You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ofbiz.apache.org by Dave Tenerowicz <dt...@salmonllc.com> on 2007/09/06 18:44:25 UTC
importing encrypted credit card data
Is there any way to import credit card data in an encrypted format, so
that OfBiz can properly decrypt the values?
We need to import millions of credit card records into OFB, and would
like to do this directly to the database (SQL Server) without using xml
import. Can this be done? What encryption method is being used by OfBiz?
Or is the only safe approach to use XML import? If we use XML import,
what are the absolute record limits per import file? I'm guessing 10,000
records per file?
--
Dave Tenerowicz
dtenerowicz@salmonllc.com
Office: 303.493.6727
Mobile 303.906.6116
Fax 303.814.8330
Visit us at http://www.salmonllc.com
Re: importing encrypted credit card data
Posted by Walter Vaughan <wv...@steelerubber.com>.
Dave Tenerowicz wrote:
> Or is the only safe approach to use XML import?
disclaimer: I just sat through a credit card security webinar this afternoon and
of course the purpose was to convince you that you should treat cc info like
plutonium unless you buy a certain vendors black boxes, so of course now I see
that its really impossible because of every nifty thing you should do (or could
buy), I know of a way to defeat it.>
You can build a bridge entity that you populate your cc info into using normal
database transfers, and let a service do the lifting for you. I believe the
current Opentaps has a "dataimport" module in the hot-deploy directory that has
the ability to import credit card numbers with parties.
http://www.opentaps.org/index.php?option=com_content&task=view&id=51&Itemid=78
We have built several import tools like this (with Si's help) that have a ton of
customization and logic that we needed.
--
Walter
Re: importing encrypted credit card data
Posted by David E Jones <jo...@hotwaxmedia.com>.
Check out the Entity Engine encryption stuff, which BTW isn't perfect but is pretty good.
-David
Dave Tenerowicz wrote:
> Thanks David. This is very helpful.
> How do we determine the encryption scheme and keys that OFBiz is using?
> If we know what OFBiz is using, we can use the same scheme/key
> combination to prepare the import files.
>
> -Dave
>
> David E Jones wrote:
>>
>>
>> Dave Tenerowicz wrote:
>>> Is there any way to import credit card data in an encrypted format,
>>> so that OfBiz can properly decrypt the values?
>>> We need to import millions of credit card records into OFB, and would
>>> like to do this directly to the database (SQL Server) without using
>>> xml import. Can this be done? What encryption method is being used by
>>> OfBiz?
>>
>> Quite possible, just have to find out which encryption scheme and
>> key(s) have been used and make sure OFBiz is doing the same.
>>
>>> Or is the only safe approach to use XML import?
>>
>> Can go either way. Just make sure with the XML import that it doesn't
>> double-encrypt it...
>>
>>> If we use XML import, what are the absolute record limits per import
>>> file? I'm guessing 10,000 records per file?
>>
>> In theory there is no limit. ;)
>>
>> -David
>>
>>
>
Re: importing encrypted credit card data
Posted by Dave Tenerowicz <dt...@salmonllc.com>.
Thanks David. This is very helpful.
How do we determine the encryption scheme and keys that OFBiz is using?
If we know what OFBiz is using, we can use the same scheme/key
combination to prepare the import files.
-Dave
David E Jones wrote:
>
>
> Dave Tenerowicz wrote:
>> Is there any way to import credit card data in an encrypted format,
>> so that OfBiz can properly decrypt the values?
>> We need to import millions of credit card records into OFB, and would
>> like to do this directly to the database (SQL Server) without using
>> xml import. Can this be done? What encryption method is being used by
>> OfBiz?
>
> Quite possible, just have to find out which encryption scheme and
> key(s) have been used and make sure OFBiz is doing the same.
>
>> Or is the only safe approach to use XML import?
>
> Can go either way. Just make sure with the XML import that it doesn't
> double-encrypt it...
>
>> If we use XML import, what are the absolute record limits per import
>> file? I'm guessing 10,000 records per file?
