Mortimer1066: Every site I use, from Steam, Amazon and sometimes even small indie devs, they let you save your credit card so when you buy things it is just one or 2 clicks. But for some reason GoG makes me enter everything in every time.

Why not allow this? They can even make me reenter the security code every time if they are really worried about safety. It just seems like a hassle to have to re-enter my info every time I want to buy something....especially since there are many other places to buy games easier.
If it is too much to enter your credit card each time then just set up a PayPal account and use that. All you then have to do is enter your PayPal password and all is done.
GOG will also save your decision to use PayPal too.
Mortimer1066: Keeping all info but the one on the back of the card should be safe, but how do steam and amazon not worry about saving the info? They do ask if you want to save it, so if you are at work or don't want to save it then it won't.

Personally for me entering it is a minor inconvenience. For many customers they might choose a competing site to buy from...and regardless of your stance on the security issues, GoG will lose sales, maybe for stupid reasons, but a sale is a sale no matter how dumb of a reason.

And for those worried about hacks, my credit card company watches out for fraud and has issued many new cards when they even think someone may have got my info. Also most hackers will get sale data and not my saved data, so if GoG got hacked we'd all be screwed anyway...since GoG has a record of our purchase somewhere.
Because they're psychopathic assholes that don't worry about the consequences of their behavior.

Really, the better question is why do they store all that information. Mostly they do it to make it easy for people to buy things without having to physically get the card out and type the information in. It's certainly not something they do out of the goodness of their heart, they do it because it makes it more likely that you'll make impulse purchases.

GOG saves the only information they need, the transaction code. It's also basically worthless to anybody that normally likes to steal or defraud people.
tinyE: With all due respect, does GOG want clients who are too lazy to enter a number and their name? :P

Oh wait, almost forgot about that expiration date part. That's some difficult shit! XD
Also that 3 digit security code on the back.
Post edited July 26, 2015 by hedwards
You should actually be glad that they did not even have this sort of idea to put into practice.
A retailer storing credit card information is very very bad for many reasons, so GOG is in the right here. This information should be kept by as few parties as possible - ideally limited to payment services such as PayPal, who are specialised in dealing with this sort of thing. Incidentally, you can use PayPal to pay for your GOG games.

Steam is especially terrible at how they handle credit cards (I'm honestly surprised that they're still permitted to process cards at all, even considering all the money they bring to CC companies), so I'm glad that GOG didn't follow in their footsteps.
It's a psychological hurdle to help prevent people from buying too many games too quickly, so they don't become addicts who need "stop buying games" therapy.
I do see some great points here, since I started buying from GoG I have tried to use it first, if something is really dirt cheap on steam I'll buy it, or if it is not on GoG but seems really good. I do love where they are going with the GoG Galaxy. I do have a feeling that a lot of people would be turned away in favor of simpler systems, and I'd like to see people come to GoG a bit more, whether they be lazy or not, as one of you suggested.

Sales are sales, and getting more people to buy here than from other sites should be their goal. Maybe some of you want to be an elite few that are better than everyone because you use GoG. I want for them to do better, get more sales, use the money to grow and make Galaxy even a better service and maybe get more devs and publishers to offer more DRM free games so that they can get their game on GoG. Everyone nowadays wants their game on steam, and steam is full of horrid games. I'd like to see more newer titles here myself.

As for myself I plan on using GoG as much as I can, I personally don't like PayPal since it is harder to take money out, unless they changed it from a few years back. Though, I'll find something to make it easier or just deal with it, how it is. But many customers won't work with it. They love steam as much as you all love GoG. I'd rather people come up with ways to make it safe and easy than to just post here how horrible and unsafe steam is.

You may love GoG but that does not mean you can't want them to get better...and it shouldn't mean you don't want them to get more sales, even from idiots and lazy people that buy too many games.
While it's common these days to save credit card information, to make purchases easy and thus increase sales, it's also risky. It's risky for the people who keep the credit card data, and it's risky for the end user.

If GOG wants to develop the capability to provide "one click buy" or similar, they should really go with a third party payment processor (e.g. Stripe). The problem is at their volume which isn't amazingly high (amazon, steam) but very high, it will take a notable cut out of their profit margin.
It's a security liability and GOG simply isn't big enough for a firm to come by and say, 'we'll cover that.'
All are valid points, but the situation is usually much simpler than that. If you store sensitive information, you are bound by laws and all sorts of security compliance/conformance requirements. The specifics depend on the kind of sensitive info (health records, financial info, etc...), and of course the jurisdiction that applies to your company (US has very different requirements than the EU).

To satisfy all these requires a lot of investment, from technical changes to your infrastructure, to hiring a bunch of lawyers to take care of the compliance stuff, to getting certified by the authorities in the field and future audits.

In short, GOG probably saves a lot of money by not saving your credit card info.
onarliog: All are valid points, but the situation is usually much simpler than that. If you store sensitive information, you are bound by laws and all sorts of security compliance/conformance requirements. The specifics depend on the kind of sensitive info (health records, financial info, etc...), and of course the jurisdiction that applies to your company (US has very different requirements than the EU).

To satisfy all these requires a lot of investment, from technical changes to your infrastructure, to hiring a bunch of lawyers to take care of the compliance stuff, to getting certified by the authorities in the field and future audits.

In short, GOG probably saves a lot of money by not saving your credit card info.
But just ideas of how to simplify it, couldn't a cookie store it, or the GoG galaxy program, save it and be recalled later? That would be client side, so GoG is not storing it, but my hard drive is. And if someone steals my computer they probably can steal my credit card too :p

For all intents and purposes, ordering would work like steam or amazon for the user, but the program would fetch the stored data on the hard drive when you go to order something. It might still be a little more risky since it is on the PC but not much more than now. And I think would bring a higher volume of traffic.

Everyone is so quick to shoot down others' ideas, and not offer better solutions. I get it, storing data can be bad, so I found a solution that I think satisfies the need of people who want easier check out, and the needs of GoG to avoid safety issues, and like with steam and amazon, it should still be optional, so if you do not like it, don't use it. If someone reads this and still does not like it, ok...but try to come up with something that makes GoG better, and keeps the transaction as safe as it is now, and includes what you want and what I am asking about here.
onarliog: All are valid points, but the situation is usually much simpler than that. If you store sensitive information, you are bound by laws and all sorts of security compliance/conformance requirements. The specifics depend on the kind of sensitive info (health records, financial info, etc...), and of course the jurisdiction that applies to your company (US has very different requirements than the EU).

To satisfy all these requires a lot of investment, from technical changes to your infrastructure, to hiring a bunch of lawyers to take care of the compliance stuff, to getting certified by the authorities in the field and future audits.

In short, GOG probably saves a lot of money by not saving your credit card info.
Mortimer1066: But just ideas of how to simplify it, couldn't a cookie store it, or the GoG galaxy program, save it and be recalled later? That would be client side, so GoG is not storing it, but my hard drive is. And if someone steals my computer they probably can steal my credit card too :p

For all intents and purposes, ordering would work like steam or amazon for the user, but the program would fetch the stored data on the hard drive when you go to order something. It might still be a little more risky since it is on the PC but not much more than now. And I think would bring a higher volume of traffic.

Everyone is so quick to shoot down others' ideas, and not offer better solutions. I get it, storing data can be bad, so I found a solution that I think satisfies the need of people who want easier check out, and the needs of GoG to avoid safety issues, and like with steam and amazon, it should still be optional, so if you do not like it, don't use it. If someone reads this and still does not like it, ok...but try to come up with something that makes GoG better, and keeps the transaction as safe as it is now, and includes what you want and what I am asking about here.
1 - What's the point in trying to armchair-design payment processing systems? You obviously don't work in the field.

2 - You DO NOT want secure data stored as a cookie to be sent to the domain with *every single request* (this is how cookies work). This just makes it that much easier to acquire during redirection attacks on the browser, and is totally not needed.

3 - It wouldn't help anyway, because it would mean that every single request coming from your browser to the domain would contain the sensitive data, so it would be even less controlled, even on the server side.

You claim people are shooting down ideas without offering solutions, but they *are* pointing out solutions. For example I said using Stripe could achieve this, and it would be more secure than the current situation (Stripe's whole business is secure transactions and they have a lot of smart people who've been successful at other online payment organizations). You're just objecting because they don't agree this would be a win.
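
The point in item 2 above, as an added example that is not part of the original post: a simplified version of the RFC 6265 domain, path and Secure matching rules, run over constructed requests to show which of them would carry a site-wide cookie. The hosts, paths and cookie names are assumptions made for the illustration.

```javascript
// Added example: simplified RFC 6265 rules that decide whether a browser
// attaches a stored cookie to an outgoing request.
// All hosts, paths and cookie names are constructed for illustration.

function domainMatch(host, cookieDomain, hostOnly) {
  if (hostOnly) return host === cookieDomain;          // no Domain attribute
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of the cookies the browser would send with a request to `url`.
function cookiesFor(url, jar) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatch(u.hostname, c.domain, c.hostOnly))
    .filter(c => pathMatch(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === "https:")
    .map(c => c.name);
}

const jar = [
  // the idea from the thread: card data in an ordinary site-wide cookie
  { name: "card_data", domain: "shop.example", hostOnly: false, path: "/", secure: false },
  // for contrast: host-only, Secure, scoped to the checkout path
  { name: "checkout_ref", domain: "shop.example", hostOnly: true, path: "/checkout", secure: true },
];

const requests = [
  "https://shop.example/",
  "https://shop.example/images/logo.png",   // static asset
  "https://forum.shop.example/thread/123",  // subdomain
  "http://shop.example/news",               // plain HTTP
  "https://shop.example/checkout/pay",
];

function exposureReport(urls, cookieJar) {
  return urls.map(url => ({ url, sent: cookiesFor(url, cookieJar) }));
}

for (const r of exposureReport(requests, jar)) {
  console.log(r.url.padEnd(40), r.sent.join(", ") || "(none)");
}
```

The site-wide cookie travels with all five requests, including the image fetch, the subdomain and the unencrypted one; the narrowly scoped cookie goes out only with the checkout request.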
Mortimer1066: *snip*
Just like jsjrodman said above, cookies are really, really a bad idea to do this.

Although we have mathematically proven security primitives (i.e. lego blocks of security), using them to actually build a working, secure payment protocol is not an easy task, and without going into technical details, every design choice in the state-of-the-art systems is made for a good reason.

I think you are right that some sort of client-side solution is *technically* possible (but not easy, i.e., how do you secure the stored data on disk? Well, you encrypt it, but where do you store the decryption key in this case? And then how do you secure the key? .... ). The best they could come up with so far are the password managers that can also store autofill data for you. Use that to save your credit card, and you are all set, no need to bother GOG :)

There are non-technical problems there, too. You don't simply take a user's credit card info, and save it on their disk without their knowledge. If you do, there will be consequences for the user since you are increasing their exposure to possible attacks. (Stupid example: What if the user sells his laptop without securely deleting the hard drive?) And there'll be consequences for companies too, that they will get their ass sued on day 1.

User consent is also not an easy task. Good luck designing a good way to convey all that information to non-technical users, making them understand their implications, and still, when you eventually get sued (because you always do), convince the court that you did everything in your power to get informed consent.
Post edited July 27, 2015 by onarliog
jsjrodman: 1 - What's the point in trying to armchair-design payment processing systems? You obviously don't work in the field.

2 - You DO NOT want secure data stored as a cookie to be sent to the domain with *every single request* (this is how cookies work). This just makes it that much easier to acquire during redirection attacks on the browser, and is totally not needed.

3 - It wouldn't help anyway, because it would mean that every single request coming from your browser to the domain would contain the sensitive data, so it would be even less controlled, even on the server side.

You claim people are shooting down ideas without offering solutions, but they *are* pointing out solutions. For example I said using Stripe could achieve this, and it would be more secure than the current situation (Stripe's whole business is secure transactions and they have a lot of smart people who've been successful at other online payment organizations). You're just objecting because they don't agree this would be a win.
*sigh* I do work in the field, not game design but other IT, and it has been awhile since I learned web design but I thought a cookie could be used to just talk to the website when you go there, so like when I go to buy something it could pull that info when I go to check out. But regardless it was a spitball idea, to offer something constructive. You did not, however, say why having the GoG Galaxy save it would not work...nor did you come up with anything that might make GoG offer faster checkout without a 3rd party.

And sadly, while you have a good point, I'd sooner keep my credit card handy, than to go through Stripe, but most potential users will not use it nor go digging for their card. I do not object because nobody agrees, but because everyone is so firm on the idea that the GoG gods that they are can't possibly be seen as not user friendly to a large group of people. This is not really about me, as I said I have my solution to buy games here.

What is the point of arm-chair design? Maybe we could come up with something useful? Make GoG a better place? Make it bigger? Make devs fight to get their games on here like they used to when steam was halfway respectable? It may be pointless, but I tried. Maybe all the GoG fans are too into the way things run here, I know the steam fanbase is horrible nowadays...I would hope here maybe people could kick around some ideas, think outside the box and find a way to get more people involved. Even if you never use it yourself, there is nothing wrong with more sales and games here, I'd probably use it though if it could be made safe, and many who would not buy games here now might start.


@onarliog, you replied while posting

I was seeing it as an option, like when you go to check out, it would say, "Would you like us to store your credit card information on your computer for easy check out next time" and you can tick the check if you want to...or not. It would not have to be encrypted, I'd think they could say if it was or not.
Post edited July 27, 2015 by Mortimer1066
Mortimer1066: I was seeing it as an option, like when you go to check out, it would say, "Would you like us to store your credit card information on your computer for easy check out next time" and you can tick the check if you want to...or not. It would not have to be encrypted, I'd think they could say if it was or not.
Who will take responsibility when GoG gets hacked? The user that ticks the box to store credit card information?
Mortimer1066: It would not have to be encrypted
Oh boy. Believe me, it absolutely has to be encrypted :)

Anyway, websites can't just write arbitrary stuff on your disk, so you would need to go through a third party in any case, like a browser extension at the least. What you want is really one of those password & credential managers that encrypt and save this information on the cloud (so that you can access it on any computer), this is an already solved problem. Another advantage is it automatically works for all websites. This is the correct way to implement it on the client side, and if anybody comes up with a better idea, it is probably wrong. (Creative thinking is really discouraged in the computer security community :) Not kidding.)