We're taking advantage of tried and tested industry-standard solutions used across the world today. Among other things, this means your entered payment data isn't actually kept anywhere on GOG.com. Once your bank approves the purchase, your entered card number is replaced with a unique, encrypted token that can be used only by us to process your future payments, and which cannot be reverse engineered to resolve your card number and data. From time to time, we'll also ask you to verify your information based on a number of security factors, like if you haven't used that card in a long time.

While it's not required, we also strongly recommend enabling Two-Step Login before saving your payment details.

Keep in mind that you can easily remove your saved payment method through the My Account / Orders section. We'll also automatically invalidate all payment tokens for any account that hasn't been used in a long time.


We hope the feature turns out to be particularly useful soon, when you may just feel compelled to click really, really fast.
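The token scheme described in the announcement above, sketched as an added example; it is not GOG's or any payment processor's code. `TokenVault`, the merchant IDs, the 90-day idle limit and the card number are constructed for illustration.

```python
import secrets


class TokenVault:
    """Stand-in for the party that keeps real card numbers (not the shop)."""
    def __init__(self, max_idle: int):
        self.max_idle = max_idle          # seconds of inactivity before a token dies
        self._records = {}                # token -> {"pan", "merchant", "last_used"}

    def tokenize(self, pan: str, merchant: str, now: int) -> str:
        # The token is random, not derived from the card number, so there is
        # nothing to "decrypt": only a lookup in this vault resolves it.
        token = secrets.token_urlsafe(24)
        self._records[token] = {"pan": pan, "merchant": merchant, "last_used": now}
        return token

    def charge(self, token: str, merchant: str, cents: int, now: int) -> str:
        rec = self._records.get(token)
        if rec is None:
            return "declined: unknown or revoked token"
        if rec["merchant"] != merchant:
            return "declined: token not issued to this merchant"
        if now - rec["last_used"] > self.max_idle:
            del self._records[token]
            return "declined: token invalidated after inactivity"
        rec["last_used"] = now
        return f"approved: {cents} cents on card ending {rec['pan'][-4:]}"

    def revoke(self, token: str) -> None:
        self._records.pop(token, None)    # "remove saved payment method"


def demo() -> dict:
    vault = TokenVault(max_idle=90 * 86400)
    pan = "4111111111111111"              # constructed test card number
    token = vault.tokenize(pan, "shop-a", now=0)
    shop_db = {"user": "alice", "card_token": token, "last4": pan[-4:]}
    out = {"shop_db_has_pan": pan in repr(shop_db)}  # what a shop breach would leak
    out["shop_a"] = vault.charge(token, "shop-a", 999, now=86400)
    out["shop_b"] = vault.charge(token, "shop-b", 999, now=86400)
    out["idle"] = vault.charge(token, "shop-a", 999, now=86400 + 91 * 86400)
    fresh = vault.tokenize(pan, "shop-a", now=0)
    vault.revoke(fresh)
    out["revoked"] = vault.charge(fresh, "shop-a", 999, now=1)
    return out


if __name__ == "__main__":
    print(demo())
```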
gamesfreak64: Just a question: isn't Steam using something like this?
JMich: No. Steam saves the full CC details and does not use a token. Unless that has changed recently.
I accidentally saved it the first time as it was selected by default.
Bought something else by accident and support wouldn't refund me. :l
Haven't used a credit card for Steam since.
Sure seemed like full CC details were saved.
Post edited March 18, 2016 by omega64
HereForTheBeer: WHO stores the card info and issues the token? Is it an agreement with my issuing bank, or is it gOg's merchant account processor? The latter would make more sense as I imagine not all banks have the token system in place.
Actually it's normally neither, it's the credit card company.

For example:

https://usa.visa.com/partner-with-us/payment-technology/visa-token-service.html#4 (Disclaimer: I don't know if it's the system GoG is using but I suspect it's something similar)

HereForTheBeer: And, do you know of any other stores that use this? I mean, is it really widespread and we've just never heard about it because it generally works so seamlessly that there's no reason to raise a hoopla, or is it pretty new and not yet in widespread use?
Actually there are a few; several shops I buy from now offer the possibility (usually direct credit card, PayPal or "token"); most of the time it's using the "PayPal Billing Agreement" method.

As for shops using it... well you have Steam.
JMich: No. Steam saves the full CC details and does not use a token. Unless that has changed recently.
Are you sure about that? The last time I made a purchase on Steam (a couple of weeks ago) it offered me to create a "PayPal Billing Agreement", which is basically PayPal's version of the Token thingy.

But maybe it depends on the billing region...
Post edited March 18, 2016 by Gersen
This seems to be the key statement in the news post which does mean that they DID keep to their promises:

" your entered payment data isn't actually kept anywhere on GOG.com. "
hedwards: They used to try hard, now they're phoning it home at best. I can't help but wonder if that has anything to do with why TET is no longer here. The people running the place have done a pretty good job of pissing people off and general obliviousness when things like region pricing and such are being announced.

I've significantly cut down on my purchases here in large part because of the disrespectful way that the ownership has been handling the changes.
...
No, whenever it's come up they said they weren't doing it because of the security problems related to it. They've done an about face and have the gall to make it sound like this isn't a security problem.
Uh...you've been here long enough to remember all of TET's screwups. He wasn't perfect, and some of the things he did caused a lot of forum outrage.

It sounds like they've solved the security problems by not storing anything that can be used at another store. So yeah, they're still not doing anything insecure afaik. Plus, the site security upgrade and all that.


Kristian: This seems to be the key statement in the news post which does mean that they DID keep to their promises:

" your entered payment data isn't actually kept anywhere on GOG.com. "
Exactly. They're storing a single-site token that won't work elsewhere.

I have no idea why hedwards is so upset about this - GOG isn't breaking any promises, they are delivering more convenience, and they've clearly been thinking about security because they've upgraded the whole site. The only thing I can think of is that hedwards didn't actually read the post.
Post edited March 18, 2016 by Gilozard
JMich: No. Steam saves the full CC details and does not use a token. Unless that has changed recently.
Gersen: Are you sure about that? The last time I made a purchase on Steam (a couple of weeks ago) it offered me to create a "PayPal Billing Agreement", which is basically PayPal's version of the Token thingy.

But maybe it depends on the billing region...
No, I'm not sure. Last time I purchased something through Steam, it was in January with a debit card, and Steam would remember the full details, even if it wouldn't show all the digits to me. No idea how it interacts with PayPal.
Two questions to GOG staff BEFORE I tick the store card option...
1. Can I store more than one card?
2. Is there any way to remove an already stored card? (other than its expiring after a few years...)
IFW: Two questions to GOG staff BEFORE I tick the store card option...
1. Can I store more than one card?
2. Is there any way to remove an already stored card? (other than its expiring after a few years...)
Good questions. I hope a blue one can answer them. Maybe not on Friday nights though. :)
IFW: 1. Can I store more than one card?
2. Is there any way to remove an already stored card? (other than its expiring after a few years...)
1. I don't know.
2. This is answered in the NEWS post.
Gersen: ,<stuff>
Thanks for the answers. Guess I'll be keeping an eye open for tokens mentioned on store sites. Don't recall seeing that before.
IFW: Two questions to GOG staff BEFORE I tick the store card option...
1. Can I store more than one card?
2. Is there any way to remove an already stored card? (other than its expiring after a few years...)
Yes and yes.
Nice feature and I'll probably use it once my current card expires.
GoG has made my card number enter my muscle memory so buying really isn't harder than a mouse click.
IFW: Two questions to GOG staff BEFORE I tick the store card option...
1. Can I store more than one card?
2. Is there any way to remove an already stored card? (other than its expiring after a few years...)
Destro: Yes and yes.
Thanks for the answers. :)
Johny.: If we even, speculating, theoretically, got hacked (no we won't! :P ), only thing that hackers could do with those tokens is make GOG.com payments, nothing more. :)

update: he wouldn't be even able to do GOG.com payments. So no payments for hackers.
Even when this is the most secure way to store payment details there's still the risk an account gets compromised. And while a hacker in the past has been lucky when he got an account with a lot of games he now may even be more lucky when he gets an account with a stored credit card to purchase all the missing games.

I would prefer when GOG would change their two step login so that it does not require persistent cookies and more people could use it (seeing how many people complained about that). Without more secure accounts storing credit cards for later use only means increasing the risks.
eiii: Even when this is the most secure way to store payment details there's still the risk an account gets compromised. And while a hacker in the past has been lucky when he got an account with a lot of games he now may even be more lucky when he gets an account with a stored credit card to purchase all the missing games.

I would prefer when GOG would change their two step login so that it does not require persistent cookies and more people could use it (seeing how many people complained about that). Without more secure accounts storing credit cards for later use only means increasing the risks.
At least CC payments can be revoked rather easily, which will make short work of bought gift codes and redeemed games.
Hacked accounts are probably the biggest weakness in this concept. But the current two-step auth should make this a lot harder.

Actually I don't get the cookie paranoia. Clearing everything on exit? That's just crazy. It's wise and important to block tracking cookies and stuff like that, but first-party cookies - where should be the harm in that? If someone is able to steal my session cookie he will do it when it's in use even if I delete it from my computer. A way to prevent this would be to hash the IP address into the cookie - which on the other hand would be a PITA for people with a public IP that often changes (i.e. mobile users).

That said - the concept is very sound, and I will even promote to my bosses to use a similar solution for the site I'm currently developing. Esp. since there are so many easily understandable explanations how it works in this very thread.
eiii: Even when this is the most secure way to store payment details there's still the risk an account gets compromised. And while a hacker in the past has been lucky when he got an account with a lot of games he now may even be more lucky when he gets an account with a stored credit card to purchase all the missing games.
"Cracker" would be asked for security code of that card. And he would have 3 tries only (counted on GOG.com side).

If he would use your card either saved or not saved (keylogger for example) - you would get this money back either way.

eiii: I would prefer when GOG would change their two step login so that it does not require persistent cookies and more people could use it (seeing how many people complained about that). Without more secure accounts storing credit cards for later use only means increasing the risks.
How would you store info about 2-step then, if not in cookies? Based on IP? Then, if you would log in at - let's say internet coffee - in private mode, other person in that place (or local network) wouldn't be asked for the second step of verification. Did you encounter better solutions?


P.S. Still, you have all the rights to not save your card details. :)
Post edited March 20, 2016 by Johny.
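Two ideas debated in the posts above, hashing the IP address into the session cookie and remembering the second login step by IP instead of by cookie, worked through as an added example; this is not GOG's code. The key, user name and IP addresses are constructed, and `issue_cookie` / `cookie_valid` are hypothetical helpers.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed per-run signing key


def _mac(*parts: str) -> str:
    return hmac.new(SERVER_KEY, "\x00".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, ip: str = "") -> str:
    """Signed cookie value; a non-empty ip is hashed into the MAC."""
    nonce = secrets.token_hex(8)
    return f"{user}.{nonce}.{_mac(user, nonce, ip)}"


def cookie_valid(cookie: Optional[str], user: str, ip: str = "") -> bool:
    """Recompute the MAC for the claimed user (and the caller's IP, if bound)."""
    if not cookie or cookie.count(".") != 2:
        return False
    c_user, nonce, mac = cookie.split(".")
    return c_user == user and hmac.compare_digest(mac, _mac(user, nonce, ip))


def scenarios() -> dict:
    home, other, cafe = "203.0.113.10", "203.0.113.99", "198.51.100.7"  # constructed IPs
    plain = issue_cookie("alice")            # ordinary first-party session cookie
    bound = issue_cookie("alice", ip=home)   # IP hashed into the cookie
    trusted_ips = {("alice", cafe)}          # "second step done", remembered by IP
    device = issue_cookie("alice")           # "second step done", remembered by cookie
    return {
        # A copied session cookie presented from another machine:
        "plain_used_from_other_ip": cookie_valid(plain, "alice"),
        # Bound cookie from another IP: a thief and a roaming owner look identical.
        "bound_used_from_other_ip": cookie_valid(bound, "alice", ip=other),
        "bound_used_from_same_ip": cookie_valid(bound, "alice", ip=home),
        # Someone else behind the cafe's shared IP who knows the password:
        "ip_trust_skips_step2_for_stranger": ("alice", cafe) in trusted_ips,
        "cookie_trust_skips_step2_for_stranger": cookie_valid(None, "alice"),
        "cookie_trust_skips_step2_for_owner": cookie_valid(device, "alice"),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```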