Topic
2 replies Latest Post - ‏2013-02-04T11:28:18Z by LindyHopper
SystemAdmin
SystemAdmin
8614 Posts
ACCEPTED ANSWER

Pinned topic Credit card number encryption

‏2013-01-29T22:42:51Z |
Hi,

Whenever we are using a credit card number in WCS the first 12 characters of the card number are getting hidden when transferred to SAP for Inventory processing. Is there any way to not encrypt the credit card number so that the entire 16 digit number is passed to SAP? Also, where these data stored in db?
Updated on 2013-02-04T11:28:18Z at 2013-02-04T11:28:18Z by LindyHopper
  • Raj.S
    Raj.S
    427 Posts
    ACCEPTED ANSWER

    Re: Credit card number encryption

    ‏2013-01-30T05:45:39Z  in response to SystemAdmin
    Hi,

    You will have to exclude the keyword "account" from getting masked, which can be done in PaymentSystemPluginMapping.xml. The below link would help you with granular details.

    http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/topic/com.ibm.commerce.payments.events.doc/refs/rppppcmapper.htm
    Please make sure your application is complaint to PCI regulations before making any such changes to the sensitive data.

    Reference : http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/topic/com.ibm.commerce.pci.doc/concepts/csepcioverview.htm
    Rgds,Raj.
    • LindyHopper
      LindyHopper
      17 Posts
      ACCEPTED ANSWER

      Re: Credit card number encryption

      ‏2013-02-04T11:28:18Z  in response to Raj.S
      I'd have thought turning off encryption in that manner would be deeply unwise.

      Instead I would suggest, decrypting the ACCOUNT value using WCS decryption and immediately re-encrypt it using a shared key with the SAP system, so it remains securely encrypted throughout the transfer. Data in ORDPAYINFO is encrypted using the merchant key etc and can be decrypted in the same way.

      I feel sure that sending an unencrypted credit card number between systems would not be PCI compliant, leaving the company open to massive fines if data gets leaked.

      Regards.