This plugin will allow you to save credit card information so that you can process it offline through a credit card processing machine.
Features:
- Min Order Total
- Encryption
- No Open Cart System Files modified
- Has Credit Card validation built in
- Works Universally
Security:
The credit card information is split into 2 parts: one is sent to your email while the other is saved in the store. The version that is saved in the store is MCRYPT_RIJNDAEL_256 encrypted and base64 encoded, using a 40 character randomly generated key that is md5 hashed.
http://www.opencart.com/index.php?route ... order=DESC
If you have any option requests or questions, let me know here!
MD5 is still questionable regarding the produced result of this particular algorithm, but it is worth knowing whether the credit card information, by being split into 2 parts, is PCI compliant?
Dedication and passion go to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
MD5 is only used to hash the key that is used to decrypt the PAN (The CC number). Here is text from the PCI compliance check list.
2.3 Render PAN unreadable anywhere it is stored (including data on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key management processes and procedures.
Notes:
It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are generated by a payment application, additional controls should be in place to ensure that hashed and truncated versions cannot be correlated to reconstruct the original PAN.
The PAN must be rendered unreadable anywhere it is stored, even outside the payment application.
I believe this is accomplished in 2 ways: the first part of the credit card data is encrypted and not complete, so it's unreadable when stored. The second part of the credit card information is incomplete, and thus unreadable. It is also not stored after authorization (which should be the same day). So in this instance, 2 methods are being used, Strong cryptography and Truncation, both of which are listed above.
Obviously there are other things as a vendor you must do to keep compliant, such as using an SSL certificate, keeping access to the email and/or order to a minimum, generating a new key for the encryption after a month or so, and self PA-DSS scans (get the https://www.pcisecuritystandards.org/se ... =PCI%20DSS pdf and go through the list to make sure you are meeting all the criteria).
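As an added example, separate from the plugin and from the posts above, the following PHP script shows the two PA-DSS 2.3 approaches the thread relies on (truncation and strong cryptography with key management) done with current PHP primitives: a Luhn check before storage, a first-six/last-four truncated form for the order record, and AES-256-GCM for the full PAN with a key derived by HKDF from a secret held outside the database. It replaces the mcrypt/md5 scheme described in the first post: mcrypt was removed from PHP core in 7.2, md5 of the 40-character key yields only a 128-bit key, and Rijndael without an authentication tag gives no integrity check. The function names (luhnValid, truncatePan, vaultKey, storeCard, loadCard), the CARD_VAULT_MASTER_SECRET environment variable, and the test card number are assumptions constructed for this example.

```php
<?php
// Added example, not the plugin's code. Names and the environment variable
// are hypothetical; the card number is the standard Visa test number.
declare(strict_types=1);

// Luhn check, as a "credit card validation" step before anything is stored.
function luhnValid(string $pan): bool
{
    $digits = preg_replace('/\D/', '', $pan);
    $len = strlen($digits);
    if ($len < 12 || $len > 19) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = $len - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Truncated form (first six, last four): the readable part that the order
// record, the staff view and any email should carry instead of the full PAN.
function truncatePan(string $pan): string
{
    return substr($pan, 0, 6) . str_repeat('*', strlen($pan) - 10) . substr($pan, -4);
}

// Derive a 256-bit AES key from a high-entropy master secret with HKDF rather
// than md5(). The master secret is read from the environment (assumption: it
// is provisioned outside the web root and never written to the store's DB),
// which is what "associated key management" asks for; rotating it means
// re-encrypting the stored records under the new key.
function vaultKey(): string
{
    $master = getenv('CARD_VAULT_MASTER_SECRET');
    if ($master === false || strlen($master) < 32) {
        throw new RuntimeException('CARD_VAULT_MASTER_SECRET missing or too short');
    }
    return hash_hkdf('sha256', $master, 32, 'card-vault-v1');
}

// Encrypt the full PAN with AES-256-GCM: fresh random nonce per record plus an
// authentication tag, so a modified ciphertext is rejected on decrypt. The
// order id is bound as associated data so a blob cannot be moved to another
// order. Returns the record to persist (base64 so it fits a text column).
function storeCard(string $pan, int $orderId): array
{
    if (!luhnValid($pan)) {
        throw new InvalidArgumentException('PAN failed Luhn check');
    }
    $nonce = random_bytes(12);
    $tag = '';
    $cipher = openssl_encrypt($pan, 'aes-256-gcm', vaultKey(), OPENSSL_RAW_DATA, $nonce, $tag, (string) $orderId);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'order_id'  => $orderId,
        'pan_trunc' => truncatePan($pan),                     // readable, truncated
        'pan_enc'   => base64_encode($nonce . $tag . $cipher), // unreadable, encrypted
        // The card verification code (CVV2) is never stored in any form.
    ];
}

// Decrypt for offline processing. Returns null (never a wrong PAN) when the
// blob is malformed or the GCM tag does not verify.
function loadCard(array $record): ?string
{
    $blob = base64_decode($record['pan_enc'], true);
    if ($blob === false || strlen($blob) < 28) {
        return null;
    }
    $nonce  = substr($blob, 0, 12);
    $tag    = substr($blob, 12, 16);
    $cipher = substr($blob, 28);
    $pan = openssl_decrypt($cipher, 'aes-256-gcm', vaultKey(), OPENSSL_RAW_DATA, $nonce, $tag, (string) $record['order_id']);
    return $pan === false ? null : $pan;
}

// Constructed demo run: secret provisioned for this process only.
putenv('CARD_VAULT_MASTER_SECRET=' . bin2hex(random_bytes(32)));
$record = storeCard('4111111111111111', 1001);
echo $record['pan_trunc'], PHP_EOL;
var_dump(loadCard($record) === '4111111111111111');
$record['order_id'] = 1002; // blob copied to a different order: tag check fails
var_dump(loadCard($record));
```

The demo shows the three behaviours that matter for the thread's question: the stored record contains only the truncated form and an encrypted blob, the blob round-trips to the original PAN only with the key from the environment, and re-attaching the same blob to another order makes decryption fail instead of silently returning a card number. Deleting the encrypted blob once the card has been processed, as the author describes, then leaves only the truncated digits in the store.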