Thanks Adam for your valuable comment,

I found token-related information for Sagepay on the
http://www.sagepay.com/token-system site, as follows:


Token System is a safe way of keeping card details without actually storing
them. We store and convert your customer's sensitive payment information
into a secure token or "alias". This gives you the flexibility to process
transactions as and when required, without compromising on card data
security.

Due to this reason I raised this issue here, because I tried to find a Jira
issue for the same but did not find one.

More comments inline:


On Thu, Apr 19, 2012 at 2:30 AM, Adam Heath <doo...@brainfood.com> wrote:

> On 04/18/2012 03:28 PM, Brajesh Patel wrote:
> > Hello All,
> >
> > I am looking into Sagepay related stuff:
> >
> > Currently we have Sagepay payment gateway integration in OOTB,
> >
> > We have requirement for PCI with tokenization in sage pay.
> > I am thinking that we need to add 'SagepayPaymentMethod' entity, same as
> > Paypal have PaypalPaymentMethod entity that contains "expressCheckoutToken"
> > field that store token value for transactions.
> >
> > Via this entity (SagepayPaymentMethod) we can manage history of Sagepay
> > transaction(response token).
> > We also need code related changes for payment stuff of Sagepay just like
> > Paypal.
>
> For the record, PCI compliance doesn't say you *can't* store the PAN
> ever; it's just that it needs to be encrypted.  The PIN, however,
> can't *ever* be stored.  It's this latter that ofbiz currently does
> incorrectly (the PIN is stored in OrderPaymentPreference).
>
> I have a feature I will be adding to EntityCrypto, to support
> key-encrypting keys (the idea comes from PCI).  Right now, if you can
> access the database (or a dump of it), you can access the stored credit
> card numbers.  A key-encrypting key would be stored in a file
> somewhere in $OFBIZ_HOME, that would encrypt the key used in the
> database, which is then further used to encrypt the column values.
>

Are you contributing this feature to OFBiz, or have you customized this
feature at your end?



>
> As far as using a token, not all payment processors support such a
> feature.  So, ofbiz can't require tokenized processing to reach PCI
> compliance, so we need to support other variants.  Using
> key-encrypting keys, and not storing PIN, and not printing the PAN/PIN to
> the log, would get us most of the way there.
>



-- 
Thanks
Brajesh Patel
Salmonllc.com
http://bigfish.salmonllc.com/bfDemo.html

skype: brajesh.patel11
Cell:- +91 8750709907
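
The key-encrypting-key layering described in the quoted message, as an added example that is not part of this thread and is not OFBiz's EntityCrypto code. It assumes AES key wrap for the data key and AES-GCM for column values (neither is named in the thread); the class name `KekDemo` is hypothetical, the KEK that would live in a file is generated in memory, and the card number is a constructed test value.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class KekDemo {
    // Wrap the data key with the KEK; only this wrapped form is stored in the database.
    static byte[] wrapDataKey(SecretKey kek, SecretKey dataKey) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(dataKey);
    }
    static SecretKey unwrapDataKey(SecretKey kek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // Stored column value = 12-byte random IV followed by AES-GCM ciphertext and tag.
    static byte[] encryptColumn(SecretKey dataKey, String plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static String decryptColumn(SecretKey dataKey, byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, stored, 0, 12));
        return new String(c.doFinal(stored, 12, stored.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey kek = kg.generateKey();      // assumption: loaded from a file outside the database
        SecretKey dataKey = kg.generateKey();  // encrypts the column values
        byte[] wrappedKeyRow = wrapDataKey(kek, dataKey);                // goes in the database
        byte[] cardColumn = encryptColumn(dataKey, "4111111111111111");  // constructed test PAN
        // A database dump contains only wrappedKeyRow and cardColumn, never kek or dataKey.
        System.out.println(decryptColumn(unwrapDataKey(kek, wrappedKeyRow), cardColumn));
        try { unwrapDataKey(kg.generateKey(), wrappedKeyRow); }          // a different KEK
        catch (GeneralSecurityException e) { System.out.println("wrong KEK: unwrap rejected"); }
    }
}
```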
