Announcement

Collapse
No announcement yet.

MivaPay and Customer Password Settings

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    MivaPay and Customer Password Settings

    Just noticed this on a 'newish' clients site:

    Customer Settings "Minimum Password Length" is set to one. I know its a VERY BAD idea since they are already storing CC numbers via Authnet CIM, but the real question is "can this work with Miva Pay". (Assuming that it might be checking for something reasonable).


    Bruce Golub
    Phosphor Media - "Your Success is our Business"

    Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
    phosphormedia.com

    #2
    Originally posted by Bruce - PhosphorMedia View Post
    Just noticed this on a 'newish' clients site:

    Customer Settings "Minimum Password Length" is set to one. I know its a VERY BAD idea since they are already storing CC numbers via Authnet CIM, but the real question is "can this work with Miva Pay". (Assuming that it might be checking for something reasonable).

    Interesting add-on question - why is the admin even allowing for a "Minimum Password Length" of less than what should be met for PCI Compliance (to pass the item(s) in the PA-DSS Checklist)?

    Password Minimum Length 7 Characters or Greater
    Passwords Require at Least one Letter and one Number or Punctuation Character
    Wouldn't it be a better practice to have these items "baked in"?
    Leslie Kirk
    Miva Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr

    Comment


      #3
      I was going to suggest too that it's probably a PCI issue rather than a MivaPay issue. They may be mutually exclusive. MivaPay has its own credentials (wall) to be able to interact with the "vault." My thought is you simply integrate MivaPay. The process will (or should) inform you of requirements during the integration process. So, if you MivaPay requires PCI-level passwords, it will tell you or not work at all. FWIW, I don't recall exactly, but I think I have had clients with MivaPay installed and the passwords were not PCI-level. But, I am pretty sure though that they weren't single character passwords.

      Slight tangent towards Leslie's comment. Maybe Miva Admin-level Users should have the PCI-level passwords "baked-in" at a minimum?

      Scott
      Need to offer Shipping Insurance?
      Interactive Design Solutions https://www.myids.net
      MivaMerchant Business Partner | Certified MivaMerchant Web Developer
      Competitive Rates, Custom Modules and Integrations, Store Integration
      AutoBaskets|Advanced Waitlist Integration|Ask about Shipping Insurance Integration
      My T-shirt Collection is mostly MivaCon T-shirts!!

      Comment


        #4
        MivaPay solves for this problem, because even is someone has access to your admin (due to a horrible 1 character password) they can't get any card data from the Miva Admin or database. So this is way better than any alternative method for storing cards they might use.

        In essence MivaPay's PCI Certification isn't dependent on the store being well configured. With that said, if the store got hacked and cards skimmed via a Magecart type JS attack(which would be the likely vector in the case being described here) then MivaPay's PCI Certification wouldn't actually protect the merchant from any liability.

        As a separate topic though, I will discuss with Product if we want to at some future upgrade start mandating better behaviors.
        Last edited by Rick Wilson; 04-11-21, 01:01 PM.
        Thanks,

        Rick Wilson
        CEO
        Miva, Inc.
        [email protected]
        https://www.miva.com

        Comment


          #5
          Well, if an admin had a 1 character password...I'd fire them :).

          My concern, even with MivaPay is, if someone hacks a customer's account, since they are going to use the 'store card' feature, the can order whatever they want.

          Just looking for more ammunition for when I bring this up with the client.
          Bruce Golub
          Phosphor Media - "Your Success is our Business"

          Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
          phosphormedia.com

          Comment


            #6
            Merchant has been receiving updates related to this, and several coming, to reduce the risk to fraudulent orders on compromised shpoper accounts, which are typically the result of compromised passwords of shoppers who use the same credentials everywhere. The changes will be designed to prevent unauthorized adding of new shipping addresses, changing the email address, etc.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com

            Comment


              #7
              Originally posted by ILoveHostasaurus View Post
              Merchant has been receiving updates related to this, and several coming, to reduce the risk to fraudulent orders on compromised shpoper accounts, which are typically the result of compromised passwords of shoppers who use the same credentials everywhere. The changes will be designed to prevent unauthorized adding of new shipping addresses, changing the email address, etc.
              Yea, perhaps an option to require Email verification on a change in address would be pretty easy to add and a relatively low stress task for customers.
              Bruce Golub
              Phosphor Media - "Your Success is our Business"

              Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
              phosphormedia.com

              Comment

              Working...
              X