logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
Joe Payne2  
#1 Posted : Tuesday, September 15, 2020 8:00:24 AM(UTC)
Joe Payne2

Rank: Advanced Member

Groups: HelpDesk, Developers
Joined: 11/9/2018(UTC)
Posts: 564

Thanks: 122 times
Was thanked: 26 time(s) in 25 post(s)
It seems like after 13 years we'd be enabling the store security encryption by default by now. But even in 9.0.2 a fresh install does not have encryption enabled by default.

Why not?

I see no technical reason why it couldn't be turned on and seeded with a random GUID value immediately after install.

Too many merchants fail to realize the encryption must be specifically enabled before their various gateway credentials are actually secure in the store SQL database.

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Katie S  
#2 Posted : Monday, September 21, 2020 1:16:17 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 472

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Joe,

The process of creating an encryption key involves saving a physical file and putting it in a safe location. It's supposed to be handled only by certain individuals (e.g. owners, top-level people), per PA-DSS requirements.

I suppose it could be done, but it would add another complexity to the installation, and then it adds another layer of risk because the person installing the software is not typically the person authorized to handle key storage.

Again, PCI has very specific requirements on the encryption. We provide the warning immediately after installation, but it sometimes isn't enough for merchants to take action.

Enforcement seems like the best option.

Let me know what you think,

Katie
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
Joe Payne2  
#3 Posted : Tuesday, September 22, 2020 1:40:30 PM(UTC)
Joe Payne2

Rank: Advanced Member

Groups: HelpDesk, Developers
Joined: 11/9/2018(UTC)
Posts: 564

Thanks: 122 times
Was thanked: 26 time(s) in 25 post(s)
My thought is:

Enable the encryption using a random GUID value as the last step in the installation. And then change the existing reminder to enable encryption to a reminder to download the encryption key backup file. Ideally keep track of the last download date in store settings and remind admin users every 90 days.

As for complexity, it's one line of code to encrypt/recrypt the data. Shouldn't be an issue.

Since this is only for new installs, the performance impact will be zero. Even gateways aren't configured yet at that point in the install.

As for security, the installer would already have full access since they set both the first super user login and the SQL db credentials. But there's nothing yet to secure in the store since it's a fresh install.

Don't trigger a download after install. PA-DSS wouldn't like that I'm sure.

Katie S  
#4 Posted : Wednesday, September 23, 2020 12:47:45 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 472

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Joe,

This all seems very reasonable and certainly makes sense. I'll add it to Jira as a new feature request.

Thanks again,

Katie

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
Users browsing this topic
Guest (2)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.