Re: Further Detail

You create the keys initially using the Order Encryption menu in the orders area.

Re: Further Detail

Do I need to create the keys before I install the wizard update or can I do it later? Also, just to be clear, my primary database is MySql not MivaSql.

Re: PR7 Module-kmwizard-1 has been released

You can do it in either order; the wizard can switch where the keys will be stored if they dont exist, or it will move existing ones.

Re: PR7 Module-kmwizard-1 has been released

We just ran the key migration wizard and received the following error:

*****

Miva Merchant has encountered a fatal error and is unable to continue. The following information may assist you in determining the cause of the error:

Error Code: MER-WIZ-KMW-00003
Description: Database type 'MivaSQL' is unsupported or not configured Other Information:

*****

We have a primary MySQL database and have been unencrypted until now.

Prior to running the wizard we created a new encryption key to fix those errors on the PA-DSS checklist.

We also cannot find how to encrypt the database password or the user passwords.

Any help?

Re: PR7 Module-kmwizard-1 has been released

The error message indicates your site was perhaps set up for mySQL, but not MivaSQL (aka: DBF database format). Look through your mivavm.conf file and see if you have that defined, and if the library is indeed in the correct path:

<DATABASE-LIB METHOD="mivasql" LIBRARY="/server_path/mivasql.so">

Re: PR7 Module-kmwizard-1 has been released

Thanks for the information.

However, I cannot find a mivavm.conf file on our site. Perhaps it is configured by the host?

In any case, I did find a miva.conf file that doesn't show mivasql as ever being installed, it was renamed during the wizard run:

****

AddType application/x-httpd-Miva .mv
AddType application/x-miva-compiled .mvc
Action application/x-miva-compiled /cgi-bin/mivavm
Action application/x-httpd-Miva /cgi-bin/miva
SetEnvIf Request_URI admin\.mvc HTTPS=on
SetEnvIf Request_URI admin\.mv HTTPS=on
SetEnvIf Request_URI merchant\.mvc HTTPS=on
SetEnvIf Request_URI merchant\.mv HTTPS=on
# BEGIN MIVA 5 INSTALL
SetEnv MvCONFIG_DIR_MIVA /var/www/html
SetEnv MvCONFIG_DIR_DATA /usr/home/electricmotorsite/htsdata
SetEnv MvCONFIG_DIR_BUILTIN /usr/local/miva/lib/builtins
SetEnv MvCONFIG_DIR_CA /usr/local/miva/certs
SetEnv MvCONFIG_SSL_OPENSSL /lib/libssl.so
SetEnv MvCONFIG_SSL_CRYPTO /lib/libcrypto.so
SetEnv MvCONFIG_DATABASE_MySQL /usr/local/miva/lib/databases/mysql.so
SetEnv MvCONFIG_COMMERCE_CyberCash /usr/local/lib/mivalibs/cybercash.so
SetEnv MvCONFIG_COMMERCE_AuthorizeNet /usr/local/lib/mivalibs/authnet.so
SetEnv MvCONFIG_COMMERCE_LinkPoint /usr/local/lib/mivalibs/linkpoint.so
SetEnv MvCONFIG_COMMERCE_UPSRSS /usr/local/lib/mivalibs/upsrss.so
SetEnv MvCONFIG_COMMERCE_ICS2 /usr/local/lib/mivalibs/ics2.so
# END MIVA 5 INSTALL

****

Where would the mivavm.conf file be located??

Thank you,

Tom McLean

Re: PR7 Module-kmwizard-1 has been released

This Wizard will encrypt the database password automatically and simply update the passwords to encrypt them.

Re: PR7 Module-kmwizard-1 has been released

Rick,

The wizard crapped out per my earlier message.

Our store was set up initially as MySql only, it appears MivaSql is not configured.

What do I need to do to resolve this?

Thank you,

Tom McLean

Re: PR7 Module-kmwizard-1 has been released

Contact your host.

Re: PR7 Module-kmwizard-1 has been released

Tom,

After researching your host I'm going to strongly suggest moving hosts, you'll never get proper Miva Merchant support with them.

Re: PR7 Module-kmwizard-1 has been released

Rick,

I just received your message regarding our host, and I am coming to that same conclusion, although it doesn't seem right that we should have to go through all of the effort and cost to do so just because of these new 'orders' from the banks. We don't store any payment data on our site but the general site and database configuration requirements appear to be the stumbling blocks.

