This chapter provides an overview of credit card encryption and discusses how to:
Implement credit card encryption.
Secure the credit card components.
Change the credit card encryption key.
Synchronize re-encrypted data with PeopleSoft Enterprise Financials.
Understanding Credit Card Encryption
PeopleTools Pluggable Cryptography is an advanced security framework that introduces a new security model for applications to encrypt and decrypt credit card data. This feature adds greater security to the credit card data handling system and upgrades existing credit card data.
Credit card encryption is available to PeopleSoft Enterprise CRM implementations that are integrated with PeopleSoft Enterprise Financials.
Strong Encryption
Pluggable Cryptography protects critical PeopleSoft data and enables more secure data communication with other businesses. It enables you to extend and improve cryptographic support for your data in PeopleTools. By incrementally acquiring stronger and more diverse algorithms for encrypting data, Pluggable Cryptography offers strong cryptography with the flexibility to change and grow.
Enhanced cryptography capability is provided by PeopleSoft pluggable encryption technology (PET), which employs 3DES algorithms and 168-bit encryption keys to secure data.
Features
Applying Pluggable Cryptography to your system:
Improves the system's ability to protect credit card data during transfer and storage.
Upgrades existing credit card data.
Protects data during information display.
After the upgrade, the system masks credit card numbers when it displays them. Before the upgrade, the system displayed all digits of a credit card number, whether the field was display-only or editable. The feature modifies the display to show only the last four digits, replacing each preceding digit with an X.
Standards
PeopleTools Pluggable Cryptography complies with the cardholder data protection requirements of the Payment Card Industry (PCI) Data Security Standard and with Visa's Cardholder Information Security Program (CISP). When you enable this feature, credit card numbers for external third-party payers, such as customers or students, are encrypted.
Note. This feature upgrades credit card numbers that are shared with PeopleSoft Financials or a third-party database; it does not upgrade those stored internally in the CRM database, such as company-owned or employee credit cards.
See Also
Enterprise PeopleTools PeopleBook: Security Administration, “Securing Data with Pluggable Cryptography”
Implementing Credit Card Encryption
You must perform these tasks to implement the new functionality:
1. Make sure that the PeopleSoft Financials database that you integrate with is set up to support credit card encryption.
2. Secure the credit card component.
3. Upgrade existing credit card data.
   See PeopleSoft Enterprise Customer Relationship Management Upgrade, “Complete Database Changes,” Encrypting Credit Card Data
   Contact Global Support before attempting to upgrade your data, if you have customized your system in any of the following ways:
   - Added any records containing credit card number fields.
   - Added a credit card number field to any records.
   - Deleted any records found in the grid on the Upgrade Credit Card Numbers component.
   - Deleted a credit card number field from any records found in the grid on the Upgrade Credit Card Numbers component.
   - Customized the credit card encryption processing functionality in any way.
   - Changed whether or how any particular credit card field is encrypted.
4. Change the credit card encryption key.
Securing the Credit Card Component
You must specify the user roles that have access to credit card components.
Securing the components involves these general steps:
1. Add the Credit Card Component menu (CCENCRYPTION_MENU) to the appropriate permission list.
2. Provide security for the new credit card components:
   - FS_CC_UPGRADE
   - FS_CC_CNVRT
   See Providing Security for Credit Card Components.
3. Provide security to the new portal registries:
   - CREDIT_CARD_ENCRYPTION (Credit Card Encryption folder)
   - FS_CC_UPGRADE_GBL (Upgrade Credit Card Numbers content registry)
   - FS_CC_CNVRT_GBL (Change Encryption Key content registry)
   See Providing Security for the Portal Registries.
4. (Optional) Change the security group for the FS_CC_CNVRT Application Engine process definition.
5. Run the portal security synchronization process (PeopleTools, Portal, Portal Security Sync).
6. Clear the application and web server caches.

Adding CCENCRYPTION_MENU to a Permission List
You must add CCENCRYPTION_MENU to the appropriate permission list. You may want to choose a security administration role.
See Also
PeopleSoft Enterprise PeopleTools PeopleBook: Security Administration, “Setting Up Permission Lists,” Managing Permission Lists

Providing Security for Credit Card Components
To provide access to the new PeopleSoft components:
1. Navigate to PeopleTools, Security, Permissions & Roles, Permission Lists, Pages.
2. Add the menu name CCENCRYPTION_MENU.
3. Click Edit Components.
   The Components page appears.
4. Locate the FS_CC_UPGRADE component to which you want to grant access.
   (By default, no components are authorized when adding a menu.)
5. Click the Edit Pages button for each component to which you want to grant access.
   The Page Permissions page appears.
6. Specify the actions that a user can complete on the page.
7. Click OK on the Page Permissions page, and then again on the Component Permissions page.
Note. Perform this procedure twice, once for the FS_CC_UPGRADE component and again for the FS_CC_CNVRT component.
See Also
Enterprise PeopleTools PeopleBook: Security Administration, “Setting Up Permission Lists”

Providing Security for the Portal Registries
You must provide security for the new folder and content registries on the portal.
For Folder:
1. Navigate to PeopleTools, Portal, Structure and Content.
2. In the Folders list, click on the links Set Up CRM, then Utilities.
3. Click the Edit link next to the Credit Card Encryption folder name.
4. Click the Folder Security tab.
5. On the Folder Administration page, select the permission lists that you want to have access to the Credit Card Encryption menu.
For Content Registries:
1. Navigate to PeopleTools, Portal, Structure and Content.
2. In the Folders list, click on the links Set Up CRM, then Utilities, then Credit Card Encryption.
3. Click the Edit link for Upgrade Credit Card Numbers (FS_CC_UPGRADE_GBL).
4. On the Security tab, make sure the permission list displayed corresponds to the CCENCRYPTION_MENU permission list.
5. Repeat steps 3 and 4 for Change Encryption Key (FS_CC_CNVRT_GBL).
Note. When you complete all security tasks, delete your browser cache so that you can view the new portal registries in the menu navigation.
See Also
Enterprise PeopleTools PeopleBook: Internet Technology, “Administering Portals”

Changing the Security Group (Optional)
You can optionally change the security group for the FS_CC_CNVRT Application Engine process definition.
To change the security group:
1. Navigate to PeopleTools, Process Scheduler, Processes.
2. Select Process Name in the Search By field.
3. Enter FS_CC_CNVRT in the begins with field.
4. Click the Search button.
5. On the Process Definition page, select the Process Definition Options tab.
6. Modify the security group in the Process Groups grid.
Changing the Credit Card Encryption Key
This section describes how to:
Re-encrypt credit card data.
Change the encryption key.
You can change the credit card encryption key at any time.

Page Used to Change the Encryption Key
Page Name | Object Name | Navigation | Usage
 | FS_CC_CNVRT | Set Up CRM, Utilities, Credit Card Encryption, Change Encryption Key | Change the key used to encrypt credit card numbers. Run the utility to re-encrypt credit card numbers using a new encryption key.

Re-Encrypting Credit Card Data
To change the encryption key at any time after the initial conversion, you must first re-encrypt all credit card data.
To re-encrypt credit card data:
1. If this is the first re-encryption following the initial conversion and you have not secured the FS_CC_CNVRT component, complete the steps in the “Securing the Credit Card Components” section in this chapter.
   See Securing the Credit Card Component.
   Complete the steps for the FS_CC_CNVRT component only. Securing FS_CC_CNVRT secures both the FS_CC_CNVRT component and the FS_CC_CNVRT portal registry.
2. Navigate to Set Up CRM, Utilities, Credit Card Encryption, Change Encryption Key.
3. Click the Generate Random Key button to generate a new random hexadecimal encryption key.
   You can modify this key, but you must format it as a 24-byte string in hexadecimal notation. The first two characters must be 0x, and the remainder must be exactly 48 characters and consist of both numeric digits and the lowercase letters a through f.
4. If the values in the Re-encrypt Action column are not Decrypt, then Encrypt, click the Crypt Action button until Decrypt, then Encrypt appears in the column.
5. Click the Run button to start the conversion process.
   The Credit Card Conversion process converts each field in the grid. If the process fails for any reason, you can restart the process; it will resume where it stopped. If you cannot restart the process, run it from the beginning. The system will bypass fields that have already been processed.
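The key format given in the procedure above (and repeated in the field descriptions for the Change Encryption Key page) can be checked before a hand-edited key is entered. The following Python sketch is an added example, not PeopleSoft code: the function names are hypothetical, the character rule is read as a permitted character set, and the subkey check assumes the standard encrypt-decrypt-encrypt construction of 3DES, where equal subkeys reduce the effective key strength.

```python
import re
import secrets

# Format stated on this page: "0x" followed by exactly 48 characters,
# each a digit or a lowercase letter a-f (24 bytes in total).
KEY_RE = re.compile(r"0x[0-9a-f]{48}")


def generate_key() -> str:
    """Return a random 24-byte key in the page's format (OS CSPRNG)."""
    return "0x" + secrets.token_hex(24)


def _strip_parity(subkey: bytes) -> bytes:
    # DES ignores the low (parity) bit of each key byte, so two subkeys
    # that differ only in those bits are the same key to the cipher.
    return bytes(b & 0xFE for b in subkey)


def check_key(key: str) -> list[str]:
    """Return a list of problems; an empty list means the key passes."""
    if not KEY_RE.fullmatch(key):
        return ["format: expected 0x followed by exactly 48 characters 0-9, a-f"]
    raw = bytes.fromhex(key[2:])
    k1, k2, k3 = (_strip_parity(raw[i:i + 8]) for i in (0, 8, 16))
    problems = []
    if k1 == k2 or k2 == k3:
        # Assumption: EDE 3DES. Two adjacent equal subkeys cancel out.
        problems.append("adjacent subkeys equal: 3DES collapses to single DES")
    elif k1 == k3:
        problems.append("first and third subkeys equal: two-key 3DES, not 168-bit")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not real key material.
    samples = [
        generate_key(),
        "0x" + "AB" * 24,                       # uppercase is rejected
        "0x" + "01" * 8 + "00" * 8 + "23" * 8,  # K1 and K2 differ in parity only
    ]
    for s in samples:
        print(s[:10] + "...", check_key(s) or "ok")
```

Keys produced by the Generate Random Key button or by `generate_key()` pass these checks with overwhelming probability; the checks matter for keys that were typed or edited by hand.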

Changing the Encryption Key
Access the Credit Card Number Re-Encrypt page.
Crypt Action | Toggle the value in the Re-Encrypt Action column in the grid.
Generate Random Key | Generate a random key in the format needed by the encryption algorithms used for credit card encryption and decryption profiles.
(Encryption key) | If you want to modify the generated key or enter your own, you must format it as a 24-byte hex string. The first two characters must be 0x and the remainder must be exactly 48 characters that consist of both numeric digits and the lowercase letters a through f.
Record (Table) Name | Displays the record name.
Field Name | Displays the field name.
Re-Encrypt Action | Values include:
Synchronizing Re-Encrypted Data With PeopleSoft Enterprise Financials
Any change in CRM data requires that it be propagated to the PeopleSoft Financials database, which is described in the PeopleSoft PeopleBooks for your software release. Recommended references follow.
See Also
PeopleSoft Enterprise Components for CRM 9 PeopleBook, “Activating Messaging EIPs”
PeopleSoft Enterprise Components for CRM 9 PeopleBook, “Performing a Full Data Publish of Current Effective Data”
Integrating with PeopleSoft Financial Management Services