Thread: Decrypting the CC on Customer WSI request

Upon using the WSI; upon getting the (buyer)customer xml result from WSI request, if the CC full number is returned encrypted, does the WSI have exposed decryption routine to decrypt CC number data?

This is fully supported (decrypt on WSI retrieval)...and documented in our WSI manual.

High traffic sites feeding into their own custom back-office/fulfillment systems needed this, so we added it about 9 mos ago.

see http://www.aspdotnetstorefront.com/manual/wsi for examples

i see this on a sample get orders (by ordernumber criteria) as response:

- on the top level order parent node i see this.

<Order OrderNumber="100000" ShowCardNumber="">

what is that node attrib - ShowCardNumber ???

- so under the child node of "order" - is this the full CC number node ???

<CardIssueNumber></CardIssueNumber>

- then i see this node here:

<Crypt>1</Crypt>

- is this a "control" type of node to return the CC number in decrypted form ???

- so if i would have to WSI GetOrder request, what would my request look like compared below ??? :


<AspDotNetStorefrontImport Verbose="false">

<Get Table="Orders" Name="Get1">

<XmlPackage>DumpCustomer.xml.config</XmlPackage>

<OrderBy>OrderDate asc</OrderBy>

<Criteria OrderNumber="11111"/>

</Get>

</AspDotNetStorefrontImport>

thx again for your prompt reply

Yup, very close. just missed how to specify show CC #'s:

Add this:

Code:

    <XmlPackage RuntimeParams="ShowCardNumber=true">dumporder.xml.config</XmlPackage>

----

Here is the full example 1 from WSI Get command documentation in the manual:

This example returns all "New" orders, and uses the default DumpOrder XmlPackage to format each order (Shape the output Xml Data) as it's returned. Multiple orders can be returned. The XmlPackage fires on "each" row in the result set to do formatting and processing. We are also passing in a RunTime param to tell the XmlPackage additional instructions.

Code:

<AspDotNetStorefrontImport Verbose="false">
  <Get Table="Orders" Name="Get1">
    <XmlPackage RuntimeParams="ShowCardNumber=true">dumporder.xml.config</XmlPackage>
     <OrderBy>OrderNumber asc</OrderBy>
     <Criteria IsNew="1" />
</Get>
</AspDotNetStorefrontImport>

If you wanted to you could add a new command to WSI that hides all this, but you'd need source to do that (e.g. <GetNewOrdersWithCC/>)...

This example also shows how XmlPackages are used/invoked by WSI often-times, to allow you to shape the resulting output Xml data. You can write your own new XmlPackages and upload them to the site, and invoke them also via WSI. This allows an almost unlimited way to get at data in the db, and then shape the resulting Xml.

For example. You could upload DumpOrderSlim.xml.config that just returned ordernumber,customername, etc...

that's all possible. then invoke that via WSI.

Same applies for almost any other table in the DB (Customer, Orders, Shopping Cart, Products, Entities, etc)...

In this case the ShowCardNumber attribute on the Xml can be ignored in the return. not really needed.

Also, remember, according to PABP, once you export full CC #'s from the encrypted db, you are assuming responsibility for the proper storage, management, encryption, deletion, and security of that information yourself (on whatever system is pulling them).

...although I am not seeing a result set even tho the OrderNumber is valid (the order numbers I was testing under is viewable via the admin sitemap view).

- Here is what the request I was sending looks like now:

Code:

 
<AspDotNetStorefrontImport Verbose="false">
 
<Get Table="Orders" Name="Get1">
 
<XmlPackage RuntimeParams="ShowCardNumber=true">DumpCustomer.xml.config</XmlPackage>
 
<DefaultWhereClause>OrderNumber=[sap_order_number]</DefaultWhereClause>
 
<Criteria OrderNumber="[sap_order_number]" />
 
<OrderBy>OrderNumber asc</OrderBy>
 
</Get>
 
</AspDotNetStorefrontImport>

Is there something else I need to troubleshoot before sending this request to get results via WSI ???

Again thx a mill for a prompt reply.

That request should work after you've replaced [sap_order_number] with the valid order number. It's formatted correctly.

