Scope of encryption

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
ojjuan
Ensign (ENS)
Posts: 4
Joined: Mon Dec 20, 2010 12:09 am

Scope of encryption

Post by ojjuan » Mon Dec 20, 2010 12:18 am

A question about the scope of data encryption...

If an encryption key is configured but I am NOT storing any credit data, is there any other data that is encrypted? If not, then I assume it is fine not to set an encryption key and this should not impact PCI compliance (other requirements aside).

Thanks

ojjuan
Ensign (ENS)
Posts: 4
Joined: Mon Dec 20, 2010 12:09 am

Re: Scope of encryption

Post by ojjuan » Mon Dec 20, 2010 10:41 pm

A couple other questions

1. If an encryption key is set, can the DB ever be reset to no longer use an encryption key? The use case would be if cc numbers are initially stored but business requirements change later and the encryption is no longer required.

2. The encryption key instructions are a little unclear to me for the section on backup key restoration. It says:
"The key currently being used will be replaced with the backup"
If I understand this correctly, this section (Restore Encryption Key) is actually for when you want to restore a db that has been encrypted. Is the intent of the above explanation meant to indicate, for example, that if you move the db to a new AC instance, no encryption key would be set, so you would need to restore the data by loading the backup keys? Is this the right way of interpreting this? So while I may technically be restoring the key, what I really would be intending to do is restore my access to the data.

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Scope of encryption

Post by Logan Rhodehamel » Tue May 17, 2011 12:02 pm

There are some other areas where the encryption key is used. An example I can think of off hand is in the CAPTCHA images. If you don't set an encryption key, the answer to the captcha appears in clear text in the image link.

It's not well documented, but in the field where you type random text to change your key, you can type DECRYPT and it will undo the encryption.
Cheers,
Logan

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
