Understand security features

This section describes the security features of Commerce.

Password security

Passwords for administration interface users and shoppers accessing the storefront are implemented using techniques that meet Oracle’s software security standards. See Secure your Commerce logins for information on changing the initial password for the administration interface.

User authentication

Internal users who want to access the administration interface provide their login credentials through an HTTPS request, which obtains an OAuth 2.0 bearer token. The token is then used to verify the authenticity of the user for subsequent requests. Registered shoppers requiring access to secure pages, such as their profile or checkout, are authenticated in the same way. See Configure Shopper Settings for information about configuring the length of a logged-in shopper session.

The administration interface automatically logs users out after a period of inactivity, to comply with the Payment Card Industry Data Security Standard (PCI DSS). By default, this period is 15 minutes. You can change this value by setting the sessionTimeout parameter using the saveAdminConfiguration endpoint in the Admin API. For example, to change the period to 30 minutes:

PUT /ccadmin/v1/merchant/adminConfiguration HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

{
    "sessionTimeout": 30
}

You can set sessionTimeout to any integer from 3 to 120. Note that this timeout period also applies to the access token that is returned when logging into the Admin API with login credentials. See Use the REST APIs for information about logging into the REST APIs.

Payment gateway integrations

As explained in this guide, Commerce has built-in integrations with CyberSource and Chase Paymentech for credit card processing. The security key and account information required for these integrations are encrypted using a symmetric 256-bit AES key. For more information on the secure handling of credit and debit card data, refer to Configure Payment Processing.

Oracle Commerce integrates with PayPal Express Checkout. Calls to PayPal are not given additional encryption for transmission, because the merchant ID and secret key are never exposed on the storefront: all calls to PayPal are made over HTTPS and performed on the server side. For more information, refer to Configure the PayPal integration.

Web Service APIs

Commerce includes REST web service APIs you can use to provide integrations and extensions of the administration interface and the storefront. These APIs are implemented using Jersey (JAX-RS) version 1.14.

The APIs use the OAuth 2.0 security framework for data exchange.

Developers register their application in Commerce, which generates a JWT (JSON Web Token) application key. If necessary, the key can be regenerated to revoke existing access. For more information, refer to Register applications.

Customer accounts

Shoppers can choose to become registered customers by creating accounts through your storefront. You configure the password requirements (for example, length and case) on the Shopper Settings page in the Commerce administration interface. It is highly recommended that you familiarize yourself with guidelines for strong passwords and set your storefront’s requirements accordingly.

If necessary, you can revoke account access for all registered customers by expiring all passwords. For more information, refer to Configure Shopper Settings.

Account information for registered customers is stored in a database-backed Commerce profile repository.

Webhooks

As described in this guide, Commerce can use webhooks to send JSON notifications to specified URLs each time an event occurs, for example, each time a shopper completes an order. The webhook contents are signed using HMAC, with SHA256 as the hash function and a secret key specific to your implementation. The key can be regenerated if necessary. For more information, refer to Use Webhooks.
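
A receiver-side check for the signing scheme described above, as an added example that is not Oracle's code. It assumes the signature arrives base64-encoded with the request (this page does not state the header name or encoding), uses constructed keys and a constructed order payload, and accepts the previous key for a rotation window after the key is regenerated.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample values, not real keys or real webhook content.
OLD_KEY = b"constructed-old-key"
NEW_KEY = b"constructed-new-key"
BODY = b'{"order":{"id":"o10001","state":"SUBMITTED"}}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact request bytes; base64 output is an assumption."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_webhook(raw_body: bytes, signature_b64: Optional[str],
                   secrets: List[bytes]) -> Optional[dict]:
    """Return the parsed JSON payload if the signature matches an accepted key.

    `secrets` holds the current key and, while a regenerated key is rolling
    out, the previous one. Returns None on any failure so callers reject.
    """
    if not signature_b64:
        return None  # unsigned requests are never processed
    try:
        received = base64.b64decode(signature_b64, validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed signature value
    matched = False
    for secret in secrets:
        expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
        # Constant-time compare; every key is checked so timing does not
        # reveal which key (if any) matched.
        matched |= hmac.compare_digest(expected, received)
    if not matched:
        return None
    try:
        # Parse only after authentication, and from the same bytes that
        # were verified, never from a re-serialized copy.
        return json.loads(raw_body)
    except json.JSONDecodeError:
        return None
```

Verify against the raw request body as received; re-serializing the JSON before computing the HMAC changes the bytes and makes valid signatures fail.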

PCI DSS compliance

Not all external systems you integrate with Oracle Commerce will comply with the Payment Card Industry Data Security Standard (PCI DSS). Oracle Commerce provides webhooks that exclude payment details from the order data you send to systems that do not comply with PCI DSS. For more information, refer to Understand webhooks and PCI DSS compliance.

CORS support

For security purposes, web browsers implement the same-domain policy, which prevents JavaScript on a page served from one domain from accessing resources on another domain. In some cases, you may want to selectively override this policy to allow specific domains to access data on your sites.

To make this access possible, Commerce supports CORS (cross-origin resource sharing), which is a standard mechanism for implementing cross-domain requests. For more information, refer to CORS support.