Displaying credit card numbers
Credit card numbers should be displayed only to users who have permission to see them.
Therefore, when you build a custom screen that displays credit card numbers, follow these rules so that this protection is maintained:
- The CurrentUser namespace contains the attribute ShowCreditCardInfo under the User node. This attribute is true if the currently logged-in user has permission to see the credit card number and false if the user does not have that permission.
- APIs that return a credit card number normally return it in encrypted form. These APIs also return a DisplayCreditCardNo attribute that contains only the last four digits of the credit card.
- Use the DisplayCreditCardNo attribute in conjunction with the showEncryptedCreditCardNo() JSP function to initially show the credit card number as asterisks (*) followed by the last four digits.
- Form a hyperlink on the credit card number that is rendered only if the logged-in user has permission to see decrypted credit card numbers. For example:
  <% if (userHasDecryptedCreditCardPermissions()) { %>
    <yfc:makeXMLInput name="encryptedCCNoKey">
      <yfc:makeXMLKey binding="xml:/GetDecryptedCreditCardNumber/@EncryptedCCNo" value="xml:/PaymentMethod/@CreditCardNo"/>
    </yfc:makeXMLInput>
    <td class="protectedtext">
      <a <%=getDetailHrefOptions(decryptedCreditCardLink, getParameter("encryptedCCNoKey"), "")%>>
        <%=showEncryptedCreditCardNo(resolveValue("xml:/PaymentMethod/@DisplayCreditCardNo"))%>
      </a>
    </td>
  <% } else { %>
    <td class="protectedtext">
      <%=showEncryptedCreditCardNo(resolveValue("xml:/PaymentMethod/@DisplayCreditCardNo"))%>
      <yfc:getXMLValue binding="xml:/PaymentMethod/@DisplayCreditCardNo"/>
    </td>
  <% } %>
- Then create a pop-up window that opens when the hyperlink is clicked.
- Call getDecryptedCreditCardNumber() in the pop-up window to decrypt the credit card, passing the DisplayFlag attribute as true if the currently logged-in user has permission and false if the user does not.
- Use the output of getDecryptedCreditCardNumber() to display the decrypted credit card number on the screen.
When you configure the getDecryptedCreditCardNumber() API for your screen through the Applications Manager, you must specify a dynamic input so that the DisplayFlag attribute passed to the API is derived from the current user's permissions rather than hard-coded. Here is an example of how you could specify the Input field:
<GetDecryptedCreditCardNumber
DisplayFlag="xml:CurrentUser:/User/@ShowCreditCardInfo"
EncryptedCCNo="xml:/Order/PaymentMethods/PaymentMethod/@CreditCardNo"/>
And specify the Template field according to the following example:
<GetDecryptedCreditCardNumber DecryptedCCNo=""/>
Displaying multiple credit card numbers
When displaying credit card numbers in a list, you might choose to display the DisplayCreditCardNo attribute, which is returned by every API that outputs CreditCardNo.
To prefix the last four digits with asterisks, use the DisplayCreditCardNo attribute together with the showEncryptedCreditCardNo() method.
Displaying a list of decrypted credit card numbers requires calling getDecryptedCreditCardNumber() once per row, in a loop. This can be an expensive operation, so you may prefer to display the list in masked form (shown as **********1234) by using the DisplayCreditCardNo attribute, which all APIs that output CreditCardNo return. Then link each masked credit card number to a pop-up window that displays that one credit card number in decrypted form.
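The following Python model of the single-card procedure and of the masked-list pattern above is an added example, not code from the product or from this page. It assumes CurrentUser and PaymentMethod are dicts mirroring the XML attributes the page names, uses constructed sample data, and takes the ten-asterisk mask width from the page's "**********1234" illustration.

```python
import xml.etree.ElementTree as ET

# Mask width follows the page's "**********1234" illustration; assumed, not an API contract.
MASK = "*" * 10

# Constructed sample data (not real card data): one user without and one with the permission.
VIEWER = {"User": {"ShowCreditCardInfo": "false"}}
AUDITOR = {"User": {"ShowCreditCardInfo": "true"}}
PAYMENT_METHOD = {"CreditCardNo": "ENC:opaque-ciphertext", "DisplayCreditCardNo": "1234"}


def show_encrypted_credit_card_no(display_cc_no):
    """Python stand-in for showEncryptedCreditCardNo(): asterisks plus the last four
    digits. DisplayCreditCardNo already holds only those digits, so nothing else
    from the card number is ever placed in the page."""
    last4 = (display_cc_no or "")[-4:]
    return MASK + last4 if last4 else ""


def user_has_decrypted_cc_permission(current_user):
    """Read CurrentUser:/User/@ShowCreditCardInfo; anything but "true" is denied."""
    flag = current_user.get("User", {}).get("ShowCreditCardInfo", "false")
    return str(flag).lower() == "true"


def render_cell(current_user, payment_method):
    """What a list row should emit: always the masked value, and a decrypt link only
    for permitted users. The encrypted CreditCardNo is used only as the link key."""
    masked = show_encrypted_credit_card_no(payment_method.get("DisplayCreditCardNo", ""))
    permitted = user_has_decrypted_cc_permission(current_user)
    return {"text": masked, "link_key": payment_method.get("CreditCardNo") if permitted else None}


def build_decrypt_input(current_user, encrypted_cc_no):
    """Build the GetDecryptedCreditCardNumber input for the pop-up, with DisplayFlag
    derived from the user's permission as the dynamic input on the page does."""
    el = ET.Element("GetDecryptedCreditCardNumber")
    el.set("DisplayFlag", "true" if user_has_decrypted_cc_permission(current_user) else "false")
    el.set("EncryptedCCNo", encrypted_cc_no)
    return ET.tostring(el, encoding="unicode")


def audit_decrypt_input(input_xml, current_user):
    """Check a screen's resolved input before it reaches the API: DisplayFlag must
    equal the current user's permission, so a hard-coded "true" is caught."""
    el = ET.fromstring(input_xml)
    expected = "true" if user_has_decrypted_cc_permission(current_user) else "false"
    return el.tag == "GetDecryptedCreditCardNumber" and el.get("DisplayFlag") == expected
```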