We are currently using Magento Community 1.8.1 integrated with Authorize.net to handle our credit card transaction. We are employing AIM and have some questions regarding the handling of credit card data. We currently use MageStore's One Step Checkout extension to collect the credit card and customer date for an order and then it is passed to Authorize.net for processing.
Frankly, we are not sure of the data flow nor if any sensitive data is being stored in the Magento database, and if it is all the tables that are being used to do so. First and foremost is whether or not Magento is storing persistent credit card data in its database?
Our developers have identified two tables where credit card data is stored: sales_flat_quote_payment and sales_flat_order_payment. In neither of these tables does credit card or customer info appear in it's entirety. In sales_flat_quote_payment there are the last four digits of the credit card and everything is NULL in sales_flat_order_payment. So my second question is: are there additional tables where credit card data is being stored?
Ideally, we would prefer not having any sensitive credit card data in our back-end and would prefer that it all be managed and controlled by Authorize.net. We have been advised that implementing CIM (Customer Information Manager) would enable us to do that and would also mitigate a majority of the PCI compliance challenges by placing them in Authorize.net's court.
Any help here would be appreciated in terms of understanding how the default Magento/AIM functionality plays the Authorize.net and whether or not we are currently exposed to any kind of data theft with our current configuration would be greatly appreciated.
Solved! Go to Solution.
First turn off this feature. You never want to store data!
Your cc are stored here sales_flat_order_payment and could be in other tables. you will want your developer to check to make sure you have removed any and all data from Credit Cards
One more thing. The default CC storing does not tokenize it stores it as clear text so it is important to remove that data.
Braintree has a great extension that will allow you to accept CC and tokenize them
For online payment gateway like auth.net, magento does not store CC data in DB, its passed to payment gateway directly. Magento will only store encrypted full cc number for methods like saved cc.
Thanks...is this the default behavior or must we configure it to do this.?This is where part of the confusion lies. We are not sure what Magento is configured to do. New developers are on board and our previous developer left no documentation so we are reverse engineering what we have to understand how it works.
Its the default behavior, if you check Mage_Payment_Model_Method_Cc, you will notice there is a flag $_canSaveCc controls whether saving cc number, in saved cc its true, in most other payment class, this flag is false.
Magento definitely has PCI in mind.
Thanks for the info Brent. Do you know where we might find documentation that identifies all of the tables that might store this data? Our developers are doing a pretty good gob of reverse engineering our system, however it would be helpful if they had some documentation which identified tables that held this data, if for nothing else, a sanity check. Our greatest challenge is identifying them to make sure we don't have any of this sensitive data hiding any place. I'm not a developer nor do I have much exposure to Magento. However I can ask the right questions. Our main objective is to have all of our CC data stored in Authorize.net's CIM space.