
Best Practices for Managing Credit Card Data

1. Changes to Encryption in Miva Merchant Version 9.0005

2. The Encryption Key Wizard

3. About Encrypting Payment Information

4. About Deleting Payment Information

5. Enabling Encryption in Your Store

6. To Delete an Encryption Key

7. Processing Existing Orders with the Encryption Key Wizard

8. Regular Archiving in the Manage Orders Screen

9. To View Encrypted Credit Card Information

A portion of the PCI-DSS (Payment Card Industry Data Security Standard) relates to encrypting your payment data. In most cases you are required to meet these standards, although they are also considered best practices:

  • Enable encryption in your store. After you enable encryption, payment information on new orders will be encrypted.
  • Encrypt existing payment information. If you have existing orders with unencrypted payment information, you have to encrypt the payment information on those orders.
  • Delete payment information from orders. PCI has several requirements for when you should delete payment information:
    • It is never acceptable to keep unencrypted credit card numbers in your database, even temporarily.
    • You should not keep credit card data longer than you need to. For example, the PCI standards let you keep credit card information to cover your return policy, or if you sell custom products that may be paid for in installments. However, you should delete credit card information when you no longer need it to process or refund an order.
    • Under no circumstances should you store payment information in your database for more than 1 year.
    • You may never store the entire stripe data (which includes the CVV code) even if it’s encrypted.

Changes to Encryption in Miva Merchant Version 9.0005

To improve security, the following payment modules in Miva Merchant 9.0005 will only store the last 4 digits of credit card numbers unless encryption is enabled.

  • Authorize.Net Payment Services v3.1
  • CHASE Paymentech Orbital Gateway
  • First Data Global Gateway
  • CyberSource
  • Intuit Merchant Services
  • PayPal Payments Advanced in Payflow Pro mode

If you enable encryption, you can configure the Payment Module to store the entire credit card number. You'll be able to view the encrypted credit card numbers by entering your passphrase.

Example - Using Authorize.Net Without and With Encryption

  1. We'll install the Authorize.Net module and configure it to store the entire credit card number. At the moment, we are not using encryption.
  2. A customer buys something in our store using their American Express card.

     We configured the Payment Module to save the entire credit card number, but since we aren't using encryption right now, only the last 4 digits are saved. Even after we enable encryption we won't be able to view the entire credit card number, since it wasn't written to the store database.

  3. Now we'll enable encryption (see To Enable Encryption in Your Store).
  4. A second customer buys a product in our store using their American Express card.

     Encryption is enabled and the Payment Module is set up to store the entire credit card number. The credit card number doesn't automatically display when we view the order, but we can see the entire number by clicking on the padlock icon and entering our passphrase.

Notes

  • Updating your store to Version 9.0005:
    • You may want to delay upgrading to Miva Merchant 9.0005 until you have verified that you have no processes or integrations that rely on unencrypted card numbers.
  • Credit Card Payment with Simple Validation:
    • In Miva Merchant 9.0005, the Credit Card Payment with Simple Validation module will not process payment unless encryption is enabled.
    • In a new 9.0005 store, the Credit Card with Simple Validation module will not appear on the list of available modules unless encryption is already enabled.
    • The 9.0005 upgrade will not install if Credit Card with Simple Validation is installed and there is no valid encryption key.

The Encryption Key Wizard

You can do all of your encryption tasks in the admin interface with a special utility called the Encryption Key Wizard. The main purposes of the Encryption Key Wizard are to:

  • Enable order encryption in your store by creating an encryption key.
  • Create new encryption keys. PCI standards require you to create a new encryption key every 365 days.
  • Remove payment information from orders (Archiving).

Note that the screens in the Encryption Key Wizard will be slightly different, depending on whether you have existing orders with credit card data in them.

If either of the following is true:

  • You don't have an encryption key.
  • You have an encryption key, but you don't have any orders with credit card data.

the wizard will only prompt you to create a new encryption key.

If either of the following is true:

  • You don't have an encryption key.
  • You have an encryption key, and you have at least one order with credit card data.

the wizard will prompt you to create a new encryption key and then allow you to:

  • Migrate orders (encrypt them), and/or
  • Archive orders (strip payment info)

About Encrypting Payment Information

Screenshots: editing an order with order encryption not enabled, and editing an order with order encryption enabled.

  • Only the payment information is encrypted, not the entire order.
  • You can view encrypted payment information in the clear as long as you have the encryption key passphrase to decrypt the order. It is impossible to decrypt the data without your passphrase.
  • You cannot remove encryption from existing orders. Although you can edit an order and temporarily view the payment information in the clear, once you encrypt payment information in an order, the encryption is permanent.
  • Miva Merchant encryption works by having you create an encryption key. The encryption key is a long alphanumeric string that the software uses as a seed for the encryption algorithm. It's important that you have a copy of your encryption key stored somewhere securely. If you forget what your encryption key is, you won't be able to complete several tasks in Miva Merchant. Only you will know your encryption key, and if you lose it or forget it, it can't be recovered, even by Miva Merchant staff.
  • The PCI standards require you to create a new encryption key every 365 days.

About Deleting Payment Information

  • In Miva Merchant, deleting payment information is called Archiving. Archiving doesn't remove orders from your store database. The only purpose of archiving is to strip payment information from orders.
  • You can remove payment information from orders in batch or from one order at a time. But once you remove payment information from an order it is permanently deleted.

Enabling Encryption in Your Store

You enable encryption in your store by creating an encryption key. As soon as you create the key, credit card data on new orders will be encrypted. You create the key with the Encryption Key Wizard.

Follow the steps in this section if you want to enable encryption in your store, and you do not have existing orders with credit card information.

But see also Processing Existing Orders with the Encryption Key Wizard.

Notes

  • In this section we've simplified the screens to make them easier to read.
  • It's important that you make a note of your encryption key passphrase and store it in a secure location. If you lose your passphrase, it cannot be recovered. You will either have to:
    • Remove payment information from all of the orders whose credit card information was encrypted (archiving), or
    • Leave the orders with encrypted credit card information in your database. You won't be able to view the credit card information when you edit an order.

To Enable Encryption in Your Store

  1. Go to Menu > Store Settings > Encryption Keys tab.
  2. In the Encryption Keys tab, click the Add Encryption Key button.
  3. Click Next.
  4. Enter a Prompt (a descriptive name) for the encryption key and click Next.

     The passphrase must:

     • Be at least 16 characters long.
     • Contain at least 1 non-numeric character, such as a punctuation mark.
     • Contain at least 1 letter or number.
     • Not be the same as the Prompt.

  5. Enter your passphrase and click Next.
  6. Click Next to confirm creation of the key.
  7. Click Close. Your key has been created. Encryption is now enabled in your store.

     The Reference Count column tells you how many orders have been encrypted with a key.
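The four passphrase rules in step 4 (the same list appears again in the Encryption Key Wizard procedure for stores with existing orders, below), as an added Python check. This is example code, not part of Miva Merchant or of this guide; the function names and the sample Prompt are chosen here.

```python
# Added example: the guide's passphrase rules as a reusable check.  Rules, from
# the "The passphrase must:" list: at least 16 characters, at least 1 non-numeric
# character, at least 1 letter or number, and not the same as the Prompt.
# Function names are chosen for this example, not taken from the product.

MIN_PASSPHRASE_LENGTH = 16


def passphrase_problems(passphrase: str, prompt: str) -> list:
    """Return the rules the passphrase breaks; an empty list means it is acceptable."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSPHRASE_LENGTH)
    # "non-numeric" covers letters, spaces and punctuation alike, so an
    # all-digit passphrase is the case this rule rejects
    if not any(not ch.isdigit() for ch in passphrase):
        problems.append("no non-numeric character")
    # punctuation-only passphrases fail this one
    if not any(ch.isalnum() for ch in passphrase):
        problems.append("no letter or number")
    # the guide states an exact match; the comparison is case-sensitive here
    if passphrase == prompt:
        problems.append("same as the Prompt")
    return problems


def is_acceptable(passphrase: str, prompt: str) -> bool:
    return not passphrase_problems(passphrase, prompt)


if __name__ == "__main__":
    prompt = "Store key 2017"  # constructed example Prompt
    for candidate in ["correct horse battery staple!", "1234567890123456",
                      "!!!!!!!!!!!!!!!!", "short1!", prompt]:
        print(repr(candidate), "->", passphrase_problems(candidate, prompt) or "OK")
```

Returning the list of broken rules rather than a bare yes/no lets the screen tell the administrator which rule to fix; an empty string fails three of the four rules at once.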

To Delete an Encryption Key

You cannot delete an encryption key if there are any orders with credit card information that were encrypted with that key. It's easy to find out if any orders are encrypted with the current key:

  1. Go to Menu > Store Settings > Encryption Keys tab.
  2. In the Encryption Keys tab, look at the Reference Count column. This is the number of orders that have been encrypted with the current key.
  3. Click on the encryption key to edit it.
  4. In the Edit Encryption Key screen, select the Orders tab. This tab shows the order number of every order whose credit card information was encrypted with the current key. Before you can delete an encryption key, you must either delete these orders or archive them, which removes the credit card information. There are several ways to do this, but you can archive and delete orders from the Menu > Order Processing > Orders tab.
  5. After you have deleted or archived all of the orders that were encrypted with the current key, go back to the Menu > Store Settings > Encryption Keys tab. You'll see that the Reference Count for the encryption key is now 0.
  6. To delete the encryption key, select it and click the Trash button.
  7. Encryption is now turned off in your store. Credit card information on new orders will not be encrypted.
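The two-customer walk-through earlier on this page and the Reference Count rule in the deletion procedure above, as an added Python model. This is example code, not Miva Merchant's own and not taken from this guide: `Store`, `Order`, `EncryptionKey` and `run_scenario` are names chosen here, the card number is a constructed test value, and the cipher (a PBKDF2-derived key driving an HMAC-SHA256 keystream) is an assumed stand-in, because the page does not describe the product's real cryptography or how it keeps the passphrase separate from the stored key.

```python
from __future__ import annotations
import hashlib, hmac, secrets
from dataclasses import dataclass

# Added example (not Miva Merchant code) of the rules this guide states: with no
# key only the last 4 digits are written; with a key the full number is stored
# encrypted and the key's Reference Count grows; archiving strips payment data;
# a key can be deleted only when its Reference Count is 0.  The cipher is an
# assumed stand-in (PBKDF2 key, HMAC-SHA256 keystream); the real one is not on the page.

def _derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, block = b"", 0  # HMAC-SHA256 in counter mode as the keystream
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class EncryptionKey:
    prompt: str
    salt: bytes
    verifier: bytes           # hash of the derived key, used to reject a wrong passphrase
    reference_count: int = 0  # the Reference Count column in the Encryption Keys tab

@dataclass
class Order:
    number: int
    card_last4: str = ""
    card_ciphertext: bytes = b""   # empty unless the full number was encrypted
    key_prompt: str | None = None  # which key encrypted card_ciphertext

class Store:
    def __init__(self):
        self.keys, self.orders, self.active_key, self._encrypting = {}, {}, None, None
    def add_encryption_key(self, prompt: str, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        material = _derive_key(passphrase, salt)
        self.keys[prompt] = EncryptionKey(prompt, salt, hashlib.sha256(material).digest())
        self.active_key = prompt
        # Held in memory only so checkout can encrypt; a real design would keep a
        # public key here so the server holds no decryption material.
        self._encrypting = material
    def record_payment(self, number: int, pan: str) -> Order:
        order = Order(number, card_last4=pan[-4:])  # last 4 digits are always kept
        if self.active_key is not None:
            nonce = number.to_bytes(8, "big")  # one order number, one nonce
            order.card_ciphertext = _keystream_xor(self._encrypting, nonce, pan.encode())
            order.key_prompt = self.active_key
            self.keys[self.active_key].reference_count += 1
        self.orders[number] = order
        return order
    def view_card_number(self, number: int, passphrase: str) -> str | None:
        """The padlock icon: decrypt only if the passphrase re-derives the key."""
        order = self.orders[number]
        if order.key_prompt is None:
            return None  # only the last 4 digits were ever written
        key = self.keys[order.key_prompt]
        material = _derive_key(passphrase, key.salt)
        if not hmac.compare_digest(hashlib.sha256(material).digest(), key.verifier):
            raise PermissionError("wrong passphrase")
        return _keystream_xor(material, number.to_bytes(8, "big"), order.card_ciphertext).decode()
    def archive(self, number: int) -> None:
        """Strip payment information; the order itself stays in the database."""
        order = self.orders[number]
        if order.key_prompt is not None:
            self.keys[order.key_prompt].reference_count -= 1
        order.card_last4, order.card_ciphertext, order.key_prompt = "", b"", None
    def delete_encryption_key(self, prompt: str) -> None:
        """Allowed only once no order still references the key."""
        key = self.keys[prompt]
        if key.reference_count:
            raise ValueError(f"{key.reference_count} order(s) still encrypted with this key")
        del self.keys[prompt]
        if self.active_key == prompt:
            self.active_key = self._encrypting = None

def _blocked(action) -> bool:
    try:
        action()
        return False
    except (PermissionError, ValueError):
        return True

def run_scenario() -> dict:
    """Replays the guide's two-customer example with a constructed test card number."""
    store, pan, pw = Store(), "4111111111111111", "correct horse battery staple!"
    first = store.record_payment(1001, pan)   # encryption not yet enabled
    store.add_encryption_key("2017 key", pw)
    second = store.record_payment(1002, pan)  # encryption enabled
    out = {"first_stored": (first.card_last4, first.card_ciphertext),
           "first_viewable": store.view_card_number(1001, pw),
           "second_hidden": second.card_ciphertext not in (b"", pan.encode()),
           "second_viewable": store.view_card_number(1002, pw),
           "wrong_passphrase_rejected": _blocked(lambda: store.view_card_number(1002, "nope")),
           "delete_blocked": _blocked(lambda: store.delete_encryption_key("2017 key")),
           "refs_before_archive": store.keys["2017 key"].reference_count}
    store.archive(1002)
    out["refs_after_archive"] = store.keys["2017 key"].reference_count
    store.delete_encryption_key("2017 key")
    out["encryption_off"] = store.active_key is None
    return out
```

`run_scenario()` replays the guide's example: the first order keeps only `1111`, and enabling encryption afterwards cannot recover the full number because it was never written; the second order is viewable only with the passphrase; deleting the key is refused until the order that references it has been archived, after which the Reference Count is 0 and the key can go. Because the stand-in cipher is symmetric, the model has to keep encryption material in server memory; a production design would encrypt with a public key so that only the passphrase-protected private half can decrypt.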

Processing Existing Orders with the Encryption Key Wizard

Follow the steps in this section if you want to enable encryption in your store, and you have existing orders with credit card information. You'll be able to:

  1. Create a new encryption key. Creating an encryption key enables order encryption in your store.
  2. Migrate orders. Migrating means encrypting the payment information in existing orders with the newly created encryption key. Only the payment information is encrypted. The rest of the order is unchanged.

     and/or

  3. Archive orders. Archiving means deleting payment information from existing orders. The order stays in your database. Only the payment information is deleted.

To Process Existing Orders with the Encryption Key Wizard

  1. Go to Menu > Store Settings > Encryption Keys tab.
  2. In the Encryption Keys tab, click the Add Encryption Key button. The Encryption Key Wizard will start.
  3. Click Next.
  4. Enter a Prompt (a descriptive name) for the encryption key and click Next.

     The passphrase must:

     • Be at least 16 characters long.
     • Contain at least 1 non-numeric character, such as a punctuation mark.
     • Contain at least 1 letter or number.
     • Not be the same as the Prompt.

  5. Enter your passphrase and click Next.

     In this screen you can migrate orders, archive orders, or both:

     • Migrate All: Encrypt all payment information in all existing orders.
     • Archive Shipped: Remove payment information from orders marked as shipped. Encrypt payment information in all other orders.
     • Archive All: Remove payment information from all existing orders.
     • Archive Older Than: Remove payment information from orders placed before the date that you select. Encrypt payment information in all other orders.

  6. Select an option and click Next.
  7. Click Next to confirm.
  8. Click Close. Your encryption key has been created. The migrate/archive options that you selected have been applied.
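The four Migrate/Archive choices in step 5, as an added Python decision function over a store's existing orders, together with the one-year cutoff from the retention rule at the top of this page (which is also what the Regular Archiving section below searches for by date). This is example code, not Miva Merchant's own: `OrderSummary`, `plan_wizard_actions`, `retention_cutoff` and the sample orders are constructed here; the option names are the wizard's.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example (not Miva Merchant code): the Encryption Key Wizard's four
# Migrate/Archive options as a decision function, plus the one-year cutoff that
# the page's "never more than 1 year" rule implies.  Option names are the
# wizard's; OrderSummary and the sample orders are constructed for this example.

MIGRATE, ARCHIVE = "migrate", "archive"
OPTIONS = ("Migrate All", "Archive Shipped", "Archive All", "Archive Older Than")


@dataclass(frozen=True)
class OrderSummary:
    number: int
    placed: date
    shipped: bool
    has_payment_info: bool  # already-archived orders have nothing left to process


def plan_wizard_actions(orders, option, older_than=None):
    """Map each order that still carries payment information to 'migrate'
    (encrypt it with the new key) or 'archive' (strip the payment information)."""
    if option not in OPTIONS:
        raise ValueError(f"unknown wizard option: {option!r}")
    if option == "Archive Older Than" and older_than is None:
        raise ValueError("Archive Older Than needs a cutoff date")
    plan = {}
    for o in orders:
        if not o.has_payment_info:
            continue
        if option == "Migrate All":
            plan[o.number] = MIGRATE
        elif option == "Archive All":
            plan[o.number] = ARCHIVE
        elif option == "Archive Shipped":
            plan[o.number] = ARCHIVE if o.shipped else MIGRATE
        else:  # Archive Older Than: "orders placed before the date that you select"
            plan[o.number] = ARCHIVE if o.placed < older_than else MIGRATE
    return plan


def retention_cutoff(today: date) -> date:
    """Payment data may never be kept for more than 1 year, so anything placed
    before this date is overdue for archiving."""
    return today - timedelta(days=365)


SAMPLE_ORDERS = (  # constructed sample data
    OrderSummary(1001, date(2015, 11, 2), shipped=True, has_payment_info=True),
    OrderSummary(1002, date(2016, 3, 15), shipped=True, has_payment_info=False),
    OrderSummary(1003, date(2016, 9, 30), shipped=True, has_payment_info=True),
    OrderSummary(1004, date(2016, 12, 20), shipped=False, has_payment_info=True),
)


def sample_plans(today=date(2017, 1, 10)):
    """Plan for every wizard option, using the retention cutoff as the date."""
    cutoff = retention_cutoff(today)
    return {opt: plan_wizard_actions(SAMPLE_ORDERS, opt, cutoff) for opt in OPTIONS}


if __name__ == "__main__":
    for option, plan in sample_plans().items():
        print(option, plan)
```

With the sample orders and a run date of 2017-01-10, the cutoff is 2016-01-11: only order 1001 is old enough to be archived under Archive Older Than, Archive Shipped archives the two shipped orders and migrates the unshipped one, and order 1002, already archived, is left alone by every option.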

Regular Archiving in the Manage Orders Screen

The Encryption Key Wizard is usually used only once a year, to enable encryption or update the encryption key in your store. If you'd like to archive payment data more often than when you change your encryption key, you should use Order Processing.

To Archive an Order

In this section we'll show you how to search for orders that are older than a given date and archive all of them.

  1. Go to Menu > Order Processing > Orders tab.
  2. In the Orders tab select Date Range, Exact Dates, and enter From and To dates covering one year.
  3. Select all of the orders, then click Archive.
  4. A message box will appear asking you to confirm the deletion of payment information. Click OK. In version 9.0005 and later you have the option of deleting payment information, shipping labels, or both.
  5. Payment information has been removed from the orders that you selected.

     Screenshots: the Payment display before archiving, and after archiving.

To View Encrypted Credit Card Information

If the credit card information on an order has been encrypted, you can't view the credit card data unless you know the encryption key passphrase. There are several ways to view encrypted credit card information.

In the Order Encryption Screen

  1. Go to Menu > Store Settings > Encryption Keys tab.
  2. In the Encryption Keys tab, edit an encryption key.
  3. In the Edit Encryption Key screen, select the Orders tab.
  4. In the Orders tab, edit an order.
  5. In the Edit Order screen, click on the padlock icon at the top of the Payment display.
  6. A dialog box will open and ask you to enter the passphrase. After you enter the passphrase that was used to create the encryption key and click Continue, you'll be able to view the credit card data.

In the Orders Screen

  1. Go to Menu > Order Processing > Orders tab.
  2. In the Orders tab, edit an order that has credit card information that was encrypted with the current key.
  3. In the Edit Order screen, click on the padlock icon. Enter the passphrase and click the Continue button. The Edit Order screen will refresh and will openly display the credit card information.

In Legacy Order Processing

  1. In the Universal Search field, enter "legacy", then select Legacy Order Processing from the results. Note that Legacy Order Processing can only be reached from the Universal Search field; you can't find it under the Menu button.
  2. In the Order Processing main screen, edit an order that has encrypted credit card information.
  3. In the Edit Order screen, enter the passphrase and click Update.
  4. After you enter the passphrase that was used to create the encryption key, you'll be able to select any of the order tabs.

Copyright © 2016 Miva, Inc - All Rights Reserved