importing encrypted credit card data

[Dave Tenerowicz <dt...@salmonllc.com>]

Is there any way to import credit card data in an encrypted format, so 
that OfBiz can properly decrypt the values?
We need to import millions of credit card records into OFB, and would 
like to do this directly to the database (SQL Server) without using xml 
import. Can this be done? What encryption method is being used by OfBiz?
Or is the only safe approach to use XML import? If we use XML import, 
what are the absolute record limits per import file? I'm guessing 10,000 
records per file?

-- 
Dave Tenerowicz
dtenerowicz@salmonllc.com

Office: 303.493.6727
Mobile 303.906.6116
Fax 303.814.8330

Visit us at http://www.salmonllc.com

Re: importing encrypted credit card data

[Walter Vaughan <wv...@steelerubber.com>]

Dave Tenerowicz wrote:

> Or is the only safe approach to use XML import? 

disclaimer: I just sat through a credit card security webinar this afternoon and 
of course the purpose was to convince you that you should treat cc info like 
plutonium unless you buy a certain vendors black boxes, so of course now I see 
that its really impossible because of every nifty thing you should do (or could 
buy), I know of a way to defeat it.>

You can build a bridge entity that you populate your cc info into using normal 
database transfers, and let a service do the lifting for you. I believe the 
current Opentaps has a "dataimport" module in the hot-deploy directory that has 
the ability to import credit card numbers with parties.

http://www.opentaps.org/index.php?option=com_content&task=view&id=51&Itemid=78

We have built several import tools like this (with Si's help) that have a ton of 
customization and logic that we needed.

--
Walter

Re: importing encrypted credit card data

[David E Jones <jo...@hotwaxmedia.com>]

Check out the Entity Engine encryption stuff, which BTW isn't perfect but is pretty good.

-David


Dave Tenerowicz wrote:
> Thanks David. This is very helpful.
> How do we determine the encryption scheme and keys that OFBiz is using? 
> If we know what OFBiz is using, we can use the same scheme/key 
> combination to prepare the import files.
> 
> -Dave
> 
> David E Jones wrote:
>>
>>
>> Dave Tenerowicz wrote:
>>> Is there any way to import credit card data in an encrypted format, 
>>> so that OfBiz can properly decrypt the values?
>>> We need to import millions of credit card records into OFB, and would 
>>> like to do this directly to the database (SQL Server) without using 
>>> xml import. Can this be done? What encryption method is being used by 
>>> OfBiz?
>>
>> Quite possible, just have to find out which encryption scheme and 
>> key(s) have been used and make sure OFBiz is doing the same.
>>
>>> Or is the only safe approach to use XML import? 
>>
>> Can go either way. Just make sure with the XML import that it doesn't 
>> double-encrypt it...
>>
>>> If we use XML import, what are the absolute record limits per import 
>>> file? I'm guessing 10,000 records per file?
>>
>> In theory there is no limit. ;)
>>
>> -David
>>
>>
> 

Re: importing encrypted credit card data

[Dave Tenerowicz <dt...@salmonllc.com>]

Thanks David. This is very helpful.
How do we determine the encryption scheme and keys that OFBiz is using? 
If we know what OFBiz is using, we can use the same scheme/key 
combination to prepare the import files.

-Dave

David E Jones wrote:
>
>
> Dave Tenerowicz wrote:
>> Is there any way to import credit card data in an encrypted format, 
>> so that OfBiz can properly decrypt the values?
>> We need to import millions of credit card records into OFB, and would 
>> like to do this directly to the database (SQL Server) without using 
>> xml import. Can this be done? What encryption method is being used by 
>> OfBiz?
>
> Quite possible, just have to find out which encryption scheme and 
> key(s) have been used and make sure OFBiz is doing the same.
>
>> Or is the only safe approach to use XML import? 
>
> Can go either way. Just make sure with the XML import that it doesn't 
> double-encrypt it...
>
>> If we use XML import, what are the absolute record limits per import 
>> file? I'm guessing 10,000 records per file?
>
> In theory there is no limit. ;)
>
> -David
>
>

-- 
Dave Tenerowicz
dtenerowicz@salmonllc.com

Office: 303.493.6727
Mobile 303.906.6116
Fax 303.814.8330

Visit us at http://www.salmonllc.com

Re: importing encrypted credit card data

[David E Jones <jo...@hotwaxmedia.com>]

Passwords are different. They are not encrypted by the entity engine, they are done by the service so you'd have to run a service or something after the fact (not sure if this exists) to encrypt all passwords.