Code:

<?xml version="1.0" encoding="utf-8"?>
<AspDotNetStorefrontImportResult Version="" DateTime="7/21/2008 9:22:50 AM">
  <Verbose Message="Import Starting" />
  <Verbose Message="Processing Get, Table=Orders, IDColumn=OrderNumber,    XmlPackage=DumpCustomer.xml.config, DefaultWhereClause=, OrderBy=OrderNumber asc" />
  <Get Table="Orders" Name="Get1" XmlPackage="DumpCustomer.xml.config" IDColumn="OrderNumber" DefaultWhereClause="" OrderBy="OrderNumber asc">
  <Criteria OrderNumber="100168" />
  <Verbose Message="SQL=select OrderNumber from  Orders  with (NOLOCK)  where OrderNumber=100168 order by OrderNumber asc" />
  </Get>
  <Verbose Message="Import Completed" />
</AspDotNetStorefrontImportResult>

On the result set, I need for ALL ROWS TO BE RETURNED, tho this one the SQL query seems to only return the OrderNumber. what do I need to do with this Orders request to get to what I need ???

Unfortunately, I am still not getting result set when I expect that I should, pls HELP.

Your DumpCustomer.xml.config is not prepared to handle that query. I think what you're looking for is DumpOrder. Here. Try this import and it should be fine:

Code:

<AspDotNetStorefrontImport Verbose="false">
<Get Table="Orders" Name="Get1">
<XmlPackage RuntimeParams="ShowCardNumber=true">DumpOrder.xml.config</XmlPackage>
<DefaultWhereClause>OrderNumber=100001</DefaultWhereClause>
<Criteria OrderNumber="100001" />
<OrderBy>OrderNumber asc</OrderBy>
</Get>
</AspDotNetStorefrontImport>

see the manual example, you don't need both of:

<DefaultWhereClause>OrderNumber=100001</DefaultWhereClause>
<Criteria OrderNumber="100001" />

they are redundant. the example I posted should workk, if you give it a valid orderNumber or use an IsNew=1 clause as in other examples in the manual, etc.

...as you have specified:

Code:

<AspDotNetStorefrontImport Verbose="false">
  <Get Table="Orders" Name="Get1">
    <XmlPackage RuntimeParams="ShowCardNumber=true">dumporder.xml.config</XmlPackage>
    <DefaultWhereClause>OrderNumber=[sap_order_number]</DefaultWhereClause>
    <OrderBy>OrderNumber asc</OrderBy>
    <Criteria IsNew="1" />
</Get>
</AspDotNetStorefrontImport>

I got everything I needed to build the customer data. Thx to you both.

I got one more Q?

I am getting the credit card number blanked out even tho during SF checkout I choose credit card visa and entered a cc#, but when I API for the affected ordernumber I am getting the cc# as empty string/blank.

I am using the node -->

Code:

<CardIssueNumber>n..</CardIssueNumber>

But I get it as blank. If this is the correct node I reference through the API result, what should I check to make sure this has data value??? thx in advance.

can you go verify that the CC # is indeed in the db record (encrypted of course). The customer could have overrideen storage of CC (required by PABP) and forced it's "non" storage. This is an instance where Visa PABP and processing cards "offline" is at conflict.

OK I have not checked the Orders table in columns "CardNumber" or "CardIssueNumber" but I did checked the AppConfig:StoreCCInDB and that is set to "false", should be "true".

Anyways, I think I will be settled from here. Thanks a million for all the insights to resolving this problem. You guys rocked!

Sorry to hijack a thread after the OP has apparently fixed his problem, but I'm trying to accomplish the same task and am running into similar problems and can't seem to figure it out.

My call is:

<AspDotNetStorefrontImport Verbose="false" MLDNN="true">
<Get Table="Orders" Name="Get1">
<XmlPackage RuntimeParams="ShowCardNumber=true">DumpCustomer.x ml.config</XmlPackage>
<DefaultWhereClause>OrderNumber=100000</DefaultWhereClause>
<OrderBy>OrderNumber asc</OrderBy>
</Get>
</AspDotNetStorefrontImport>

and the response I receive is:

<?xml version="1.0" encoding="utf-8"?>
<AspDotNetStorefrontImportResult Version="" DateTime="6/25/2009 4:09:18 PM">
<Get Table="Orders" Name="Get1" XmlPackage="DumpOrder.xml.config" IDColumn="OrderNumber" DefaultWhereClause="OrderNumber=100000" OrderBy="OrderNumber asc">
<Order OrderNumber="100000" ShowCardNumber="true" />
</Get>
</AspDotNetStorefrontImportResult>

Any guidence is appreciated.

