PR6 Encryption and PCI/PA-DSS


    #16
    Re: PR6 Encryption and PCI/PA-DSS

    I haven't forgotten this post. I moved it to its own thread and will work with Jon to address it on Monday.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #17
      Re: PR6 Encryption and PCI/PA-DSS

      Great Rick. Just to be clear, it's two separate issues:

      1.) Availability of payment data in fulfillment module.
      2.) Access to database credentials now encrypted in merchdb.dat

      Thanks,

      Per



        #18
        Re: PR6 Encryption and PCI/PA-DSS

        Any news on this?

        Best,

        Per



          #19
          Re: PR6 Encryption and PCI/PA-DSS

          Rick,
          You moved this to a new thread. Can you post the link to that thread here?



            #20
            Re: PR6 Encryption and PCI/PA-DSS

            http://extranet.mivamerchant.com/for...825#post103825
            Thanks,

            Rick Wilson
            CEO
            Miva, Inc.
            [email protected]
            https://www.miva.com



              #21
              Re: PR6 Encryption and PCI/PA-DSS

              Per,

              So here are the answers you've been waiting for:

              1. On an upgrade to PR6 we don't add the encryption, so you can upgrade without breaking anything.

              2. If you needed to set this up on a brand new installation of PR6, after running setup you could manually edit merchdb.dat and replace the encrypted password with an unencrypted password.

              Both of the above would violate our PA-DSS Installation Procedures and Guide that will be coming out when our certification is final, but that is a choice you're welcome to make. If your current merchant provider is happy with your current proof of PCI compliance, you can opt to skip setting up the software as we recommend for PA-DSS compliance.
              Thanks,

              Rick Wilson
              CEO
              Miva, Inc.
              [email protected]
              https://www.miva.com



                #22
                Re: PR6 Encryption and PCI/PA-DSS

                Is that what the SHA1 indicates... whether the store should decrypt or not?

                So if I ever update from the admin... then I will need to manually edit the merchdb.dat again each time?

                I would prefer to be able to access the decryption function, it is available on the command line of an Apache server via an exec statement to Empresa?



                  #23
                  Re: PR6 Encryption and PCI/PA-DSS

                  So if I ever update from the admin... then I will need to manually edit the merchdb.dat again each time?
                  No, not at all. Miva Merchant does not require the database password to be encrypted. PA-DSS Certification requires it so we've made it the default behavior.

                  You can just delete the encrypted password, use the plain text password and all will work going forward.
                  Thanks,

                  Rick Wilson
                  CEO
                  Miva, Inc.
                  [email protected]
                  https://www.miva.com
