Credit Card Number Security

Hi all. I'm just getting started with an evaluation of nopCommerce and was browsing the application structure. I was especially interested in how credit card information was managed and secured by the application. There were a couple of things that I noted that concerned me a  bit. I was hoping that the community might comment on them:

1) Per PCI DSS 1.1, storage of CVC2/CVV2/CID is not allowed, even in encrypted format. I noted that on the Nop_Order table CardCVV2 is stored

2) TripleDES is used to encrypt card information but the private key is stored in the same database as the card information, which although not explicitly violating PCI, would appear to be a poor key management approach.

Please note that I'm not bashing here I think this is a wonderful application with lots and lots of potential. I'm more interested in if anyone else sees the above as concerns and if so, thoughts on approaches for addressing those concerns.

-Ed

1) CVV is stored only for "Manual Processing" payment method.
2) The private key is not stored in the same database. It's stored in web.config

Thanks for the update. I can see now the storage of CVV2 for manual processing as tested againstr a PayPal sandbox account. However, the encryption key appears to be stored in Nop_Setting table as Security.EncryptionPrivateKey and retrieved via the settings manager. Where in web.config is it located?

-Ed

Sorry. You're aboslutely right. Encyption key is stored in the database.

IMO getting some certification behind nopCommerce should be on the roadmap.  I really like the app much better than most of the others out there, but many of our clients specify PCI certification, PA-DSS, etc.  If we had some certification to show clients, we'd drop ASPDotNetStorefront in a heartbeat.

While having the ability to change the private key from within the admin console is convenient, what is the impact to changing it when you already have encrypted data?  Does the system go through, unencrypt using the old key and reencrypt with the new?  Or do you instantly lose access to all of that data?

just tried it and basically it re-encrypted everything (at least on the card number field). The data was not corrupted.

a.m. wrote:

Currently I can only accept payments using "Manual Processing".  In order for me to become PCI compliant it would be great if the CVV was deleted from the database after the order has been processed.

Is it in the roadmap to allow the adminstrator the option of having the CVV deleted after the order is marked Paid? Shipped? Delivered?

Thank you for all your efforts!

POOHYEAGER wrote:
Thanks for suggestion. I've just created a work item for this task

I wanted to add some input to this topic.

We use manual processing on our current solution, LaGarde StoreFront.

One feature we like, is that all credit card information is encrypted in the database.

In order for us to see it (while processing the order) we must enter a private key.

After finishing with the order and signing out, it's back to being encrypted.

Another feature they offer is the ability to have all credit card info removed on a schedule.  Like, "remove CC info after 1 week" or 30 days, etc.

In order to qualify for some certifications, you need to store no card information at all.

Just another suggestion, for this great product.

David