Credit Card Encryption/Decryption

[redrisk@coleman.com]

Our store accepts credit cards and these card numbers must be encrypted as dictated by PCI guidelines. We also have to temporarily decrypt our card numbers to pass to our back office system.

I have added an encryption key to my store and things are being encrypted now. Is there any method in 7.0.3 to programatically decrypt those using our encryption key?

If not, I will need to add custom encryption to the store so that I can have the ability to encrypt and decrypt both in and out of the AbleCommerce store. If this is what needs to be done can you tell me if there is a way to turn off the encryption in my store after a encryption key has been added?

[Logan Rhodehamel]

I think you want the function CommerceBuilder.Utility.EncryptionHelper.DecryptAES(your_encrypted_string).

[redrisk@coleman.com]

Thanks Logan. If I am writing a console application outside of the AbleCommerce store how do I let my application know which store I am dealing with? I saw functions that would return the encryption key and the the decryptaes was overloaded to accept that key but I don't know how to tell my app which store I am working with?

I hope that made sense. I wrote a simple C# console app and referenced the commercebulder.dll from our development install, it just returns the same string when I use the decryptaes function.

[Logan Rhodehamel]

Hmm... this could be tricky. CommerceBuilder is strongly associated with the ASP.NET context - many functions are going to rely on http/web context. DecryptAES has an overload that accepts a byte array. This is the one you would have to use.

But this is where the tricky part is. The byte array key is one of the data elements in App_Data/encryption.config for your store. Will you be able to access that from your console app?

[redrisk@coleman.com]

Logan,

I am not having any luck. I am running the console app on the same server as my website so have access to everything but even when I pull the string out of the encryption.config and convert it to a byte array and hard code an ecrypted value from the database the DecryptAES function is just returning the same string.

I may need to do some custom encryption. Is there a way to disable the encryption on the site once it is turned on?

Thanks

[Logan Rhodehamel]

but even when I pull the string out of the encryption.config and convert it to a byte array and hard code an ecrypted value from the database the DecryptAES function is just returning the same string.

What do you see in side the encryption config file? Do you see something like <encryptionKey keyData="...

[redrisk@coleman.com]

No, it looks like below, I have replaced the long text string with ...

<encryption configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>...</CipherValue>
</CipherData>
</EncryptedData>
</encryption>

[Logan Rhodehamel]

The file is encrypted by ASPNET. In order to read the values from another application, you would have to decrypt the file.

http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

Perhaps a quick alternative method would be to construct a temporary ASPNET page that calls EncryptionHelper.GetEncryptionKey. That returns a byte array with your encryption key. You could then convert that to a base 64 value and print to the page. Then you could copy it and hardcode it into your application.

There is not a safe way to disable our encryption.