Announcement
Collapse
No announcement yet.
How secure is the mivadata directory?
Collapse
X
-
I am not using nor referring to the merchdb.dat file or Miva Merchant. But you bring up a good point...Last edited by wmgilligan; 01-10-18, 09:44 PM.
-
and... stop using FTP, go for SFTP
Default FTP uses unencrypted passwords to connect.
Leave a comment:
-
Originally posted by wmgilligan View PostThanks Jonathon, Hostasaurus. In my case, no stores involved - strictly MivaScript. I am assuming the PA-DSS would encrypt because anyone with FTP access could get that file. But if FTP access is limited, then no real need to encrypt?
My concern is not so much a person getting ftp access (very limited in the situation I am looking at), but rather someone hacking via the web, etc - and getting access to it.
Generally, Miva Merchant is run under an Empresa running as the user associated with the site, and PHP apps often are run the same way, so it's important the merchdb.dat be encrypted because a hacked php app could potentially read into the miva data directory and/or that file if there aren't other restrictions in place on where the php app can get to.
Leave a comment:
-
Anything that can be uniquely identified or triangulated to a person, so an email for sure, as well as Name, Address Phone number among other things. Err on the side of caution if you're unsure.
Leave a comment:
-
This brings up an interesting aspect. What is considered PII? Is it simply credit card info, or is the email of a customer? What about the name and physical address of where an order is going, or billed? For the record - I am not looking at storing this info, I am just curious as to what should be encrypted both in the mivadata directory, and elsewhere. We all understand that credit card data must be, and SS#, and the like must be. But what about a file in this directory (or a field in a database) that lists a name and address? Is my Contact List on my local MAC encrypted? Should it be? If I stored that file in the mivadatadir, should it be? If I put that info in a database for later use on another computer - should it be? At what point is PII no really Personally Identifiable Info?
Leave a comment:
-
It all depends on what data you're talking about storing in there. Anything that's personally identifiable data (such as customer order data) should be encrypted.
Leave a comment:
-
Thanks Jonathon, Hostasaurus. In my case, no stores involved - strictly MivaScript. I am assuming the PA-DSS would encrypt because anyone with FTP access could get that file. But if FTP access is limited, then no real need to encrypt?
My concern is not so much a person getting ftp access (very limited in the situation I am looking at), but rather someone hacking via the web, etc - and getting access to it.
Leave a comment:
-
The proper security setup should be Empresa running as CGI or FastCGI, under suexec or equivalent so it is executing as the user associated with the website in question. Then, mivadata, and all directories contained within it, should be permissions 700, and all files contained within it should be 600. Typically the only thing of any real importance in it will be the merchdb.dat file which contains the database credentials the store uses to talk to its database. Those should be encrypted, but if they're not, the store's PA-DSS wizard can be run which will re-encrypt them. Of slightly lesser importance, but not something to be overlooked, would be any leftover export or import files left under the mivadata/Merchant5/s01/export/ or upload directories from past imports or exports, which may contain customer data (but not payment data unless something very bad was done via third party module). Those should be looked for and cleaned periodically.
Leave a comment:
-
Very. Apache (and the public) cannot reach it publicly; only Empresa can. Its very handy that way and one of the stellar elements of Miva Empresa which keeps me coming back year after year. Only reason (for me) to encrypt anything in the /mivadata folder would be to protect it from FTP access - IF the ftp server app allows access to that folder.
Leave a comment:
-
How secure is the mivadata directory?
Just curious - how safe is the mivadata directory considered?
The one I am asking about is located outside the html directory, so not accesible via the web.
But - is it considered secure? What is safe to be stored there? Should everything be encrypted?Tags: None
Leave a comment: