    encryption requirement and/or removal of encryption

    Currently we use the PayFlowPro payment gateway, which does not store the CC number but only the authorization of the cards. Originally in Wombat we had to turn on the order encryption to "pass" that step on the PA-DSS checklist.

    Is it still required under the PCI rules to do order encryption when you don't store CC information in the order, and if not, how do you remove the encryption so I don't have to enter the passphrase to decrypt already encrypted information on every order to charge the card or print an invoice?

    Thanks

    #2
    Re: encryption requirement and/or removal of encryption

    Yes, you always need to have encryption enabled even if you don't store the card number.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #3
      Re: encryption requirement and/or removal of encryption

      I don't retain or store credit card numbers and never have but I still need an up-to-date encryption key and passphrase. The one that I am using dates back to 2010 so it clearly must be replaced. The problem is that I cannot create a new one because I cannot remember the old one.

      PCI-DSS requires that a strong passphrase be used containing 23 characters of gibberish and that it not be written down or stored. My brain is inadequate for that task and I am pretty sure that the requirements for nuclear missile launch codes are less stringent.

      So, I'm stuck between two ridiculous PCI requirements, encrypting data that does not need encryption and memorizing my 23 character missile launch code.

      Anyone have any ideas? I'll bet the guy that hacked into the Target database could help here.
      Bill Dunn
      SunCam, Inc.
      http://www.SunCam.com
      [email protected]



        #4
        Re: encryption requirement and/or removal of encryption

        Actually our tool can solve this problem. Just archive your old data and it'll let you update without knowing your old key.

        If you need help, check the reference guide: www.mivamerchant.com/conference or contact support and they'll help.
        Thanks,

        Rick Wilson
        CEO
        Miva, Inc.
        [email protected]
        https://www.miva.com



          #5
          Re: encryption requirement and/or removal of encryption

          OK, so archiving just removes the payment information (which I do not retain anyway), but everything else is available for an end-of-month batch report. Archiving is not reversible, so I am a little nervous about archiving ALL orders.
          Last edited by SunCam; 01-18-14, 12:03 PM.
          Bill Dunn
          SunCam, Inc.
          http://www.SunCam.com
          [email protected]



            #6
            Re: encryption requirement and/or removal of encryption

            Correct, it only deletes the references to the payment data (such as your auth code and last 4), but you're right, it's not reversible without restoring from backup.
            Thanks,

            Rick Wilson
            CEO
            Miva, Inc.
            [email protected]
            https://www.miva.com



              #7
              Re: encryption requirement and/or removal of encryption

              Hi Rick: This thread prompted me to look at our PA-DSS checklist. I see a number of fails there. Is there guidance provided by Miva as to how these fails can/should be resolved?
              That Launch Encryption Key Wizard link at the bottom of the page scares the hell out of me. What kind of consequences might I encounter by doing that?
              Any help understanding what this is about will be appreciated.
              Larry
              Luce Kanun Web Design
              www.facebook.com/wajake41
              www.plus.google.com/116415026668025242914/posts?hl=en




                #8
                Re: encryption requirement and/or removal of encryption

                If you'd like, email me a screenshot of your checklist and I'll point you in the right direction.
                Thanks,

                Rick Wilson
                CEO
                Miva, Inc.
                [email protected]
                https://www.miva.com



                  #9
                  Re: encryption requirement and/or removal of encryption

                  Hi Rick: I just opened a support ticket on this:
                  "Hello support: I'm trying to clean up our PA-DSS checklist failures. Can you help me understand the following issues?
                  1. Primary Database not Located on Web Server: Shows it is on localhost. Why?
                  2. Primary Database Password Encrypted. How can this be fixed?
                  3. Private Keys Stored in Secondary Database. How is this fixed?
                  4. Private Key Database on Different Server Than Primary Database? How is this fixed?
                  5. Private Key Database Password Encrypted ???
                  6. Order Encryption Enabled For all Stores ???
                  7. Current Order Encryption Key Less Than 1 Year Old For all Stores. Will this be fixed if #6 is fixed?
                  8. Current Order Encryption Key Created Post-Upgrade For all Stores. Fixed with #6 above?

                  What does the encryption migration wizard do?"

                  The above are all fails that need fixing.
                  Last edited by wajake41; 01-19-14, 03:15 PM.
                  Larry
                  Luce Kanun Web Design
                  www.facebook.com/wajake41
                  www.plus.google.com/116415026668025242914/posts?hl=en




                    #10
                    Re: encryption requirement and/or removal of encryption

                    #1 has to do with where your dbase is located, support can help you with that.

                    The Migration wizard solves these:

                    2. Primary Database Password Encrypted. How can this be fixed?
                    3. Private Keys Stored in Secondary Database. How is this fixed?
                    4. Private Key Database on Different Server Than Primary Database? How is this fixed? (this has to be fixed in conjunction with us moving #1 though)
                    5. Private Key Database Password Encrypted ???

                    Yes, 6, 7 and 8 should all be fixed with adding (or updating) your encryption key.


                    Thanks,

                    Rick Wilson
                    CEO
                    Miva, Inc.
                    [email protected]
                    https://www.miva.com

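To make the eight checklist items quoted in post #9 concrete, here is an added Python example (not Miva's code and not the Miva checker or wizard) that evaluates them against a store configuration, using the reading of the items given in posts #10 through #14: the primary database must not sit on the web server (localhost, a loopback address or a Unix socket path), the key store must be on a different server from the primary database, and every store needs order encryption with a key that is both under a year old and newer than the last upgrade. The check names are the thread's; the pass/fail rules, the configuration layout and the three sample configurations are assumptions constructed for this example, modelled on the situations described in posts #13, #12 and #3.

```python
"""PA-DSS checklist evaluator for the eight items listed in this thread.

Added example, not Miva's own checker: the check names are the ones the
thread quotes, the pass/fail rules are this example's reading of them,
and the configurations below are constructed to mirror the thread."""
from datetime import datetime, timedelta, timezone
import ipaddress

LOCAL_NAMES = {"", "localhost", "localhost.localdomain"}
KEY_MAX_AGE = timedelta(days=365)   # "less than 1 year old"


def _bare_host(host: str) -> str:
    """Lower-case a DB host string and drop a trailing :port or [] brackets."""
    h = host.strip().lower()
    if h.startswith("[") and "]" in h:          # "[::1]:3306"
        return h[1:h.index("]")]
    if h.count(":") == 1:                       # "db.example.net:3306"
        return h.rsplit(":", 1)[0]
    return h                                    # plain name, path, or bare IPv6


def is_localhost(host: str) -> bool:
    """True when the host string points at the web server itself: a Unix
    socket path, a localhost name, or a loopback address (127/8, ::1)."""
    h = _bare_host(host)
    if h in LOCAL_NAMES or h.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def same_server(a: str, b: str) -> bool:
    """Two hosts count as one server if both are loopback or both normalise
    to the same name/address (DNS aliases are deliberately not resolved)."""
    if is_localhost(a) and is_localhost(b):
        return True
    return _bare_host(a) == _bare_host(b)


def evaluate(cfg: dict, now: datetime) -> dict:
    """Return {checklist item: True for pass, False for fail}, thread order."""
    primary, pk, stores = cfg["primary_db"], cfg["private_key_db"], cfg["stores"]
    keys_secondary = cfg["keys_in_secondary_db"]

    def every_store(pred) -> bool:
        return all(pred(s) for s in stores.values())

    def key_fresh(s) -> bool:
        return s["order_encryption"] and now - s["key_created"] < KEY_MAX_AGE

    def key_post_upgrade(s) -> bool:
        return s["order_encryption"] and s["key_created"] > cfg["last_upgrade"]

    return {
        "Primary Database not Located on Web Server": not is_localhost(primary["host"]),
        "Primary Database Password Encrypted": primary["password_encrypted"],
        "Private Keys Stored in Secondary Database": keys_secondary,
        "Private Key Database on Different Server Than Primary Database":
            keys_secondary and not same_server(pk["host"], primary["host"]),
        "Private Key Database Password Encrypted": pk["password_encrypted"],
        "Order Encryption Enabled For all Stores": every_store(lambda s: s["order_encryption"]),
        "Current Order Encryption Key Less Than 1 Year Old For all Stores": every_store(key_fresh),
        "Current Order Encryption Key Created Post-Upgrade For all Stores": every_store(key_post_upgrade),
    }


def failures(cfg: dict, now: datetime) -> list:
    """Names of the items that fail, in checklist order."""
    return [name for name, ok in evaluate(cfg, now).items() if not ok]


# Constructed configuration modelled on post #13: database and key store
# both on the web server, every other item already resolved.
NOW = datetime(2014, 1, 21, tzinfo=timezone.utc)
SHARED_HOST = {
    "primary_db": {"host": "localhost", "password_encrypted": True},
    "private_key_db": {"host": "127.0.0.1:3306", "password_encrypted": True},
    "keys_in_secondary_db": True,
    "last_upgrade": datetime(2013, 11, 1, tzinfo=timezone.utc),
    "stores": {"main": {"order_encryption": True,
                        "key_created": datetime(2014, 1, 20, tzinfo=timezone.utc)}},
}

# Same store after MySQL moves to a separate server; the key store stays
# on the web server, as post #12 allows (constructed hostname).
SEPARATE_DB = dict(SHARED_HOST, primary_db={"host": "db.example.net:3306",
                                            "password_encrypted": True})

# Post #3's situation: encryption on, but the key dates from 2010 (constructed date).
OLD_KEY = dict(SEPARATE_DB, stores={"main": {"order_encryption": True,
                                             "key_created": datetime(2010, 6, 1, tzinfo=timezone.utc)}})

if __name__ == "__main__":
    for label, cfg in (("shared host", SHARED_HOST), ("separate DB", SEPARATE_DB), ("2010 key", OLD_KEY)):
        print(f"{label}: fails = {failures(cfg, NOW) or 'none'}")
```

Running the script prints the failing items for each configuration: the shared-host layout fails only items 1 and 4, as in post #13; moving the database to its own server clears both, which is the "#2 would be solved by solving #1" of post #14; and a 2010 key fails items 7 and 8 even with encryption enabled, which is why the fix is an updated key rather than turning encryption off.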


                      #11
                      Re: encryption requirement and/or removal of encryption

                      Hi Rick: Thanks for the response. I've asked support to do #1. I am familiar with dBase from 30 years ago. Are we talking about some legacy file when you mention dbase, or is this shorthand for the site's database?
                      Regarding the encryption key wizard: I tried this on our dev site, but it didn't seem to fix any of the fails in the PA-DSS when I selected "leave keys in current location".
                      After that I was also confused about where the encryption key was to be stored. Is there a guide for this? I tried the MySQL storage but didn't have any idea what to use for the connection string or connection flags.
                      Still confused (as usual), Larry
                      Luce Kanun Web Design
                      www.facebook.com/wajake41
                      www.plus.google.com/116415026668025242914/posts?hl=en




                        #12
                        Re: encryption requirement and/or removal of encryption

                        I was using the term as shorthand for database, not dbase the standard.

                        The encryption key can be stored on the primary web server. It's the MySQL database that holds the rest of your data that needs to move to another server.
                        Thanks,

                        Rick Wilson
                        CEO
                        Miva, Inc.
                        [email protected]
                        https://www.miva.com



                          #13
                          Re: encryption requirement and/or removal of encryption

                          Hi Rick:
                          Making progress with this:
                          Support has provided this link regarding the PA-DSS checklist: https://support.mivamerchant.com/sup...icle/View/1063 It's very helpful.

                          Now I'm down to two PA-DSS fails:
                          1. Primary Database not Located on Web Server: Shows it is on localhost.
                          2. Private Key Database on Different Server Than Primary Database.

                          Support says that #1 requires a dedicated server. I would like a confirmation of that.
                          Support says that #2 will be resolved by using the Encryption Key Migration Wizard. I tried that and was unsuccessful.

                          Bottom line: Can I live with these two fails?

                          Larry
                          Last edited by wajake41; 01-21-14, 02:48 PM.
                          Luce Kanun Web Design
                          www.facebook.com/wajake41
                          www.plus.google.com/116415026668025242914/posts?hl=en




                            #14
                            Re: encryption requirement and/or removal of encryption

                            I can't answer about your willingness or ability to live with those 2 fails. We don't require you to solve them.

                            #2 would be solved by solving #1.
                            Thanks,

                            Rick Wilson
                            CEO
                            Miva, Inc.
                            [email protected]
                            https://www.miva.com



                              #15
                              Re: encryption requirement and/or removal of encryption

                              Hi Rick:
                              I'm guessing then that you are confirming that #1 requires a dedicated server, as I was told by Hostasaurus support.
                              Larry
                              Luce Kanun Web Design
                              www.facebook.com/wajake41
                              www.plus.google.com/116415026668025242914/posts?hl=en

