PCI compliance and DataPort app

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
paul.e.allen
Ensign (ENS)
Posts: 4
Joined: Mon Sep 21, 2009 6:40 am

PCI compliance and DataPort app

Post by paul.e.allen » Mon Sep 21, 2009 12:22 pm

One of the reasons we plan on using the hosted AbleCommerce solution is to avoid having to deal with PCI compliance issues ourselves. However, I just realized that installing and using the DataPort utility on a non-compliant machine (from a non-compliant network) may invalidate the compliance built into the AbleCommerce hosted solution.

Could anybody comment on this? Thanks.

I don't see a way to get the custom backend reports that I would like without either installing custom admin pages in our deployment or using the DataPort utility.

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: PCI compliance and DataPort app

Post by Logan Rhodehamel » Wed Sep 23, 2009 11:24 am

At first glance, this almost seems like a question only a qualified assessor could give a final answer on. But let me see if we can try to figure this out a little.

The first question would be, what kind of reports do you intend to run? I assume they are going to be order reports, but...

The second question would be, the machine that's downloading the data - is it going to be web facing? Accessible to incoming connections from the internet? Or is it going to be a private machine behind a firewall?
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

paul.e.allen
Ensign (ENS)
Posts: 4
Joined: Mon Sep 21, 2009 6:40 am

Re: PCI compliance and DataPort app

Post by paul.e.allen » Wed Sep 23, 2009 11:39 am

Logan_AbleCommerce wrote: The first question would be, what kind of reports do you intend to run? I assume they are going to be order reports, but...
Right, basically order reports, but as long as the reports don't include credit card numbers, they are kind of all the same, right?
Logan_AbleCommerce wrote: The second question would be, the machine that's downloading the data - is it going to be web facing? Accessible to incoming connections from the internet? Or is it going to be a private machine behind a firewall?
The machine that is downloading the data wouldn't be a server, but would be behind a firewall. However, it wouldn't be a PCI compliant machine, or on a PCI compliant network.

Thanks for any guidance you can provide.

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: PCI compliance and DataPort app

Post by Logan Rhodehamel » Tue Sep 29, 2009 9:25 am

I had to investigate this a little. From what I can see, PCI covers storage of cardholder data. The pieces of sensitive data which can be collected in AbleCommerce include the card number and the security code. Only the card number is ever recorded to the database, and you can even switch this off if you desire within our merchant admin.

If you choose not to store credit card numbers, it seems impossible for your download of the data to violate PCI as there is no storage of sensitive data.

If you choose to store credit card numbers, you must set an encryption key to be PCI compliant (as noted in the secure implementation guide). In that event, DataPort cannot access the card data. You can download it, but it's AES encrypted so the data looks like this:


          <Payment>
            <PaymentId>2</PaymentId>
            <OrderId>2</OrderId>
            <SubscriptionId>0</SubscriptionId>
            <PaymentMethodId>6</PaymentMethodId>
            <PaymentMethodName>Visa</PaymentMethodName>
            <ReferenceNumber>x1111</ReferenceNumber>
            <Amount>1190.00</Amount>
            <CurrencyCode>USD</CurrencyCode>
            <PaymentDate>2009-09-29T09:06:33</PaymentDate>
            <PaymentStatusId>0</PaymentStatusId>
            <PaymentStatusReason />
            <CompletedDate>0001-01-01T00:00:00</CompletedDate>
            <EncryptedAccountData>ewMDExbNCRw/5IcowYn/hVeIfaVGLlPZe3kiUGfpWkGE6hlLeRDVoie/riQKsltfZW4gcU48IPqQ7QSZCTpBAC5A5vrPq2K8+pP6TNLQ5g0C0mezWaZYmkL1npgnJDdZwPiCF6pyPGIJCvil56vCtpg5BkVqmzWm4s2N16oUd9c=</EncryptedAccountData>
            <ReCrypt>false</ReCrypt>
            <Transactions />
          </Payment>
I can't absolutely say that downloading of the encrypted data would make you subject to other PCI related rules - the ones related to your network security for example. That's a question only a qualified assessor could answer.

I would say the options are these:

1) create custom reports on the server.
- this is not without its own considerations... for example, if you customized a report so that it could be accessed by the public and showed credit card numbers, that would not be PCI compliant even if our software is PA-DSS certified.

2) Do not store credit card numbers
- the only drawback here is if there is a temporary issue with your realtime gateway, or something goes wrong during the transaction, you have to contact the customer to complete the order. But in this case, it becomes very hard to violate PCI compliance as we have no cardholder data to secure.

3) Download data and build reports locally
- The data download is secure in the sense that it's AES encrypted with a private key that only the server (and your authorized backup persons) have access to. It can't be read without that key. I'm not sure if that qualifies you as having access to cardholder data. But in any case, have you reviewed the self-assessment questionnaire for PCI?

For our upcoming version of DataPort, I am going to ask that we include an option to exclude the encrypted data from the download completely. That will take you back to option #2 with the dataport utility.
Cheers,
Logan

paul.e.allen
Ensign (ENS)
Posts: 4
Joined: Mon Sep 21, 2009 6:40 am

Re: PCI compliance and DataPort app

Post by paul.e.allen » Tue Sep 29, 2009 9:31 am

Thanks a lot for the info. Very helpful.

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: PCI compliance and DataPort app

Post by Logan Rhodehamel » Tue Sep 29, 2009 9:35 am

At the tail end I mentioned a new version of DataPort. I am going to have this feature change made today, so that orders can be downloaded while excluding the encryptedaccountdata field. I anticipate a new version of our dataport utility will be available within weeks.
Cheers,
Logan
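The two posts above describe the same idea from two sides: option #2 in the earlier reply (keep no cardholder data) and the planned DataPort change (download orders without the EncryptedAccountData field). The script below is an added example, not AbleCommerce or DataPort code, showing how a merchant could enforce that locally on a DataPort XML export before it leaves the hosted (compliant) side: drop the encrypted blob, then scan every remaining text value for a Luhn-valid 13 to 19 digit run so a customized report or a mis-stored field cannot smuggle a plaintext card number onto the reporting workstation. The <Payment> fields in the sample mirror the element quoted in the thread (the EncryptedAccountData value is the ciphertext blob shown there); the enclosing <Orders>/<Order>/<Payments> structure and the second order are hypothetical, and the plaintext number in order 3 is the standard Visa test number 4111111111111111, constructed to show what the scan catches.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export. <Payment> fields mirror the thread's example; the
# <Orders>/<Order>/<Payments> wrapper and order 3 are hypothetical. Order 3
# carries a plaintext test PAN (4111111111111111) so the scan has something to catch.
SAMPLE_EXPORT = """<Orders>
  <Order>
    <OrderId>2</OrderId>
    <Payments>
      <Payment>
        <PaymentId>2</PaymentId>
        <OrderId>2</OrderId>
        <PaymentMethodName>Visa</PaymentMethodName>
        <ReferenceNumber>x1111</ReferenceNumber>
        <Amount>1190.00</Amount>
        <PaymentDate>2009-09-29T09:06:33</PaymentDate>
        <EncryptedAccountData>ewMDExbNCRw/5IcowYn/hVeIfaVGLlPZe3kiUGfpWkGE6hlLeRDVoie/riQKsltfZW4gcU48IPqQ7QSZCTpBAC5A5vrPq2K8+pP6TNLQ5g0C0mezWaZYmkL1npgnJDdZwPiCF6pyPGIJCvil56vCtpg5BkVqmzWm4s2N16oUd9c=</EncryptedAccountData>
      </Payment>
    </Payments>
  </Order>
  <Order>
    <OrderId>3</OrderId>
    <Payments>
      <Payment>
        <PaymentId>3</PaymentId>
        <OrderId>3</OrderId>
        <PaymentMethodName>Visa</PaymentMethodName>
        <ReferenceNumber>4111111111111111</ReferenceNumber>
        <Amount>25.00</Amount>
      </Payment>
    </Payments>
  </Order>
</Orders>
"""

# Elements to drop before the file leaves the cardholder data environment.
SENSITIVE_TAGS = {"EncryptedAccountData"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not adjacent to
# other digits. Deliberately loose; the Luhn check removes the false positives.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def strip_sensitive_fields(root: ET.Element, tags=SENSITIVE_TAGS) -> int:
    """Remove every element whose tag is in `tags`; returns how many were removed."""
    removed = 0
    # Materialise the traversal first so removals cannot disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in tags:
                parent.remove(child)
                removed += 1
    return removed


def find_pan_like_values(root: ET.Element):
    """Return (tag, last4) for every Luhn-valid 13-19 digit run found in element text."""
    hits = []
    for elem in root.iter():
        for m in PAN_CANDIDATE.finditer(elem.text or ""):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((elem.tag, digits[-4:]))
    return hits


def sanitize_export(xml_text: str):
    """Strip the encrypted payment blob, then scan what is left for plaintext PANs.

    Returns (sanitized_xml, removed_count, pan_hits). A non-empty pan_hits means
    the file must not be moved off the compliant host until the source is fixed.
    """
    root = ET.fromstring(xml_text)
    removed = strip_sensitive_fields(root)
    hits = find_pan_like_values(root)
    return ET.tostring(root, encoding="unicode"), removed, hits


if __name__ == "__main__":
    sanitized, removed, hits = sanitize_export(SAMPLE_EXPORT)
    print(f"removed {removed} encrypted payment field(s)")
    for tag, last4 in hits:
        print(f"WARNING: Luhn-valid card number in <{tag}> ending in {last4}")
    if not hits:
        print("no plaintext card numbers found; export can go to the reporting box")
```

Run it on the compliant side, before the export is copied to the workstation, and treat any hit as a stop: the masked ReferenceNumber value (x1111) passes, the full test number in order 3 is reported. The scan only proves the absence of plaintext card numbers; whether handling the AES-encrypted blob itself puts the workstation in scope is the assessor question Logan raises, which is why the blob is dropped rather than carried along.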

loumay
Ensign (ENS)
Posts: 1
Joined: Fri Nov 18, 2011 4:43 pm

Re: PCI compliance and DataPort app

Post by loumay » Fri Nov 18, 2011 5:28 pm

Thanks for the information guys, this is really useful and good to know for newbies like myself.

Lou

rymay
Ensign (ENS)
Posts: 5
Joined: Fri Nov 18, 2011 4:58 pm

Re: PCI compliance and DataPort app

Post by rymay » Fri Nov 18, 2011 9:49 pm

loumay wrote:Thanks for the information guys, this is really useful and good to know for newbies like myself.

Lou

I second that. Don't worry you're not the only newb here. :)