-David


Vince Clark wrote:
> David, can you clarify something about importing data via XML that needs
> to be encrypted?
> 
> Question is, do you import it as clear text and OfBiz will encrypt
> during the xml import? Or do you have to import the values as already
> encrypted?
> 
> If encryption is performed during the import, will it apply to any
> fields that need to be encrypted, for example user passwords?
> 
> We are performing a migration where we would want to export user records
> from an old system in clear text and import into OfBiz, performing the
> necessary encryption in the process.
> 
> David E Jones wrote:
>>
>> Dave Tenerowicz wrote:
>>> Is there any way to import credit card data in an encrypted format,
>>> so that OfBiz can properly decrypt the values?
>>> We need to import millions of credit card records into OFB, and would
>>> like to do this directly to the database (SQL Server) without using
>>> xml import. Can this be done? What encryption method is being used by
>>> OfBiz?
>> Quite possible, just have to find out which encryption scheme and
>> key(s) have been used and make sure OFBiz is doing the same.
>>
>>> Or is the only safe approach to use XML import? 
>> Can go either way. Just make sure with the XML import that it doesn't
>> double-encrypt it...
>>
>>> If we use XML import, what are the absolute record limits per import
>>> file? I'm guessing 10,000 records per file?
>> In theory there is no limit. ;)
>>
>> -David
> 

Re: importing encrypted credit card data

[Vince Clark <vc...@globalera.com>]

David, can you clarify something about importing data via XML that needs
to be encrypted?

Question is, do you import it as clear text and OfBiz will encrypt
during the xml import? Or do you have to import the values as already
encrypted?

If encryption is performed during the import, will it apply to any
fields that need to be encrypted, for example user passwords?

We are performing a migration where we would want to export user records
from an old system in clear text and import into OfBiz, performing the
necessary encryption in the process.

David E Jones wrote:
>
>
> Dave Tenerowicz wrote:
>> Is there any way to import credit card data in an encrypted format,
>> so that OfBiz can properly decrypt the values?
>> We need to import millions of credit card records into OFB, and would
>> like to do this directly to the database (SQL Server) without using
>> xml import. Can this be done? What encryption method is being used by
>> OfBiz?
>
> Quite possible, just have to find out which encryption scheme and
> key(s) have been used and make sure OFBiz is doing the same.
>
>> Or is the only safe approach to use XML import? 
>
> Can go either way. Just make sure with the XML import that it doesn't
> double-encrypt it...
>
>> If we use XML import, what are the absolute record limits per import
>> file? I'm guessing 10,000 records per file?
>
> In theory there is no limit. ;)
>
> -David

-- 
Vince Clark
Global Era
The freedom of open source.
(303) 493-6723
(303) 455-2409 fax
vclark@globalera.com <ma...@globalera.com>
www.globalera.com

Re: importing encrypted credit card data

[David E Jones <jo...@hotwaxmedia.com>]

Dave Tenerowicz wrote:
> Is there any way to import credit card data in an encrypted format, so 
> that OfBiz can properly decrypt the values?
> We need to import millions of credit card records into OFB, and would 
> like to do this directly to the database (SQL Server) without using xml 
> import. Can this be done? What encryption method is being used by OfBiz?

Quite possible, just have to find out which encryption scheme and key(s) have been used and make sure OFBiz is doing the same.

> Or is the only safe approach to use XML import? 

Can go either way. Just make sure with the XML import that it doesn't double-encrypt it...

> If we use XML import, 
> what are the absolute record limits per import file? I'm guessing 10,000 
> records per file?

In theory there is no limit. ;)

-David