Changing Credit Card Encryption

To change the credit card encryption profile and run the encryption process, use the FS_CC_CNVRT component.

Encryption and decryption profiles determine the algorithm used to encrypt credit card numbers.

Page Name: Manage Credit Card Encryption Page

Definition Name: FS_CC_CNVRT

Usage: Change the profile ID used to encrypt and decrypt credit card numbers for all tables in your Financial and Supply Management system, and to re-encrypt credit card numbers using the new profile ID.

Note: Credit card encryption is needed only for systems using a traditional credit card implementation. It is not needed for systems using a third-party credit card payment processor in a hosted implementation.

PeopleTools Encryption Technology is an advanced security framework that provides a security model for applications to encrypt credit card data. The system encrypts data using algorithms and encryption keys. The system also modifies the display of credit card numbers to show only the last four digits: it displays an X in place of each digit of the credit card number other than the last four. This applies to credit card numbers that are display-only as well as those that are editable.

These steps must be performed in PeopleTools before you can generate new credit card encrypted numbers:

  1. Use the Administer Encryption Profile page to create the credit card profile.

    PeopleTools > Security > Encryption > Encryption Profiles

  2. Use the Algorithm Keyset page to create the Keyset ID and Key Text.

    PeopleTools > Security > Encryption > Encryption Algorithm Keysets

    • The Keyset ID on the Algorithm Keyset page should be the same as the SYMMETRICKEY field of the Administer Encryption Profile page.

    • The Key Text field on the Algorithm Keyset page should be the same for all Keyset rows for the encrypt and decrypt algorithm.

See also the product documentation for PeopleTools: Security Administration, “Securing Data with PeopleSoft Encryption Technology.”

Use the Manage Credit Card Encryption (FS_CC_CNVRT) page to change the profile ID used to encrypt and decrypt credit card numbers for all tables in your Financial and Supply Management system, and to re-encrypt credit card numbers using the new profile ID.

Navigation:

Set Up Financials/Supply Chain > Upgrade > Manage Credit Card Encryption

This example illustrates the fields and controls on the Manage Credit Card Encryption page. You can find definitions for the fields and controls later on this page.

When this process completes, all products begin to use the new encryption and decryption profiles.

Note: There is no run control ID for this process.

Field or Control

Description

Existing Encryption Profiles: Decryption Profile ID and Encryption Profile ID

Displays the last Profile ID that was used to encrypt and decrypt credit card numbers for all records and fields displayed in the table.

New Encryption Profiles: Decryption Profile ID and Encryption Profile ID

Select a new encryption profile ID for the search option. Profile IDs determine the algorithm used to encrypt credit card numbers. The options available to you are loaded by your system administrator using the Administer Encryption Profile page.

See Prerequisites to Generating New Credit Card Encrypted Numbers.

Validate Profiles

Select to validate the profiles selected. The system checks that the encryption keys are the same on the Algorithm Keyset page and updates the Profile Status field.

Note: If you receive a message saying, "Please verify Key Values for the selected Encryption/Decryption profiles", then the Key Text is not accurate on the Algorithm Keyset page for the Algorithm ID. Have your system administrator enter the same Key Text for all Keyset IDs of the encrypt and decrypt Algorithm Keyset.

See Prerequisites to Generating New Credit Card Encrypted Numbers.

Profile Status

Displays Pending after selecting New Encryption Profiles. When the Profile Status is Pending, the Run button is not enabled.

Displays Valid after selecting Validate Profiles and the key check is successful. When the Profile Status is Valid, the Run button is enabled.

Run

This button is not enabled until the Profile Status is Valid. Therefore, you must select the Validate Profiles button to validate the selected Profile IDs before you can re-encrypt the fields in the table below.

The Credit Card Conversion process converts each field in the grid. If the process fails for any reason, the process can be restarted in the standard way and the process picks up where it left off. If the process cannot be restarted, the process can be run from the beginning and it automatically bypasses fields that have already been processed.

To decrypt existing credit card data that was encrypted using the 3DES algorithm, you must run the credit card conversion process. Before you run the process, the existing 3DES encryption and decryption profiles are populated in the Existing Encryption Profiles group box on the credit card conversion process page. New encryption and decryption profiles that use AES algorithms can be selected in the New Encryption Profiles group box. Once they are selected and the conversion process is run, credit card data encrypted using the 3DES algorithm is decrypted and then re-encrypted with the profiles that use AES algorithms. The conversion process can be run multiple times to decrypt and re-encrypt using various algorithms.

If the original implementation has been customized in any way (for example, by replacing or altering the 3DES encryption), it is strongly recommended that the changes be thoroughly reviewed and validated before integrating or deploying the updated solution delivered in Patch 37384713. After uptake of this patch, existing credit card data encrypted using the 3DES algorithm will continue to be encrypted using the 3DES algorithm, as in the code below, provided the credit card conversion automatic encryption process is not run.

In the code below, if no row exists in PS_FS_CC_CNVRT_PRF, the system continues to use the PS_CREDIT_CARD_ENCRYPT encryption profile, which uses the 3DES algorithm for encryption. Likewise, it continues to use the PS_CREDIT_CARD_DECRYPT decryption profile, which uses the 3DES algorithm for decryption.

/* &FIELD1: clear-text credit card number (input); &FIELD2: encrypted value (output) */
Function encryptcc(&FIELD1, &FIELD2)
   Local boolean &UseStrongEncryption;
   Local string &encrypt_profile;
   Local Crypt &CCCrypt = CreateObject("Crypt");
   &UseStrongEncryption = True;
   &FIELD2 = "";
   
   If &UseStrongEncryption Then
      If All(&FIELD1) Then
         /* Profile written by the conversion process, if it has been run */
         SQLExec("SELECT CRYPT_PRFL_ID FROM PS_FS_CC_CNVRT_PRF", &encrypt_profile);
         If None(&encrypt_profile) Then
            /* No row: fall back to the 3DES encryption profile */
            &encrypt_profile = "PS_CREDIT_CARD_ENCRYPT";
         End-If;
         &CCCrypt.Open(&encrypt_profile);
         &CCCrypt.UpdateData(&FIELD1);
         &FIELD2 = &CCCrypt.Result;
      End-If;
   End-If;
End-Function;

/* &FIELD1: encrypted credit card value (input); &FIELD2: clear-text number (output) */
Function decryptcc(&FIELD1, &FIELD2)
   Local boolean &UseStrongEncryption;
   Local string &decrypt_profile;
   Local Crypt &CCCrypt = CreateObject("Crypt");
   
   &UseStrongEncryption = True;
   &FIELD2 = "";
   
   If &UseStrongEncryption Then
      If All(&FIELD1) Then
         /* Profile written by the conversion process, if it has been run */
         SQLExec("SELECT CRYPT_PRFL_DECRYPT FROM PS_FS_CC_CNVRT_PRF", &decrypt_profile);
         If None(&decrypt_profile) Then
            /* No row: fall back to the 3DES decryption profile */
            &decrypt_profile = "PS_CREDIT_CARD_DECRYPT";
         End-If;
         &CCCrypt.Open(&decrypt_profile);
         &CCCrypt.UpdateData(&FIELD1);
         &FIELD2 = &CCCrypt.Result;
      End-If;
   End-If;
End-Function;
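
A round-trip check of the active profile pair, as an added example that is not Oracle-delivered code: it resolves the profiles the same way encryptcc and decryptcc do, encrypts a constructed test value, and confirms that the decryption profile restores it. The function name CheckCCProfilePair and the test value are assumptions made for illustration.

```peoplecode
/* Added example (hypothetical helper, not delivered code).
   Returns True when the encryption and decryption profiles currently in
   effect form a working pair, for example after the conversion process
   has switched the system to new profiles. */
Function CheckCCProfilePair() Returns boolean
   Local string &encProfile, &decProfile, &cipherText, &plainText;
   /* Constructed test value, not real card data */
   Local string &testValue = "1234567890123456";
   Local Crypt &enc = CreateObject("Crypt");
   Local Crypt &dec = CreateObject("Crypt");
   
   /* Same lookup and fallback as encryptcc and decryptcc */
   SQLExec("SELECT CRYPT_PRFL_ID, CRYPT_PRFL_DECRYPT FROM PS_FS_CC_CNVRT_PRF", &encProfile, &decProfile);
   If None(&encProfile) Then
      &encProfile = "PS_CREDIT_CARD_ENCRYPT";
   End-If;
   If None(&decProfile) Then
      &decProfile = "PS_CREDIT_CARD_DECRYPT";
   End-If;
   
   /* Encrypt the test value with the encryption profile */
   &enc.Open(&encProfile);
   &enc.UpdateData(&testValue);
   &cipherText = &enc.Result;
   
   /* Decrypt the result with the decryption profile */
   &dec.Open(&decProfile);
   &dec.UpdateData(&cipherText);
   &plainText = &dec.Result;
   
   /* The stored form must differ from the input, and decryption must
      restore the input exactly; a mismatched key or profile pair fails here */
   Return (&cipherText <> &testValue And &plainText = &testValue);
End-Function;
```

Run the check in a non-production environment after changing profiles; a False result points to the same kind of mismatch that the Validate Profiles button reports for Key Text.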