Announcement

**Rick Wilson** · 06-01-12, 02:03 PM

Re: encryption requirement and/or removal of encrypttion

Yes you always need to have encryption enabled even if you don't store the card number.

**SunCam** · 01-18-14, 05:45 AM

Re: encryption requirement and/or removal of encrypttion

I don't retain or store credit card numbers and never have but I still need an up-to-date encryption key and passphrase. The one that I am using dates back to 2010 so it clearly must be replaced. The problem is that I cannot create a new one because I cannot remember the old one.

PCI-DSS requires that a strong passphrase be used containing 23 characters of gibberish and that it not be written down or stored. My brain is inadequate for that task and I am pretty sure that the requirements for nuclear missile launch codes are less stringent.

So, I'm stuck between two ridiculous PCI requirements, encrypting data that does not need encryption and memorizing my 23 character missile launch code.

Anyone have any ideas? I'll bet the guy that hacked into the Target database could help here.

**Rick Wilson** · 01-18-14, 09:50 AM

Re: encryption requirement and/or removal of encrypttion

Actually our tool can solve this problem. Just archive your old data and it'll let you update without knowing your old key.

If you need help, check the reference guide: www.mivamerchant.com/conference or contact support and they'll help.

**SunCam** · 01-18-14, 12:02 PM

Re: encryption requirement and/or removal of encrypttion

OK, so archiving just removes the payment information (which I do not retain anyway) but everything else is available for an end of month batch report. Archiving is not reversible so I am a little nervous about archiving ALL orders.

**Rick Wilson** · 01-18-14, 12:42 PM

Re: encryption requirement and/or removal of encrypttion

Correct, it only deletes the references to the payment data (such as your auth code and last 4) but you're right it's not reversable without restoring from backup.

**wajake41** · 01-19-14, 02:40 PM

Re: encryption requirement and/or removal of encrypttion

Hi Rick: This thread prompted me to look at our PA-DSS checklist. I see a number of fails there. Is there guidance provided by Miva as to how these fails can/should be resolved?
That Launch Encryption Key Wizard link at the bottom of the page scares the hell out of me. What kind of consequences might I encounter by doing that?
All help understand what this is about will be appreciated.
Larry

**Rick Wilson** · 01-19-14, 03:00 PM

Re: encryption requirement and/or removal of encrypttion

If you'd like email me a screen shot of your checklist and I'll point you in the right direction.

**wajake41** · 01-19-14, 03:13 PM

Re: encryption requirement and/or removal of encrypttion

Hi Rick: I just opened a support ticket on this:
"Hello support: I'm trying to clean up our PA-DSS checklist failures. Can you help me understand the following issues?
1. Primary Database not Located on Web Server: Shows it is on localhost. Why?
2. Primary Database Password Encrypted. How can this be fixed?
3. Private Keys Stored in Secondary Database. How is this fixed?
4. Private Key Database on Different Server Than Primary Database? How is this fixed?
5. Private Key Database Password Encrypted ???
6. Order Encryption Enabled For all Stores ???
7. Current Order Encryption Key Less Than 1 Year Old For all Stores Will this be fixed if #6 is fixed?
8. Current Order Encryption Key Created Post-Upgrade For all Stores Fixed with #6 above?

What does the encryption migration wizard do?"

The above are all fail that need fixingLarry

**Rick Wilson** · 01-19-14, 04:42 PM

Re: encryption requirement and/or removal of encrypttion

#1 has to do with where your dbase is located, support can help you with that.

The Migration wizard solves these:

2. Primary Database Password Encrypted. How can this be fixed?
3. Private Keys Stored in Secondary Database. How is this fixed?
4. Private Key Database on Different Server Than Primary Database?

How is this fixed? (this has to be fixed in conjunction with us moving #1 though)

5. Private Key Database Password Encrypted ???

Yes 6, 7 and 8 should all be fixed with adding (or updating) your encryption key.

**wajake41** · 01-19-14, 05:28 PM

Re: encryption requirement and/or removal of encrypttion

Hi Rick: Thanks for the response. I've asked support to do #1. I am familiar with dBase from 30 years ago. Are we talking some legacy file when you mention dbase or is this shorthand for the site's database?
Regarding the encryption key wizard: I tried this on our dev site but it didn't seem to fix any of the fails in the PA-DSS when i selected leave keys in current location.
After that I was also confused about where the encryption was to be stored. Is there a guide for this? I tried the mySQL storage but didn't have any idea about what to use for connection string or connection flags.
Still confused (as usual), Larry

**Rick Wilson** · 01-19-14, 05:43 PM

Re: encryption requirement and/or removal of encrypttion

I was using the term as shorthand for database, not dbase the standard.

The encryption key can be stored on the primary web server. It's the MySQL database that holds the rest of your data that needs to move to another server.

**wajake41** · 01-21-14, 02:47 PM

Re: encryption requirement and/or removal of encrypttion

Hi Rick:
Making progress with this:
Support has provided this link regarding the PA-DSS checklist: https://support.mivamerchant.com/sup...icle/View/1063 It's very helpful.

Now I'm down to two PA-DSS fails:
1. Primary Database not Located on Web Server: Shows it is on localhost.
2. Private Key Database on Different Server Than Primary Database.

Support says that #1 requires a dedicated server. Would like a confirmation of that.
Support says the #2 will be resolved by using the Encryption Key Migration Wizard. I tried that and was unsuccessful.

Bottom line: Can i live with these two fails?

Larry

**Rick Wilson** · 01-21-14, 03:09 PM

Re: encryption requirement and/or removal of encrypttion

I can't answer about your willingness or ability to live with those 2 fails. We don't require you to solve them.

#2 would be solved by solving #1.

**wajake41** · 01-21-14, 03:16 PM

Re: encryption requirement and/or removal of encrypttion

Hi Rick:
I guessing then that you are confirming that #1 requires a dedicated server as I was told by Hostasaurus support.
Larry

Announcement

encryption requirement and/or removal of encrypttion

encryption requirement and/or removal of encrypttion

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment