Just starting down the path of PCI, so when I know more I will let the list know. I was more thinking of getting compliance by moving the storage of credit cards out of the database and into the payment processor's servers (secure storage based on tokens).

On 01/04/2009 03:35, "BJ Freeman" <bjf...@free-man.net> wrote:

I am wondering how a PCI audit might view having certificates and login info in a database.
I know that securing the database is one option.
There has been an effort to beef up security through ofbiz.
Just something to consider. I have no info one way or the other.

Marco Risaliti sent the following on 3/31/2009 10:17 AM:
> Anyway I made a mistake in the above example because Payflow Pro is a
> credit card payment gateway and so it's not necessary a new payment
> method type (EXT_PAYFLOW).
> So the corrected example is the following:
>
> <entity-engine-xml>
>     <EnumerationType enumTypeId="PGW_CODE" hasTable="N"
>         description="Payment Gateway"/>
>
>     <Enumeration enumId="PGW_PAYFLOWPRO" enumTypeId="PGW_CODE"
>         enumCode="PAYFLOWPRO" sequenceId="1" description="Payflow Pro"/>
>
>     <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_TEST"
>         paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for test"/>
>     <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_PROD"
>         paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for production"/>
>
>     <PayflowPro payflowProId="PAYFLOW_TEST"
>         paymentGatewayConfigId="PAYFLOW_TEST"
>         certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>         hostAddress="test-payflow.verisign.com" hostPort="443"
>         vendor="TestVendor" userId="TestUserID" pwd="TestPassword"
>         partner="TestPartner" checkAvs="Y" checkCvv2="Y" preAuth="Y"
>         enableTransmit="Y"/>
>     <PayflowPro payflowProId="PAYFLOW_PROD"
>         paymentGatewayConfigId="PAYFLOW_PROD"
>         certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>         hostAddress="payflow.verisign.com" hostPort="443" vendor="ProdVendor"
>         userId="ProdUserID" pwd="ProdPassword" partner="ProdPartner"
>         checkAvs="Y" checkCvv2="Y" preAuth="Y" enableTransmit="Y"/>
>
>     <ProductStorePaymentSetting productStoreId="9000"
>         paymentMethodTypeId="CREDIT_CARD"
>         paymentServiceTypeEnumId="PRDS_PAY_AUTH"
>         paymentService="payflowCCProcessor"
>         paymentGatewayConfigId="PAYFLOW_TEST" paymentPropertiesPath=""
>         applyToAllProducts=""/>
> </entity-engine-xml>
>
> Thanks
> Marco
>
>
> On 31 Mar 09, at 15:12, mrisal...@libero.it wrote:
>
>> Hi David,
>>
>> thanks a lot for your great analysis help on this, I have now
>> understood what you mean after trying those new entities.
>> Also I prefer now to implement those specific entities instead of
>> generic ones.
>>
>> If I understood correctly it could be something similar to the
>> following examples:
>>
>> <entity entity-name="PaymentGatewayConfig"
>>         package-name="org.ofbiz.accounting.payment"
>>         title="Payment Gateway Configuration">
>>     <field name="paymentGatewayConfigId" type="id-ne"></field>
>>     <field name="paymentGatewayTypeId" type="id-ne"></field>
>>     <field name="description" type="very-long"></field>
>>     <prim-key field="paymentGatewayConfigId"/>
>>     <relation type="one" fk-name="PGC_ENUM" rel-entity-name="Enumeration">
>>         <key-map field-name="paymentGatewayTypeId" rel-field-name="enumId"/>
>>     </relation>
>> </entity>
>> <entity entity-name="PayflowPro"
>>         package-name="org.ofbiz.accounting.payment"
>>         title="Payflow Pro Payment Gateway Configuration">
>>     <field name="payflowProId" type="id-ne"></field>
>>     <field name="paymentGatewayConfigId" type="id-ne"></field>
>>     <field name="certsPath" type="value"><description>Path to the VeriSign Certificate</description></field>
>>     <field name="hostAddress" type="value"><description>Address of the payment processor</description></field>
>>     <field name="hostPort" type="numeric"><description>Port of the payment processor</description></field>
>>     <field name="vendor" type="short-varchar"><description>Vendor of account information</description></field>
>>     <field name="userId" type="short-varchar"><description>PayFlow UserID of account information</description></field>
>>     <field name="pwd" type="short-varchar"><description>PayFlow Password of account information</description></field>
>>     <field name="partner" type="short-varchar"><description>PayFlow Partner of account information</description></field>
>>     <field name="checkAvs" type="indicator"><description>Use Address Verification</description></field>
>>     <field name="checkCvv2" type="indicator"><description>Require CVV2 Verification</description></field>
>>     <field name="preAuth" type="indicator"><description>Pre-Authorize Payments (if set to N will auto-capture)</description></field>
>>     <field name="enableTransmit" type="indicator"><description>Set to N to not transmit anything</description></field>
>>     <prim-key field="payflowProId"/>
>>     <relation type="one" fk-name="PFP_PGC"
>>             rel-entity-name="PaymentGatewayConfig">
>>         <key-map field-name="paymentGatewayConfigId"/>
>>     </relation>
>> </entity>
>> <entity entity-name="ProductStorePaymentSetting"
>>         package-name="org.ofbiz.product.store"
>>         title="Product Store Payment Settings Entity">
>>     <field name="productStoreId" type="id-ne"></field>
>>     <field name="paymentMethodTypeId" type="id-ne"></field>
>>     <field name="paymentServiceTypeEnumId" type="id-ne"></field>
>>     <field name="paymentService" type="value"></field>
>>     <field name="paymentGatewayConfigId" type="id-ne"></field>
>>     <field name="paymentPropertiesPath" type="value"></field>
>>     <field name="applyToAllProducts" type="indicator"></field>
>>     <prim-key field="productStoreId"/>
>>     <prim-key field="paymentMethodTypeId"/>
>>     <prim-key field="paymentServiceTypeEnumId"/>
>>     <relation type="one" fk-name="PRDS_PS_PRDS"
>>             rel-entity-name="ProductStore">
>>         <key-map field-name="productStoreId"/>
>>     </relation>
>>     <relation type="one" fk-name="PRDS_PS_PMNTTP"
>>             rel-entity-name="PaymentMethodType">
>>         <key-map field-name="paymentMethodTypeId"/>
>>     </relation>
>>     <relation type="one" fk-name="PRDS_PS_ENUM"
>>             rel-entity-name="Enumeration">
>>         <key-map field-name="paymentServiceTypeEnumId"
>>             rel-field-name="enumId"/>
>>     </relation>
>>     <relation type="one" fk-name="PRDS_PS_PGC"
>>             rel-entity-name="PaymentGatewayConfig">
>>         <key-map field-name="paymentGatewayConfigId"/>
>>     </relation>
>> </entity>
>>
>> This is an example of Payflow Pro Payment Gateway configuration:
>>
>> <entity-engine-xml>
>>     <PaymentMethodType description="Payflow Pro"
>>         paymentMethodTypeId="EXT_PAYFLOW"/>
>>     <EnumerationType enumTypeId="PGW_CODE" hasTable="N"
>>         description="Payment Gateway"/>
>>
>>     <Enumeration enumId="PGW_PAYFLOWPRO" enumTypeId="PGW_CODE"
>>         enumCode="PAYFLOWPRO" sequenceId="1" description="Payflow Pro"/>
>>
>>     <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_TEST"
>>         paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for test"/>
>>     <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_PROD"
>>         paymentGatewayTypeId="PGW_PAYFLOWPRO" description="PayFlow for production"/>
>>
>>     <PayflowPro payflowProId="PAYFLOW_TEST"
>>         paymentGatewayConfigId="PAYFLOW_TEST"
>>         certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>>         hostAddress="test-payflow.verisign.com" hostPort="443"
>>         vendor="TestVendor" userId="TestUserID" pwd="TestPassword"
>>         partner="TestPartner" checkAvs="Y" checkCvv2="Y" preAuth="Y"
>>         enableTransmit="Y"/>
>>     <PayflowPro payflowProId="PAYFLOW_PROD"
>>         paymentGatewayConfigId="PAYFLOW_PROD"
>>         certsPath="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>>         hostAddress="payflow.verisign.com" hostPort="443" vendor="ProdVendor"
>>         userId="ProdUserID" pwd="ProdPassword" partner="ProdPartner"
>>         checkAvs="Y" checkCvv2="Y" preAuth="Y" enableTransmit="Y"/>
>>
>>     <ProductStorePaymentSetting productStoreId="9000"
>>         paymentMethodTypeId="EXT_PAYFLOW"
>>         paymentServiceTypeEnumId="PRDS_PAY_EXTERNAL" paymentService=""
>>         paymentGatewayConfigId="PAYFLOW_TEST" paymentPropertiesPath=""
>>         applyToAllProducts=""/>
>> </entity-engine-xml>
>>
>> In this way we could handle also different configuration per database
>> (test/production/...) and product stores.
>>
>> Ideas and suggestions are welcome.
>>
>> Thanks a lot
>> Marco
>>
>>
>>> This has been discussed a few times and I think is on a few of the
>>> lists around where people have brainstormed on things they'd like to
>>> add/change/etc. I'm personally very in favor of it and I do believe it
>>> has been needed for a long time.
>>>
>>> As for the design, I'm very against the concept of super-generic
>>> entities like this. They cause all sorts of problems, and I wish now
>>> that I had never even introduced the extensibility stuff (attribute
>>> tables and such) as they tend to make things messy and difficult to
>>> follow and maintain... if/when they are used.
>>>
>>> It won't be too difficult to add fields and entities for each property
>>> in the files. With actual entities and fields generic maintenance can
>>> be done through the Entity Data Maintenance pages, and for more user
>>> friendly stuff we'd want a less generic UI anyway, and it's a lot
>>> easier to implement that specific entities instead of generic ones.
>>>
>>> For example, we would create a PaymentGatewayConfig entity and
>>> entities that extend it where needed for Cybersource, PayflowPro,
>>> PayPal, etc, etc. The main change is that on the
>>> ProductStorePaymentSetting entity instead of using the
>>> "paymentPropertiesPath" field we would add a paymentGatewayConfigId
>>> that points to the corresponding PaymentGatewayConfig entity. That
>>> entity would have a type field, with different values for different
>>> payment gateways (ie CyberSource, PayflowPro, etc).
>>>
>>> Each property in the payment.properties file would be mapped to a
>>> field on one of these entities.
>>>
>>> Does that make sense?
>>>
>>> -David
>>>
>>>
>>> On Mar 30, 2009, at 4:14 AM, mrisal...@libero.it wrote:
>>>
>>>> Hi to all,
>>>>
>>>> what did you think if we move the payment.properties to an entity?
>>>> I tried to have a more general entity but I have seen that every
>>>> single payment gateway has different parameters and so I tried
>>>> with the following example:
>>>>
>>>> <EnumerationType description="Payment Gateway Code"
>>>>     enumTypeId="PGW_CODE" hasTable="N" parentTypeId=""/>
>>>> <Enumeration description="Gift Certificate"
>>>>     enumCode="GIFTCERTIFICATE" enumId="PGW_GIFTCERTIFICATE"
>>>>     sequenceId="01" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="CyberSource" enumCode="CYBERSOURCE"
>>>>     enumId="PGW_CYBERSOURCE" sequenceId="02" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="ClearCommerce" enumCode="CLEARCOMMERCE"
>>>>     enumId="PGW_CLEARCOMMERCE" sequenceId="03" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="ValueLink" enumCode="VALUELINK"
>>>>     enumId="PGW_VALUELINK" sequenceId="04" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="PayFlow Pro" enumCode="PAYFLOW"
>>>>     enumId="PGW_PAYFLOW" sequenceId="05" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="WorldPay" enumCode="WORLDPAY"
>>>>     enumId="PGW_WORLDPAY" sequenceId="06" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="PayPal" enumCode="PAYPAL"
>>>>     enumId="PGW_PAYPAL" sequenceId="07" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="PCCharge" enumCode="PCCHARGE"
>>>>     enumId="PGW_PCCHARGE" sequenceId="08" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="RiTA" enumCode="RITA" enumId="PGW_RITA"
>>>>     sequenceId="09" enumTypeId="PGW_CODE"/>
>>>> <Enumeration description="Authorize.Net" enumCode="AUTHORIZEDOTNET"
>>>>     enumId="PGW_AUTHORIZEDOTNET" sequenceId="10" enumTypeId="PGW_CODE"/>
>>>>
>>>> <!-- Product store gateway setting -->
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="certsPath"
>>>>     attributeValue="${sys:getProperty('ofbiz.home')}/applications/accounting/pfcerts"
>>>>     activeAttribute="Y" comment="Path to the VeriSign Certificate"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="hostAddress"
>>>>     attributeValue="test-payflow.verisign.com" activeAttribute="Y"
>>>>     comment="Address of the payment processor"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="hostPort"
>>>>     attributeValue="443" activeAttribute="Y"
>>>>     comment="Port of the payment processor"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="vendor"
>>>>     attributeValue="[Vendor]" activeAttribute="Y"
>>>>     comment="Payflow account information (Vendor)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="user"
>>>>     attributeValue="[PayFlow UserID]" activeAttribute="Y"
>>>>     comment="Payflow account information (PayFlow UserID)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="pwd"
>>>>     attributeValue="[PayFlow Password]" activeAttribute="Y"
>>>>     comment="Payflow account information (PayFlow Password)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="partner"
>>>>     attributeValue="[PayFlow Partner]" activeAttribute="Y"
>>>>     comment="Payflow account information (PayFlow Partner)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="checkAvs"
>>>>     attributeValue="Y" activeAttribute="Y"
>>>>     comment="Use Address Verification"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="checkCvv2"
>>>>     attributeValue="Y" activeAttribute="Y"
>>>>     comment="Require CVV2 Verification"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="preAuth"
>>>>     attributeValue="Y" activeAttribute="Y"
>>>>     comment="Pre-Authorize Payments (if set to N will auto-capture)"/>
>>>> <ProductStoreGatewaySetting productStoreId="9000"
>>>>     gatewayEnumId="PGW_PAYFLOW" attributeKey="enableTransmit"
>>>>     attributeValue="true" activeAttribute="Y"
>>>>     comment="Set to false to not transmit anything "/>
>>>>
>>>>
>>>> Once we have it into the DB it could be extended in a custom
>>>> components (hot-deploy) and it could be cached and it could be no
>>>> more necessary to restart OFBiz once you have to change a value into
>>>> this property file.
>>>> I have also moved those parameters at product store level so you
>>>> could have different configuration by product store.
>>>>
>>>> It's only an idea and it could be introduced also after that new
>>>> OFBiz release has been created.
>>>>
>>>> Any ideas and suggestions are welcomed because if it's working
>>>> correctly for everyone it could be extended also to other property
>>>> files (shipment.properties, catalog.properties, ...).
>>>>
>>>> Thanks in advance
>>>> Marco
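
The lookup chain proposed in the thread (ProductStorePaymentSetting, then PaymentGatewayConfig, then the gateway-specific row) together with an inventory of the credential fields that would sit in the database as literal values, which is the point raised about a PCI audit. This is an added example, not OFBiz code or code from any poster. The function names, store 9001, the PAYFLOW_MISSING id and the choice of `pwd` as the secret field are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the corrected seed data quoted in the thread.
# Store 9001 and PAYFLOW_MISSING are invented here to show a dangling reference.
SEED = """<entity-engine-xml>
  <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_TEST" paymentGatewayTypeId="PGW_PAYFLOWPRO"/>
  <PaymentGatewayConfig paymentGatewayConfigId="PAYFLOW_PROD" paymentGatewayTypeId="PGW_PAYFLOWPRO"/>
  <PayflowPro payflowProId="PAYFLOW_TEST" paymentGatewayConfigId="PAYFLOW_TEST"
      hostAddress="test-payflow.verisign.com" userId="TestUserID" pwd="TestPassword"/>
  <PayflowPro payflowProId="PAYFLOW_PROD" paymentGatewayConfigId="PAYFLOW_PROD"
      hostAddress="payflow.verisign.com" userId="ProdUserID" pwd="ProdPassword"/>
  <ProductStorePaymentSetting productStoreId="9000" paymentMethodTypeId="CREDIT_CARD"
      paymentServiceTypeEnumId="PRDS_PAY_AUTH" paymentGatewayConfigId="PAYFLOW_TEST"/>
  <ProductStorePaymentSetting productStoreId="9001" paymentMethodTypeId="CREDIT_CARD"
      paymentServiceTypeEnumId="PRDS_PAY_AUTH" paymentGatewayConfigId="PAYFLOW_MISSING"/>
</entity-engine-xml>"""

# Gateway type -> (detail entity, its key field); only the type shown in the thread.
DETAIL = {"PGW_PAYFLOWPRO": ("PayflowPro", "payflowProId")}
# Which fields count as secrets is an assumption of this example.
SECRET_FIELDS = ("pwd",)

def resolve(root, store_id, method, service):
    """Follow ProductStorePaymentSetting -> PaymentGatewayConfig -> detail row."""
    key = (store_id, method, service)
    setting = next((s for s in root.iter("ProductStorePaymentSetting")
                    if (s.get("productStoreId"), s.get("paymentMethodTypeId"),
                        s.get("paymentServiceTypeEnumId")) == key), None)
    if setting is None:
        return None  # the store has no setting for this method/service
    cfg_id = setting.get("paymentGatewayConfigId")
    cfg = next((c for c in root.iter("PaymentGatewayConfig")
                if c.get("paymentGatewayConfigId") == cfg_id), None)
    if cfg is None:
        raise LookupError(f"store {store_id}: unknown gateway config {cfg_id!r}")
    entity, _ = DETAIL[cfg.get("paymentGatewayTypeId")]
    return next((d for d in root.iter(entity)
                 if d.get("paymentGatewayConfigId") == cfg_id), None)

def plaintext_secrets(root):
    """Return (entity, row id, field) for each secret held as a literal value."""
    return [(row.tag, row.get(id_field), field)
            for entity, id_field in DETAIL.values()
            for row in root.iter(entity)
            for field in SECRET_FIELDS if row.get(field)]

if __name__ == "__main__":
    root = ET.fromstring(SEED)
    print(resolve(root, "9000", "CREDIT_CARD", "PRDS_PAY_AUTH").get("hostAddress"))
    print(plaintext_secrets(root))
```

Every row reported by `plaintext_secrets` is a credential readable by anyone with access to the table or to the seed file, so that list is what database hardening or a move to external secret storage has to cover.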