Just starting down the path of PCI, so when I know more I will let the list
know. I was more thinking of getting compliance by moving the storage of credit
cards out of the database and into the payment processor's servers (secure
storage based on tokens).


On 01/04/2009 03:35, "BJ Freeman" <bjf...@free-man.net> wrote:

I am wondering how a PCI audit might view having certificates and login
info in a database.
I know that securing the database is one option. There has been an effort
to beef up security through ofbiz.
Just something to consider.
I have no info one way or the other.

Marco Risaliti sent the following on 3/31/2009 10:17 AM:
> Anyway I made a mistake in the above example because Payflow Pro is a
> credit card payment gateway and so a new payment
> method type (EXT_PAYFLOW) is not necessary.
> So the corrected example is the following:
>
> <entity-engine-xml>
>     <EnumerationType enumTypeId="PGW_CODE" hasTable="N"
> description="Payment Gateway"/>
>
>     <Enumeration enumId="PGW_PAYFLOWPRO" enumTypeId="PGW_CODE"
> enumCode="PAYFLOWPRO" sequenceId="1" description="Payflow Pro"/>
>
>     <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_TEST"
> paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for test"/>
>     <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_PROD"
> paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for
> production"/>
>
>     <PayflowPro payflowProId="PAYFLOW_TEST"
> paymentGatewayConfigId="PAYFLOW_TEST"
> certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
> hostAddress="test-payflow.verisign.com" hostPort="443"
> vendor="TestVendor" userId="TestUserID" pwd="TestPassword"
> partner="TestPartner" checkAvs="Y" checkCvv2="Y" preAuth="Y"
> enableTransmit="Y"/>
>     <PayflowPro payflowProId="PAYFLOW_PROD"
> paymentGatewayConfigId="PAYFLOW_PROD"
> certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
> hostAddress="payflow.verisign.com" hostPort="443" vendor="ProdVendor"
> userId="ProdUserID" pwd="ProdPassword" partner="ProdPartner"
> checkAvs="Y" checkCvv2="Y" preAuth="Y" enableTransmit="Y"/>
>
>     <ProductStorePaymentSetting productStoreId="9000"
> paymentMethodTypeId="CREDIT_CARD"
> paymentServiceTypeEnumId="PRDS_PAY_AUTH"
> paymentService="payflowCCProcessor"
> paymentGatewayConfigId="PAYFLOW_TEST" paymentPropertiesPath=""
> applyToAllProducts=""/>
> </entity-engine-xml>
>
> Thanks
> Marco
>
>
> On 31 Mar 09, at 15:12, mrisal...@libero.it wrote:
>
>> Hi David,
>>
>> thanks a lot for your great analysis help on this, I have now
>> understood what you mean after trying those new entities.
>> Also I prefer now to implement those specific entities instead of
>> generic ones.
>>
>> If I understood correctly it could be something similar to the
>> following examples:
>>
>> <entity entity-name="PaymentGatewayConfig"
>>        package-name="org.ofbiz.accounting.payment"
>>        title="Payment Gateway Configuration">
>>    <field name="paymentGatewayConfigId" type="id-ne"></field>
>>    <field name="paymentGatewayTypeId" type="id-ne"></field>
>>    <field name="description" type="very-long"></field>
>>    <prim-key field="paymentGatewayConfigId"/>
>>    <relation type="one" fk-name="PGC_ENUM" rel-entity-name="Enumeration">
>>    <key-map field-name="paymentGatewayTypeId" rel-field-name="enumId"/>
>>    </relation>
>> </entity>
>> <entity entity-name="PayflowPro"
>>        package-name="org.ofbiz.accounting.payment"
>>        title="Payflow Pro Payment Gateway Configuration">
>>    <field name="payflowProId" type="id-ne"></field>
>>    <field name="paymentGatewayConfigId" type="id-ne"></field>
>>    <field name="certsPath" type="value"><description>Path to the
>> VeriSign Certificate</description></field>
>>    <field name="hostAddress" type="value"><description>Address of the
>> payment processor</description></field>
>>    <field name="hostPort" type="numeric"><description>Port of the
>> payment processor</description></field>
>>    <field name="vendor" type="short-varchar"><description>Vendor of
>> account information</description></field>
>>    <field name="userId" type="short-varchar"><description>PayFlow
>> UserID of account information</description></field>
>>    <field name="pwd" type="short-varchar"><description>PayFlow
>> Password of account information</description></field>
>>    <field name="partner" type="short-varchar"><description>PayFlow
>> Partner of account information</description></field>
>>    <field name="checkAvs" type="indicator"><description>Use Address
>> Verification</description></field>
>>    <field name="checkCvv2" type="indicator"><description>Require CVV2
>> Verification</description></field>
>>    <field name="preAuth" type="indicator"><description>Pre-Authorize
>> Payments (if set to N will auto-capture)</description></field>
>>    <field name="enableTransmit" type="indicator"><description>Set to N
>> to not transmit anything</description></field>
>>    <prim-key field="payflowProId"/>
>>    <relation type="one" fk-name="PFP_PGC"
>> rel-entity-name="PaymentGatewayConfig">
>>    <key-map field-name="paymentGatewayConfigId"/>
>>    </relation>
>> </entity>
>> <entity entity-name="ProductStorePaymentSetting"
>>        package-name="org.ofbiz.product.store"
>>        title="Product Store Payment Settings Entity">
>>    <field name="productStoreId" type="id-ne"></field>
>>    <field name="paymentMethodTypeId" type="id-ne"></field>
>>    <field name="paymentServiceTypeEnumId" type="id-ne"></field>
>>    <field name="paymentService" type="value"></field>
>>    <field name="paymentGatewayConfigId" type="id-ne"></field>
>>    <field name="paymentPropertiesPath" type="value"></field>
>>    <field name="applyToAllProducts" type="indicator"></field>
>>    <prim-key field="productStoreId"/>
>>    <prim-key field="paymentMethodTypeId"/>
>>    <prim-key field="paymentServiceTypeEnumId"/>
>>    <relation type="one" fk-name="PRDS_PS_PRDS"
>> rel-entity-name="ProductStore">
>>    <key-map field-name="productStoreId"/>
>>    </relation>
>>    <relation type="one" fk-name="PRDS_PS_PMNTTP"
>> rel-entity-name="PaymentMethodType">
>>    <key-map field-name="paymentMethodTypeId"/>
>>    </relation>
>>    <relation type="one" fk-name="PRDS_PS_ENUM"
>> rel-entity-name="Enumeration">
>>    <key-map field-name="paymentServiceTypeEnumId"
>> rel-field-name="enumId"/>
>>    </relation>
>>    <relation type="one" fk-name="PRDS_PS_PGC"
>> rel-entity-name="PaymentGatewayConfig">
>>    <key-map field-name="paymentGatewayConfigId"/>
>>    </relation>
>> </entity>
>>
>> This is an example of Payflow Pro Payment Gateway configuration:
>>
>> <entity-engine-xml>
>>    <PaymentMethodType description="Payflow Pro"
>> paymentMethodTypeId="EXT_PAYFLOW"/>
>>    <EnumerationType enumTypeId="PGW_CODE" hasTable="N"
>> description="Payment Gateway"/>
>>
>>    <Enumeration enumId="PGW_PAYFLOWPRO" enumTypeId="PGW_CODE"
>> enumCode="PAYFLOWPRO" sequenceId="1" description="Payflow Pro"/>
>>
>>    <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_TEST"
>> paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for test"/>
>>    <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_PROD"
>> paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for
>> production"/>
>>
>>    <PayflowPro payflowProId="PAYFLOW_TEST"
>> paymentGatewayConfigId="PAYFLOW_TEST"
>> certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>> hostAddress="test-payflow.verisign.com" hostPort="443"
>> vendor="TestVendor" userId="TestUserID" pwd="TestPassword"
>> partner="TestPartner" checkAvs="Y" checkCvv2="Y" preAuth="Y"
>> enableTransmit="Y"/>
>>    <PayflowPro payflowProId="PAYFLOW_PROD"
>> paymentGatewayConfigId="PAYFLOW_PROD"
>> certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>> hostAddress="payflow.verisign.com" hostPort="443" vendor="ProdVendor"
>> userId="ProdUserID" pwd="ProdPassword" partner="ProdPartner"
>> checkAvs="Y" checkCvv2="Y" preAuth="Y" enableTransmit="Y"/>
>>
>>    <ProductStorePaymentSetting productStoreId="9000"
>> paymentMethodTypeId="EXT_PAYFLOW"
>> paymentServiceTypeEnumId="PRDS_PAY_EXTERNAL" paymentService=""
>> paymentGatewayConfigId="PAYFLOW_TEST" paymentPropertiesPath=""
>> applyToAllProducts=""/>
>> </entity-engine-xml>
>>
>> In this way we could also handle different configurations per database
>> (test/production/...) and product stores.
>>
>> Ideas and suggestions are welcome.
>>
>> Thanks a lot
>> Marco
>>
>>>
>>> This has been discussed a few times and I think is on a few of the
>>> lists around where people have brainstormed on things they'd like to
>>> add/change/etc. I'm personally very in favor of it and I do believe it
>>> has been needed for a long time.
>>>
>>> As for the design, I'm very against the concept of super-generic
>>> entities like this. They cause all sorts of problems, and I wish now
>>> that I had never even introduced the extensibility stuff (attribute
>>> tables and such) as they tend to make things messy and difficult to
>>> follow and maintain... if/when they are used.
>>>
>>> It won't be too difficult to add fields and entities for each property
>>> in the files. With actual entities and fields generic maintenance can
>>> be done through the Entity Data Maintenance pages, and for more user
>>> friendly stuff we'd want a less generic UI anyway, and it's a lot
>>> easier to implement that with specific entities instead of generic ones.
>>>
>>> For example, we would create a PaymentGatewayConfig entity and
>>> entities that extend it where needed for Cybersource, PayflowPro,
>>> PayPal, etc, etc. The main change is that on the
>>> ProductStorePaymentSetting entity instead of using the
>>> "paymentPropertiesPath" field we would add a paymentGatewayConfigId
>>> that points to the corresponding PaymentGatewayConfig entity. That
>>> entity would have a type field, with different values for different
>>> payment gateways (i.e. CyberSource, PayflowPro, etc).
>>>
>>> Each property in the payment.properties file would be mapped to a
>>> field on one of these entities.
>>>
>>> Does that make sense?
>>>
>>> -David
>>>
>>>
>>>
>>> On Mar 30, 2009, at 4:14 AM, mrisal...@libero.it wrote:
>>>
>>>> Hi to all,
>>>>
>>>> what do you think if we move the payment.properties to an entity?
>>>> I tried having a more general entity but I have seen that every
>>>> single payment gateway has different parameters and so I tried
>>>> with the following example:
>>>>
>>>> <EnumerationType description="Payment Gateway Code"
>>>> enumTypeId="PGW_CODE" hasTable="N" parentTypeId=""/>
>>>> <Enumeration description="Gift Certificate"
>>>> enumCode="GIFTCERTIFICATE" enumId="PGW_GIFTCERTIFICATE"
>>>> sequenceId="01" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="CyberSource" enumCode="CYBERSOURCE"
>>>> enumId="PGW_CYBERSOURCE" sequenceId="02" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="ClearCommerce" enumCode="CLEARCOMMERCE"
>>>> enumId="PGW_CLEARCOMMERCE" sequenceId="03" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="ValueLink" enumCode="VALUELINK"
>>>> enumId="PGW_VALUELINK" sequenceId="04" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="PayFlow Pro" enumCode="PAYFLOW"
>>>> enumId="PGW_PAYFLOW" sequenceId="05" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="WorldPay" enumCode="WORLDPAY"
>>>> enumId="PGW_WORLDPAY" sequenceId="06" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="PayPal" enumCode="PAYPAL"
>>>> enumId="PGW_PAYPAL" sequenceId="07" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="PCCharge" enumCode="PCCHARGE"
>>>> enumId="PGW_PCCHARGE" sequenceId="08" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="RiTA" enumCode="RITA" enumId="PGW_RITA"
>>>> sequenceId="09" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="Authorize.Net" enumCode="AUTHORIZEDOTNET"
>>>> enumId="PGW_AUTHORIZEDOTNET" sequenceId="10" enumTypeId="PGW_CODE"/>
>>>>
>>>> <!-- Product store gateway setting -->
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="certsPath"
>>>> attributeValue="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>>>> activeAttribute="Y" comment="Path to the VeriSign Certificate"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="hostAddress"
>>>> attributeValue="test-payflow.verisign.com" activeAttribute="Y"
>>>> comment="Address of the payment processor"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="hostPort"
>>>> attributeValue="443" activeAttribute="Y" comment="Port of the
>>>> payment processor"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="vendor"
>>>> attributeValue="[Vendor]" activeAttribute="Y" comment="Payflow
>>>> account information (Vendor)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="user"
>>>> attributeValue="[PayFlow UserID]" activeAttribute="Y"
>>>> comment="Payflow account information (PayFlow UserID)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="pwd"
>>>> attributeValue="[PayFlow Password]" activeAttribute="Y"
>>>> comment="Payflow account information (PayFlow Password)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="partner"
>>>> attributeValue="[PayFlow Partner]" activeAttribute="Y"
>>>> comment="Payflow account information (PayFlow Partner)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="checkAvs"
>>>> attributeValue="Y" activeAttribute="Y" comment="Use Address
>>>> Verification"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="checkCvv2"
>>>> attributeValue="Y" activeAttribute="Y" comment="Require CVV2
>>>> Verification"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="preAuth"
>>>> attributeValue="Y" activeAttribute="Y" comment="Pre-Authorize
>>>> Payments (if set to N will auto-capture)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>> gatewayEnumId="PGW_PAYFLOW" attributeKey="enableTransmit"
>>>> attributeValue="true" activeAttribute="Y" comment="Set to false to
>>>> not transmit anything "/>
>>>>
>>>>
>>>> Once we have it in the DB it could be extended in custom
>>>> components (hot-deploy), it could be cached, and it would no
>>>> longer be necessary to restart OFBiz when you have to change a value in
>>>> this property file.
>>>> I have also moved those parameters at product store level so you
>>>> could have different configuration by product store.
>>>>
>>>> It's only an idea and it could be introduced also after that new
>>>> OFBiz release has been created.
>>>>
>>>> Any ideas and suggestions are welcome because if it's working
>>>> correctly for everyone it could also be extended to other property
>>>> files (shipment.properties, catalog.properties, ...).
>>>>
>>>> Thanks in advance
>>>> Marco
>>>>
>>>
>>>
>>
>
>
>

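The question raised in this thread, how a PCI audit would view gateway login info held in the database, can be checked mechanically. The following is an added example, not code from the thread or from OFBiz: it flags secret-looking fields in an entity definition that are not marked with the entity engine's `encrypt` field attribute, and seed records that carry a literal secret value. The name pattern, function names and trimmed sample XML are assumptions constructed from the thread's examples.

```python
import re
import xml.etree.ElementTree as ET

# Names treated as secrets: an assumption of this example, not an OFBiz list.
SECRET_NAME = re.compile(r"pwd|passw|secret|apikey|privatekey", re.I)

# Constructed samples, trimmed from the entity definition and seed data in the thread.
ENTITY_MODEL = """<entitymodel>
  <entity entity-name="PayflowPro" package-name="org.ofbiz.accounting.payment">
    <field name="payflowProId" type="id-ne"/>
    <field name="userId" type="short-varchar"/>
    <field name="pwd" type="short-varchar"/>
    <prim-key field="payflowProId"/>
  </entity>
</entitymodel>"""

SEED_DATA = """<entity-engine-xml>
  <PayflowPro payflowProId="PAYFLOW_TEST" userId="TestUserID" pwd="TestPassword"/>
  <PayflowPro payflowProId="PAYFLOW_PROD" userId="ProdUserID" pwd="ProdPassword"/>
  <PayflowPro payflowProId="PAYFLOW_TPL" userId="[PayFlow UserID]" pwd="[PayFlow Password]"/>
</entity-engine-xml>"""


def unencrypted_secret_fields(model_xml):
    """Return (entity, field) pairs that look secret but are stored without encrypt."""
    findings = []
    for entity in ET.fromstring(model_xml).iter("entity"):
        for field in entity.iter("field"):
            name = field.get("name", "")
            # A missing encrypt attribute is treated the same as encrypt="false".
            if SECRET_NAME.search(name) and field.get("encrypt", "false") == "false":
                findings.append((entity.get("entity-name"), name))
    return findings


def literal_secrets_in_seed(seed_xml):
    """Return (element, record id, attribute) for secret attributes with a literal value."""
    findings = []
    for record in ET.fromstring(seed_xml):
        record_id = next((v for k, v in record.attrib.items() if k.endswith("Id")), None)
        for attr, value in record.attrib.items():
            # Empty values and [bracketed] placeholders are treated as templates.
            if SECRET_NAME.search(attr) and value and not re.fullmatch(r"\[.*\]", value):
                findings.append((record.tag, record_id, attr))
    return findings


if __name__ == "__main__":
    print(unencrypted_secret_fields(ENTITY_MODEL))
    print(literal_secrets_in_seed(SEED_DATA))
```
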