We will look for a new host, however our concern is how to confirm the hosts that ARE compliant. Is there any sort of list showing who has been verified to be compliant?

As for some other issues, there is very little documentation for the new features in the PR7 release as far as we can find. Any time we look for 'help' it comes up with the original 5.5 documentation with no mention of the new features and how they work.

It would be very good idea for Miva to release a revised set of documentation that covers all of the new features. We noticed some of the information in threads on the forums, but there needs to be a central location for up to date documentation.

Regards,

Tom McLean

Re: PR7 Module-kmwizard-1 has been released

Tom,

I can shed some light on why the struggle, but first id need to know what payment gateway do you use?

Have you watched our videos at vimeo.com/mivamerchant?

Finally any of the Premier Hosts can configure a compliant setup.

Re: PR7 Module-kmwizard-1 has been released

Rick,

We use Paypal website payments pro, which in their terms of service require us to be PCI-DSS compliant. Have used them since our Miva site went live in 2006 without any problems.

I believe Westhost was a premiere host when we went with them back in 2004, they at least were fully in bed with Miva at the time. They have dropped Miva as their new 4.0 platform apparently doesn't work well with Miva.

We haven't had any issues with them regarding Miva or anything else (I guess until now), and it seems to me that the issues for site configuration compliancy will apply to any other shopping carts they host so it shouldn't be a big deal even with Miva.

Our immediate need is to solve the problems that are under our control and then address the ones we can't control. We hoped to use the 'key migration wizard' to fix the private keys database but apparently don't have MivaSQL configured so it won't work.

Shouldn't at least for the short term we try to get the MivaSQL with Westhost configured to solve this immediate problem?

Regards,

Tom McLean

Re: PR7 Module-kmwizard-1 has been released

Tom,

Everyone with a Merchant Account must be PCI-DSS compliant as per the terms of service, however with Website Payments Pro, all processing and connection to the credit card number happens off site and you don't have to get our PA-DSS checklist all green. I would however recommend completing the task as it will generally provide you with a greater level of security than not doing it.

The PA-DSS Checklist is only a tool for assisting in general guidance about obvious red flags with someones setup.

For people using:

Credit Card with Simple Validation
Innovative Gateway Solutions
CHASE Paymentech Orbital
Authorize.net
PayFlow Pro
First Data Global Gateway

Going through the Product Implementation Guide and getting all green lights is a part of achieving PCI-DSS compliance.

For customers using:

PayPal Website Payments Standard
PayPal Website Payments Pro
PayFlow Link
Checkout by Amazon
Google Checkout
Check
COD

There is no card holder data ever available on the server and it is considered "outsourced" to the provider (or in the cases of Check and COD non existent) and therefore our product is not in the scope of your PCI-DSS Compliance.

However things to consider, let's say you get a chargeback while using PayPal Website Payments Pro (since I don't have one of those specific accounts, I'm not sure what you'd receive) normally you'd receive a letter in the mail with a copy of the credit card number in dispute. NOW YOU ARE STORING CREDIT CARD DATA WHETHER YOU LIKE IT OR NOT and still fall under an SAQ-D for PCI-DSS Compliance instead of the SAQ-A for fully outsourced merchants.

As for WestHost, Miva Merchant can work fine on their platform if they'd choose to support it. They made a business decision to stop supporting us when we repaired our business model a couple years back and have essentially turned their back on our mutual customers.

It's up to you if you'd like to stick it out with them, however as standards of operations in ecommerce continue to become more stringent with both PCI rules as well as PII (Personally Identifiable Information) Laws popping up around the country, my suspicion is the little cost you'd incur by moving (if you're on a "normal" plan, probably an additional $20 per month, with no downtown, other costs or hassles to move is what it would take to move to a high quality Premier host).

Finally in 2006 prior to our purchasing of the company the only thing it took to be on the Premier list was a checkbook. Today it's by invitation only and something that's being consistently monitored and in some cases trimmed. So for someone to have been a Premier back then was meaningless, today it means something.

Re: PR7 Module-kmwizard-1 has been released

Try adding:

SetEnv MvCONFIG_DATABASE_MivaSQL /usr/local/miva/lib/databases/mivasql.so

to the config and restarting the web server and see if that works.