On 04/18/2012 03:28 PM, Brajesh Patel wrote:
> Hello All,
> 
> I am looking into Sagepay related stuff:
> 
> Currently we have Sagepay payment gateway integration in OOTB.
> 
> We have a requirement for PCI with tokenization in Sagepay.
> I am thinking that we need to add a 'SagepayPaymentMethod' entity, the same as
> Paypal has a PaypalPaymentMethod entity that contains an "expressCheckoutToken"
> field that stores the token value for transactions.
> 
> Via this entity (SagepayPaymentMethod) we can manage the history of Sagepay
> transactions (response tokens).
> We also need code-related changes for the payment stuff of Sagepay, just like
> Paypal.

For the record, PCI compliance doesn't say you *can't* store the PAN
ever; it's just that it needs to be encrypted.  The PIN, however,
can't *ever* be stored.  It's this latter that ofbiz currently does
incorrectly (the PIN is stored in OrderPaymentPreference).

I have a feature I will be adding to EntityCrypto, to support
key-encrypting keys (the idea comes from PCI).  Right now, if you can
access the database (or a dump of it), you can access the stored credit
card numbers.  A key-encrypting key would be stored in a file
somewhere in $OFBIZ_HOME, and would encrypt the key used in the
database, which is then further used to encrypt the column values.

As far as using a token, not all payment processors support such a
feature.  So ofbiz can't require tokenized processing to reach PCI
compliance, and we need to support other variants.  Using
key-encrypting keys, not storing the PIN, and not printing the PAN/PIN to
the log, would get us most of the way there.
