Reference Guide

• Never: the session ID will never be included as an URL parameter.
• When transitioning between Secure and Non-Secure URLs: Non-secure pages generate unencrypted cookies that contain a session id. When you move to a secure page, the session ID is passed as an URL parameter and is copied to an encrypted cookie because PCI compliance requires that secure pages have separate cookies.
• Always: the session ID always appears as an URL parameter.

• The default list for newly installed stores is: aes-256-cbc,aes-128- cbc,bf-cbc
• When a store is upgraded to PR8 Update7, the list is initially blank. The software will use a cipher that is compatible with all versions of the Miva Merchant software.
• Only "cbc" mode ciphers are used for order encryption as of PR8 Update7, so they have to have "cbc" in the string somewhere:
• aes-256-cbc is AES256
• aes-128-cbc is AES128
• bf-cbc is 128-bit Blowfish (used by releases before PR8 Update7)

• Separate: Leave the JavaScript in separate files.
• Combined: Combine all of the JavaScript into a single file. Instead of loading a bunch of JavaScript files, the admin interface only has to load one.
• Combined and Minified: Combining and "mini-fying" theoretically further improves load time by removing all white space in the file. The admin interface only has to load one huge line of JavaScript.

The frequency with which the QR code authenticator application on your cell phone will generate an authorization code.

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (30).

See: http://en.wikipedia.org/wiki/Unix_time

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (0).

The number of recently generated authentication codes that you can enter to log into the admin interface.

Defaults to 1 (one before and one after the current authentication code). If you leave this field set at 1, you could use any of three authentication codes to log into the admin interface:

• The authentication code you are currently viewing on your cell phone.
• The previous authentication code.
• The next authentication code that you generate.

This mechanism for allowing more than one authentication code to be valid at the same time is used to handle the possibility that the clock on your cell phone is slightly different from the system clock on your store server.

If you set this field to "2", you could log into the admin interface using any one of five authentication codes:

• The authentication code you are currently viewing on your cell phone.
• The previous two authentication codes.
• The next two authentication codes that you generate.

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (1).

The length of the authentication code that you must enter to log into the admin interface.

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (6).

If the customer is on a non-SSL page in your store, Miva Merchant generates a non-secure session cookie. If the customer is on an SSL page in your on-line store, Miva Merchant generates a secure session cookie.

This field determines how long the secure session cookie is valid. The default is set to one year. Your cookie should always be set to a value higher than your Basket Timeout, otherwise a shopper could appear to lose a live basket.

Use this field to control the quality of jpg images that you upload. Reducing the image quality, even from 100% to 95%, can significantly reduce the image size.

• This field has no effect on any other format, such as .gif.
• This field has no effect over the "older" types of images, such as Legacy Images. This field only affects images that you uploaded as Additional Images or imported using Image Types. Miva supports the following extensions for admin image upload: gif, jpg, jpeg, jpe, xbm, png and pdf.

The Encryption field is only used if you are connecting to an external mail server.

• Plaintext: Credentials and emails are sent to the mail server in plain text.
• STARTTLS: Select this option to have credentials and emails encrypted if your mail server uses STARTTLS.
• SSL: Select this option to have credentials and emails encrypted if your mail server uses SSL.
• Port: the connection port on your mail server.

Non-secure Miva Merchant Cookie "domain", Non-secure Miva Merchant Cookie "path"

Depending on your service provider and the type of payments that you accept, your store may be examined routinely by a PCI scanner. A PCI scanner checks your on-line store for a number of potential issues, to make sure that your store is PCI compliant. One issue that PCI scanners look for is to see if secure (HTTPS) pages in your store are setting cookies that have the "secure flag" set.

See: http://en.wikipedia.org/wiki/HTTP_cookie for basic information about cookies and secure cookies.

If the scanner sees that you have a secure page which is setting a cookie without the secure flag, it may trigger a PCI compliance error. The settings is this section give you some control over how your store pages can set cookies.

• Set only on HTTP connections, without secure flag: If the customer is on a secure page in your store, they will only receive a cookie if it has the secure flag set. This is the default and the safest option. It is also the condition that PCI scanners check for, so if you keep this option, you will never get a secure flag error from a PCI Scanner.

This option assumes that you are using the Miva Merchant default SSL page settings. See Appendix 5: Default HTTP/HTTPS Pages for more information.

• Set on both HTTP and HTTPS connections, without secure flag: This option will allow secure and non-secure pages to set cookies without the secure flag. It is the least safe option and the one most likely to generate an error from a PCI scanner. Some Miva Merchant store owners have selected this option to correct a rare situation. If your store has a custom mixture of secure and non-secure pages, and a customer starts on a secure page and visits a non-secure page before checking out, it's possible that the basket could appear empty because Miva Merchant has lost the session ID associated with the basket. If you select this option the customer's basket (and cookie) should be ok, but you may trigger a false positive from the PCI scanner.
• Set only on HTTPS connections, with secure flag: Choose this option if you have modified your store so that every page uses SSL. Every cookie will have the secure flag set.
• If you select this option and you do not use SSL on all of your store pages, customers will not be able to go through checkout.

Secure Miva Merchant Cookie "domain:", Secure Miva Merchant Cookie "path:"

It is rarely necessary to change this setting. Periodically, Miva Merchant offers a public beta release of the Miva Merchant software. If you want to participate in the beta, you change your Upgrade Stream to beta.

When the beta becomes available, you click on the "Eligible for Updates" box and the beta will be downloaded to your store server. It is common for store owners to have a "development" store on their server, and a "production" store. Customers who are interested in the beta software download it to their development site, where it will not interfere with their production store. Please contact Miva Merchant customer support if you are not sure how to do this.