Why are you using DumpCustomer on a call to get order info?

I'm not quite sure what you're trying to do.

Is there anyway to decrypt the credit card number, we don't have WSI here just StoreFront. As we do not manage the database server we cannot place WSi on the server (we are currently in the process of taking ownership of the server the DB sits on)

Not without using native AspDotNetStorefront methods built into AspDotNetStorefront. The encryption routines are hidden and not available, per PABP/PA-DSS/VISA/MC requirements. In the admin section, admin users with the proper permissions have the ability to view credit card numbers within the admin section if they've been stored, but you can't just decrypt the card numbers and export them to a document. These days, unless you have very very specific requirements, there is no reason to store the CC number. Most modern payment gateways will handle anything you throw at them and are capable of processing transactions without you needing to store the CC number. If you absolutely must store the CC number, make sure you're hosting environment is fully PCI compliant and that you are following all of our security best practices.

Ok I am entering this code

<AspDotNetStorefrontImport Verbose="false">
<Get Table="Orders" Name="Get1">
<XmlPackage RuntimeParams="ShowCardNumber=true">dumporder.xml. config</XmlPackage>
<XmlPackage>DumpCustomer.xml.config</XmlPackage>
<OrderBy>OrderDate asc</OrderBy>
<Criteria OrderNumber="129040"/>
</Get>
</AspDotNetStorefrontImport>

and getting in a new browser window the following

<?xml version="1.0" encoding="utf-8"?>
<AspDotNetStorefrontImportResult Version="" DateTime="26/11/2009 17:35:01">
<Get Table="Orders" Name="Get1" XmlPackage="dumporder.xml.config" IDColumn="OrderNumber" DefaultWhereClause="" OrderBy="OrderDate asc">
<Criteria OrderNumber="129040" />
<Order OrderNumber="129040" ShowCardNumber="true" />
</Get>
</AspDotNetStorefrontImportResult>

I'm very new to WSI so where exactly is the credit card number?.....

You could try this:

HTML Code:

<AspDotNetStorefrontImport Verbose="false">
<Get Table="Orders" Name="Get1">
<XmlPackage RuntimeParams="ShowCardNumber=true">dumporder.xml.config</XmlPackage>
<DefaultWhereClause>OrderNumber=[100137]</DefaultWhereClause>
<OrderBy>OrderNumber asc</OrderBy>
<Criteria IsNew="1" />
</Get>
</AspDotNetStorefrontImport>

Hi

This comes back with "This Operation has timed out".

I'm going to see if I can retouch the web.config file to docule check all the WSI settings.

I now get this

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.Configuration.ConfigurationErrorsException: WSE032: There was an error loading the microsoft.web.services3 configuration section. ---> System.Configuration.ConfigurationErrorsException: WSE040: Type AspDotNetStorefront.ASPDNSFUsernameTokenManager could not be loaded. Please check the configuration file. (C:\inetpub\wwwroot\Web\web.config line 192)
at System.Configuration.BaseConfigurationRecord.Evalu ateOne(String[] keys, SectionInput input, Boolean isTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult)
at System.Configuration.BaseConfigurationRecord.Evalu ate(FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult, Boolean getLkg, Boolean getRuntimeObject, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSe ctionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSe ction(String configKey, Boolean getLkg, Boolean checkPermission)
at System.Configuration.BaseConfigurationRecord.GetSe ction(String configKey)
at System.Web.HttpContext.GetSection(String sectionName)
at Microsoft.Web.Services3.Configuration.WebServicesC onfiguration.get_Current()
--- End of inner exception stack trace ---
at Microsoft.Web.Services3.Configuration.WebServicesC onfiguration.get_Current()
at Microsoft.Web.Services3.Configuration.WebServicesC onfiguration.get_MessagingConfiguration()
at Microsoft.Web.Services3.WseProtocol.ModifyInitiali zedExtensions(PriorityGroup group, SoapExtension[] extensions)
at System.Web.Services.Protocols.SoapServerProtocol.I nitialize()
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---

Any ideas?

You need to open up the ASPDNSFUsernameTokenManager.cs file, the #define statement needs to be added there. Find the '#if WSE3' line in the App_Code\ASPDNSFUsernameTokenManager.cs file and add the following line immediately above it:

HTML Code:

#define WSE3

Thanks a lot! This worked.