Setting Up Credit Card Encryption

This chapter provides an overview of credit card encryption and discusses how to:

Understanding Credit Card Encryption

PeopleTools Pluggable Cryptography is an advanced security framework that introduces a new security model for applications to encrypt and decrypt credit card data. This feature adds greater security to the credit card data handling system and upgrades existing credit card data.

Credit card encryption is available to PeopleSoft Enterprise CRM implementations that are integrated with PeopleSoft Enterprise Financials.

Strong Encryption

Pluggable Cryptography protects critical PeopleSoft data and enables more secure data communication with other businesses. It enables you to extend and improve cryptographic support for your data in PeopleTools. By incrementally acquiring stronger and more diverse algorithms for encrypting data, Pluggable Cryptography offers strong cryptography with the flexibility to change and grow.

Enhanced cryptography capability is provided by PeopleSoft pluggable encryption technology (PET), which employs 3DES algorithms and 168-bit encryption keys to secure data.

Features

Applying Pluggable Cryptography to your system:

Once upgraded, the system masks credit card numbers when it displays them. Before the upgrade, the system displayed all digits of a credit card number, whether the field was display-only or editable. The feature modifies the display to show only the last four digits, replacing each preceding digit with an X.

Standards

PeopleTools Pluggable Cryptography complies with the cardholder data protection requirements of the Payment Card Industry (PCI) Security Standards Council and with Visa's Cardholder Information Security Program (CISP). When you enable this feature, credit card numbers for external third-party payers, such as customers or students, are encrypted.

Note. This feature upgrades credit card numbers that are shared with PeopleSoft Financials or a third-party database; it does not upgrade those stored internally in the CRM database, such as company-owned or employee credit cards.

See Also

Enterprise PeopleTools 8.50 PeopleBook: Security Administration, “Securing Data with Pluggable Cryptography”

Understanding Credit Card Verification Number Encryption

To enhance the security of credit card transactions, the CRM system supports the inclusion of a verification number in the credit card authorization process. A verification number, also known as a card identification number, card authentication value, or card validation code depending on the card company, is a 3-digit or 4-digit code that is printed on the back or the face of the credit card. The number is uniquely associated with the card account number as well as the physical credit card. For transactional components that support credit card payments, a field is available to capture the verification number of the credit card. When a transaction paid by credit card is submitted, the specified credit card information and the verification number are sent to the authorization process.

In compliance with the guidelines recommended by the PCI Security Standards Council regarding sensitive authentication data, the verification number is removed permanently from the database once the authorization process completes (passed or failed). In situations where the card data is accepted but not immediately authorized (for example, future-dated orders that are saved in the database and not submitted until the order date is reached), the verification number is stored in an encrypted format and is masked with XXX when displayed in the field until the value is deleted after authorization.

Here is a list of transactional components that support credit card payments and accept a verification number for authorization processing:

Note. Because of its sensitive nature, the verification number is not stored or displayed in the section of the Person component where credit card entries are stored, nor is it passed to another system (for example, a supply chain system) through integration points.

Integration Technology

PeopleSoft Enterprise CRM uses the Integration Broker messaging technology (SOAP) to perform credit card authorizations with Cybersource (certified third-party vendor).

To facilitate message exchange between the PeopleSoft and Cybersource systems, an application engine program (CYB_SOAP_REQ) is used to transform authorization request and response messages to the appropriate format for the system that receives them.

The system delivers a node called PSFT_CYB in Integration Broker as part of the integration setup. This node contains the Cybersource-specific HTTP connector settings for contacting the authorization servers via SOAP as well as message transformation and routing settings.

Note. This SOAP-based integration uses core Integration Broker functionality that is available in all PeopleTools versions, which ensures backward and forward compatibility without reliance on third-party software support. Because it is native PeopleTools functionality, it is easier for customers to set up, deploy and maintain.

This integration uses SSL (Secure Sockets Layer) encryption.

Customers who use other non-Cybersource third-party vendors for credit card authorizations can also leverage this SOAP solution with few custom modifications. These changes include an updated node definition and routing properties for their vendors, and possibly a new transformation program (or an updated one based on the delivered transformation program) that formats messages circulating between PeopleSoft and their vendors. The underlying Enterprise Components message stubs and transaction triggers remain the same.

To avoid the potential issue of storing and displaying sensitive data in the Integration Broker logs and Service Operations Monitor, the log detail setting in the routing definition for the messages is set to No Logging as delivered.

General Settings for Credit Card Authorizations with Cybersource

A system-wide setting is available to make the credit card verification number mandatory for authorization processing. When the setting is enabled, an error message appears if the user fails to enter a verification number when the credit card transaction is being submitted for authorization. In the case of an order, it is put on credit card hold if the verification number is not present.

For security verification purposes, the CRM system requires that the Cybersource user ID, merchant ID and merchant key be provided on the Installation Options page. These fields are included in the SOAP message for security verification during credit card authorization.

See Setting Up General Options.

Cybersource SOAP Connectivity

Refer to the CRM installation guide for more information on how to set up the integration with Cybersource, which includes these high-level steps:

  1. Set up the web server with the SSL certificate provided by Cybersource and the new proxy server setting.

  2. Make sure to enter your Cybersource user ID, merchant ID and merchant key information on the Installation Options page.

  3. Make sure the PSFT_CYB node is set up properly (connector and routing information in particular) and activated.

  4. Test the connectivity using the Test Credit Card Interface component.

See PeopleSoft Enterprise Customer Relationship Management 9.1 Supplemental Installation Guide

See Also

Submitting Credit Card Information for Authorization

Managing Billing Information

Managing Shipping, Product, and Payment Options from the Checkout Page

Managing Account Balance and Payments

Implementing Credit Card Encryption

You must perform these tasks to implement the new functionality:

  1. Make sure that the PeopleSoft Financials database that you integrate with is set up to support credit card encryption.

  2. Secure the credit card component.

    See Securing the Credit Card Component.

  3. Upgrade existing credit card data.

    See PeopleSoft Enterprise Customer Relationship Management Upgrade, “Complete Database Changes,” Encrypting Credit Card Data

    Contact Global Support before attempting to upgrade your data, if you have customized your system in any of the following ways:

  4. Change the credit card encryption key.

    See Changing the Credit Card Encryption Key.

Securing the Credit Card Component

You must specify the user roles that have access to credit card components.

Securing the components involves these general steps:

  1. Add the Credit Card Component menu (CCENCRYPTION_MENU) to the appropriate permission list.

    See Adding CCENCRYPTION_MENU to a Permission List.

  2. Provide security for the new credit card components:

    See Providing Security for Credit Card Components.

  3. Provide security to the new portal registries:

    See Providing Security for the Portal Registries.

  4. (Optional) Change the security group for the FS_CC_CNVRT Application Engine process definition.

    See Changing the Security Group (Optional).

  5. Run the portal security synchronization process (PeopleTools, Portal, Portal Security Sync).

  6. Clear the application and web server caches.

Adding CCENCRYPTION_MENU to a Permission List

You must add CCENCRYPTION_MENU to the appropriate permission list. You may want to choose a security administration role.

See Also

PeopleSoft Enterprise PeopleTools 8.50 PeopleBook: Security Administration, “Setting Up Permission Lists,” Managing Permission Lists

Providing Security for Credit Card Components

To provide access to the new PeopleSoft components:

  1. Navigate to PeopleTools, Security, Permissions & Roles, Permission Lists, Pages.

  2. Add the menu name CCENCRYPTION_MENU.

  3. Click Edit Components.

    The Components page appears.

  4. Locate the FS_CC_UPGRADE component to which you want to grant access.

    (By default, no components are authorized when adding a menu.)

  5. Click the Edit Pages button for each component to which you want to grant access.

    The Page Permissions page appears.

  6. Specify the actions that a user can complete on the page.

  7. Click OK on the Page Permissions page, and then again on the Component Permissions page.

Note. Perform this procedure twice, once for the FS_CC_UPGRADE component and again for the FS_CC_CNVRT component.

See Also

Enterprise PeopleTools 8.50 PeopleBook: Security Administration, “Setting Up Permission Lists”

Providing Security for the Portal Registries

You must provide security for the new folder and content registries on the portal.

For Folder:

  1. Navigate to PeopleTools, Portal, Structure and Content.

  2. In the Folders list, click on the links Set Up CRM, then Utilities.

  3. Click the Edit link next to the Credit Card Encryption folder name.

  4. Click the Folder Security tab.

  5. On the Folder Administration page, select the permission lists that you want to have access to the Credit Card Encryption menu.

For Content Registries:

  1. Navigate to PeopleTools, Portal, Structure and Content.

  2. In the Folders list, click on the links Set Up CRM, then Utilities, then Credit Card Encryption.

  3. Click the Edit link for Upgrade Credit Card Numbers (FS_CC_UPGRADE_GBL).

  4. On the Security tab, make sure the permission list displayed corresponds to the CCENCRYPTION_MENU permission list.

  5. Repeat steps 3 and 4 for Change Encryption Key (FS_CC_CNVRT_GBL).

Note. When you complete all security tasks, delete your browser cache so that you can view the new portal registries in the menu navigation.

See Also

Enterprise PeopleTools 8.50 PeopleBook: Portal Technology, “Administering Portals”

Changing the Security Group (Optional)

You can optionally change the security group for the FS_CC_CNVRT Application Engine process definition.

To change the security group:

Changing the Credit Card Encryption Key

This section describes how to:

You can change the credit card encryption key at any time.

Page Used to Change the Encryption Key

Page Name: Credit Card Number Re-Encrypt

Definition Name: FS_CC_CNVRT

Navigation: Set Up CRM, Utilities, Credit Card Encryption, Change Encryption Key

Usage: Change the key used to encrypt credit card numbers. Run the utility to re-encrypt credit card numbers using a new encryption key.

Re-Encrypting Credit Card Data

To change the encryption key at any time after the initial conversion, you must first re-encrypt all credit card data.

To re-encrypt credit card data:

  1. If this is the first re-encryption following the initial conversion and you have not secured the FS_CC_CNVRT component, complete the steps in the “Securing the Credit Card Components” section in this chapter.

    See Securing the Credit Card Component.

    Complete the steps for the FS_CC_CNVRT component only. Securing FS_CC_CNVRT secures both the FS_CC_CNVRT component and the FS_CC_CNVRT portal registry.

  2. Navigate to Set Up CRM, Utilities, Credit Card Encryption, Change Encryption Key.

  3. Click the Generate Random Key button to generate a new random hexadecimal encryption key.

    You can modify the generated key, but you must format it as a 24-byte string in hexadecimal notation. The first two characters must be 0x, and the remainder must be exactly 48 characters and consist of both numeric digits and the lowercase letters a through f.

  4. If the values in the Re-encrypt Action column are not Decrypt, then Encrypt, click the Crypt Action button until Decrypt, then Encrypt appears in the column.

  5. Click the Run button to start the conversion process.

    The Credit Card Conversion process converts each field in the grid. If the process fails for any reason, you can restart the process; it will resume where it stopped. If you cannot restart the process, run it from the beginning. The system will bypass fields that have already been processed.

Changing the Encryption Key

Access the Credit Card Number Re-Encrypt page (Set Up CRM, Utilities, Credit Card Encryption, Change Encryption Key).

Crypt Action

Toggle the value in the Re-Encrypt Action column in the grid.

Generate Random Key

Generate a random key in the format needed by the encryption algorithms used for credit card encryption and decryption profiles.

(Encryption key)

If you want to modify the generated key or enter your own, you must format it as a 24-byte hex string. The first two characters must be 0x and the remainder must be exactly 48 characters that consist of both numeric digits and the lowercase letters a through f.

Record (Table) Name

Displays the record name.

Field Name

Displays the field name.

Re-Encrypt Action

Values include:

  • Decrypt, then Encrypt: Re-encrypt data currently encrypted with the Pluggable Cryptography credit card encryption profile.

  • No Action: Indicates that the utility has converted the record. If an error occurs and you rerun the process, records for which No Action is displayed are not reprocessed.
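The key format rule stated for the Generate Random Key step and for the (Encryption key) field can be checked before a hand-edited key is entered. The following is an added example, not PeopleSoft code; it assumes the character rule means the set 0-9 and a-f, and that the 24 bytes are the three 8-byte 3DES subkeys in K1, K2, K3 order, which lets it also flag keys that weaken 3DES below 168 bits.

```python
import re
import secrets

# Format stated on the page: "0x" followed by exactly 48 hex characters (24 bytes).
# Assumption: "numeric digits and the lowercase letters a through f" is read as the
# allowed character set, so uppercase A-F is rejected.
KEY_FORMAT = re.compile(r"0x[0-9a-f]{48}")


def _effective(subkey: bytes) -> bytes:
    """DES ignores the low (parity) bit of each key byte; drop it before comparing."""
    return bytes(b & 0xFE for b in subkey)


def check_key(text: str) -> list:
    """Return a list of problems with a candidate key; an empty list means it passes."""
    if not KEY_FORMAT.fullmatch(text):
        return ["format: expected 0x followed by exactly 48 characters from 0-9 and a-f"]
    raw = bytes.fromhex(text[2:])
    # Assumption: the 24 bytes are the three 8-byte DES subkeys K1 | K2 | K3 (EDE order).
    k1, k2, k3 = (_effective(raw[i:i + 8]) for i in (0, 8, 16))
    if k1 == k2 or k2 == k3:
        return ["strength: two adjacent subkeys match, so 3DES reduces to single DES"]
    if k1 == k3:
        return ["strength: K1 matches K3, which is two-key 3DES rather than 168-bit"]
    return []


def generate_key() -> str:
    """Generate a key in the page's format from the OS CSPRNG, rejecting weak layouts."""
    while True:
        candidate = "0x" + secrets.token_hex(24)
        if not check_key(candidate):
            return candidate


# Constructed sample keys for illustration only (not real key material).
SAMPLES = {
    "well formed": "0x0123456789abcdeffedcba98765432101122334455667788",
    "uppercase hex": "0x0123456789ABCDEFfedcba98765432101122334455667788",
    "repeated subkey": "0x" + "0123456789abcdef" * 3,
}

if __name__ == "__main__":
    for label, key in SAMPLES.items():
        print(label, "->", check_key(key) or "ok")
```
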

Synchronizing Re-Encrypted Data With PeopleSoft Enterprise Financials

Any change in CRM data requires that it be propagated to the PeopleSoft Financials database, which is described in the PeopleSoft PeopleBooks for your software release. Recommended references follow.

See Also

PeopleSoft Enterprise Components for CRM 9.1 PeopleBook, “Activating Messaging EIPs”

PeopleSoft Enterprise Components for CRM 9.1 PeopleBook, “Performing a Full Data Publish of Current Effective Data”

Data Integrations

Integrating with PeopleSoft Financial Management Services