importing encrypted credit card data

importing encrypted credit card data

Dave Tenerowicz
Is there any way to import credit card data in an encrypted format, so
that OfBiz can properly decrypt the values?
We need to import millions of credit card records into OFB, and would
like to do this directly to the database (SQL Server) without using xml
import. Can this be done? What encryption method is being used by OfBiz?
Or is the only safe approach to use XML import? If we use XML import,
what are the absolute record limits per import file? I'm guessing 10,000
records per file?

--
Dave Tenerowicz
[hidden email]

Office: 303.493.6727
Mobile 303.906.6116
Fax 303.814.8330

Visit us at http://www.salmonllc.com


Re: importing encrypted credit card data

David E Jones


Dave Tenerowicz wrote:
> Is there any way to import credit card data in an encrypted format, so
> that OfBiz can properly decrypt the values?
> We need to import millions of credit card records into OFB, and would
> like to do this directly to the database (SQL Server) without using xml
> import. Can this be done? What encryption method is being used by OfBiz?

Quite possible, just have to find out which encryption scheme and key(s) have been used and make sure OFBiz is doing the same.

> Or is the only safe approach to use XML import?

Can go either way. Just make sure with the XML import that it doesn't double-encrypt it...

> If we use XML import,
> what are the absolute record limits per import file? I'm guessing 10,000
> records per file?

In theory there is no limit. ;)

-David

Re: importing encrypted credit card data

Vince Clark
David, can you clarify something about importing data via XML that needs
to be encrypted?

Question is, do you import it as clear text and OfBiz will encrypt
during the xml import? Or do you have to import the values as already
encrypted?

If encryption is performed during the import, will it apply to any
fields that need to be encrypted, for example user passwords?

We are performing a migration where we would want to export user records
from an old system in clear text and import into OfBiz, performing the
necessary encryption in the process.

David E Jones wrote:

>
>
> Dave Tenerowicz wrote:
>> Is there any way to import credit card data in an encrypted format,
>> so that OfBiz can properly decrypt the values?
>> We need to import millions of credit card records into OFB, and would
>> like to do this directly to the database (SQL Server) without using
>> xml import. Can this be done? What encryption method is being used by
>> OfBiz?
>
> Quite possible, just have to find out which encryption scheme and
> key(s) have been used and make sure OFBiz is doing the same.
>
>> Or is the only safe approach to use XML import?
>
> Can go either way. Just make sure with the XML import that it doesn't
> double-encrypt it...
>
>> If we use XML import, what are the absolute record limits per import
>> file? I'm guessing 10,000 records per file?
>
> In theory there is no limit. ;)
>
> -David

--
Vince Clark
Global Era
The freedom of open source.
(303) 493-6723
(303) 455-2409 fax
[hidden email]
www.globalera.com

Re: importing encrypted credit card data

David E Jones

Passwords are different. They are not encrypted by the entity engine; they are done by the service, so you'd have to run a service or something after the fact (not sure if this exists) to encrypt all passwords.

-David


Vince Clark wrote:

> David, can you clarify something about importing data via XML that needs
> to be encrypted?
>
> Question is, do you import it as clear text and OfBiz will encrypt
> during the xml import? Or do you have to import the values as already
> encrypted?
>
> If encryption is performed during the import, will it apply to any
> fields that need to be encrypted, for example user passwords?
>
> We are performing a migration where we would want to export user records
> from an old system in clear text and import into OfBiz, performing the
> necessary encryption in the process.
>
> David E Jones wrote:
>>
>> Dave Tenerowicz wrote:
>>> Is there any way to import credit card data in an encrypted format,
>>> so that OfBiz can properly decrypt the values?
>>> We need to import millions of credit card records into OFB, and would
>>> like to do this directly to the database (SQL Server) without using
>>> xml import. Can this be done? What encryption method is being used by
>>> OfBiz?
>> Quite possible, just have to find out which encryption scheme and
>> key(s) have been used and make sure OFBiz is doing the same.
>>
>>> Or is the only safe approach to use XML import?
>> Can go either way. Just make sure with the XML import that it doesn't
>> double-encrypt it...
>>
>>> If we use XML import, what are the absolute record limits per import
>>> file? I'm guessing 10,000 records per file?
>> In theory there is no limit. ;)
>>
>> -David
>

Re: importing encrypted credit card data

Dave Tenerowicz
In reply to this post by David E Jones
Thanks David. This is very helpful.
How do we determine the encryption scheme and keys that OFBiz is using?
If we know what OFBiz is using, we can use the same scheme/key
combination to prepare the import files.

-Dave

David E Jones wrote:

>
>
> Dave Tenerowicz wrote:
>> Is there any way to import credit card data in an encrypted format,
>> so that OfBiz can properly decrypt the values?
>> We need to import millions of credit card records into OFB, and would
>> like to do this directly to the database (SQL Server) without using
>> xml import. Can this be done? What encryption method is being used by
>> OfBiz?
>
> Quite possible, just have to find out which encryption scheme and
> key(s) have been used and make sure OFBiz is doing the same.
>
>> Or is the only safe approach to use XML import?
>
> Can go either way. Just make sure with the XML import that it doesn't
> double-encrypt it...
>
>> If we use XML import, what are the absolute record limits per import
>> file? I'm guessing 10,000 records per file?
>
> In theory there is no limit. ;)
>
> -David
>
>

--
Dave Tenerowicz
[hidden email]

Office: 303.493.6727
Mobile 303.906.6116
Fax 303.814.8330

Visit us at http://www.salmonllc.com


Re: importing encrypted credit card data

David E Jones

Check out the Entity Engine encryption stuff, which BTW isn't perfect but is pretty good.

-David


Dave Tenerowicz wrote:

> Thanks David. This is very helpful.
> How do we determine the encryption scheme and keys that OFBiz is using?
> If we know what OFBiz is using, we can use the same scheme/key
> combination to prepare the import files.
>
> -Dave
>
> David E Jones wrote:
>>
>>
>> Dave Tenerowicz wrote:
>>> Is there any way to import credit card data in an encrypted format,
>>> so that OfBiz can properly decrypt the values?
>>> We need to import millions of credit card records into OFB, and would
>>> like to do this directly to the database (SQL Server) without using
>>> xml import. Can this be done? What encryption method is being used by
>>> OfBiz?
>>
>> Quite possible, just have to find out which encryption scheme and
>> key(s) have been used and make sure OFBiz is doing the same.
>>
>>> Or is the only safe approach to use XML import?
>>
>> Can go either way. Just make sure with the XML import that it doesn't
>> double-encrypt it...
>>
>>> If we use XML import, what are the absolute record limits per import
>>> file? I'm guessing 10,000 records per file?
>>
>> In theory there is no limit. ;)
>>
>> -David
>>
>>
>

Re: importing encrypted credit card data

Walter Vaughan
In reply to this post by Dave Tenerowicz
Dave Tenerowicz wrote:

> Or is the only safe approach to use XML import?

<disclaimer: I just sat through a credit card security webinar this afternoon and
of course the purpose was to convince you that you should treat cc info like
plutonium unless you buy a certain vendor's black boxes, so of course now I see
that it's really impossible because of every nifty thing you should do (or could
buy), I know of a way to defeat it.>

You can build a bridge entity that you populate your cc info into using normal
database transfers, and let a service do the lifting for you. I believe the
current Opentaps has a "dataimport" module in the hot-deploy directory that has
the ability to import credit card numbers with parties.

http://www.opentaps.org/index.php?option=com_content&task=view&id=51&Itemid=78

We have built several import tools like this (with Si's help) that have a ton of
customization and logic that we needed.

--
Walter