>
> In theory there is no limit. ;)
>
> -David
>
>
--
Dave Tenerowicz
dtenerowicz@salmonllc.com
Office: 303.493.6727
Mobile 303.906.6116
Fax 303.814.8330
Visit us at http://www.salmonllc.com
Re: importing encrypted credit card data
Posted by David E Jones <jo...@hotwaxmedia.com>.
Passwords are different. They are not encrypted by the entity engine, they are done by the service so you'd have to run a service or something after the fact (not sure if this exists) to encrypt all passwords.
-David
Vince Clark wrote:
> David, can you clarify something about importing data via XML that needs
> to be encrypted?
>
> Question is, do you import it as clear text and OfBiz will encrypt
> during the xml import? Or do you have to import the values as already
> encrypted?
>
> If encryption is performed during the import, will it apply to any
> fields that need to be encrypted, for example user passwords?
>
> We are performing a migration where we would want to export user records
> from an old system in clear text and import into OfBiz, performing the
> necessary encryption in the process.
>
> David E Jones wrote:
>>
>> Dave Tenerowicz wrote:
>>> Is there any way to import credit card data in an encrypted format,
>>> so that OfBiz can properly decrypt the values?
>>> We need to import millions of credit card records into OFB, and would
>>> like to do this directly to the database (SQL Server) without using
>>> xml import. Can this be done? What encryption method is being used by
>>> OfBiz?
>> Quite possible, just have to find out which encryption scheme and
>> key(s) have been used and make sure OFBiz is doing the same.
>>
>>> Or is the only safe approach to use XML import?
>> Can go either way. Just make sure with the XML import that it doesn't
>> double-encrypt it...
>>
>>> If we use XML import, what are the absolute record limits per import
>>> file? I'm guessing 10,000 records per file?
>> In theory there is no limit. ;)
>>
>> -David
>
Re: importing encrypted credit card data
Posted by Vince Clark <vc...@globalera.com>.
David, can you clarify something about importing data via XML that needs
to be encrypted?
Question is, do you import it as clear text and OfBiz will encrypt
during the xml import? Or do you have to import the values as already
encrypted?
If encryption is performed during the import, will it apply to any
fields that need to be encrypted, for example user passwords?
We are performing a migration where we would want to export user records
from an old system in clear text and import into OfBiz, performing the
necessary encryption in the process.
David E Jones wrote:
>
>
> Dave Tenerowicz wrote:
>> Is there any way to import credit card data in an encrypted format,
>> so that OfBiz can properly decrypt the values?
>> We need to import millions of credit card records into OFB, and would
>> like to do this directly to the database (SQL Server) without using
>> xml import. Can this be done? What encryption method is being used by
>> OfBiz?
>
> Quite possible, just have to find out which encryption scheme and
> key(s) have been used and make sure OFBiz is doing the same.
>
>> Or is the only safe approach to use XML import?
>
> Can go either way. Just make sure with the XML import that it doesn't
> double-encrypt it...
>
>> If we use XML import, what are the absolute record limits per import
>> file? I'm guessing 10,000 records per file?
>
> In theory there is no limit. ;)
>
> -David
--
Vince Clark
Global Era
The freedom of open source.
(303) 493-6723
(303) 455-2409 fax
vclark@globalera.com <ma...@globalera.com>
www.globalera.com
Re: importing encrypted credit card data
Posted by David E Jones <jo...@hotwaxmedia.com>.
Dave Tenerowicz wrote:
> Is there any way to import credit card data in an encrypted format, so
> that OfBiz can properly decrypt the values?
> We need to import millions of credit card records into OFB, and would
> like to do this directly to the database (SQL Server) without using xml
> import. Can this be done? What encryption method is being used by OfBiz?
Quite possible, just have to find out which encryption scheme and key(s) have been used and make sure OFBiz is doing the same.
> Or is the only safe approach to use XML import?
Can go either way. Just make sure with the XML import that it doesn't double-encrypt it...
> If we use XML import,
> what are the absolute record limits per import file? I'm guessing 10,000
> records per file?
In theory there is no limit. ;)
-David