Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle encrypted card details #9

Open
greydnls opened this issue Mar 30, 2015 · 6 comments
Open

Handle encrypted card details #9

greydnls opened this issue Mar 30, 2015 · 6 comments
Labels
enhancement

Comments

@greydnls
Copy link
Contributor

From @alexw23 on February 18, 2015 21:56

Building out the eWay's new Rapid 3.1 Direct API. They have functionality to support client side encryption for those who don't want to forgo PCI-DSS compliance.

http://api-portal.anypoint.mulesoft.com/eway/api/eway-rapid-31-api/docs/client-side-encryption

The issue is I can't validate card as it doesn't contain any valid card details. This is what the card details turn up like.

["EWAY_CARDNUMBER"]=> string(353) "eCrypted:LkY4WI6HL/5JHWSLA4KIUnaGZCshOjxxQduNCkb59H3ZJCmKP3XoqsSxPbKak5Wr8VjQjGBV47fSsddLE+ks92gMBkj49QkrfjmMDUUrBl01biwNjNZ45Q7wQwi3UGBjTL19QIT5NLtzjXdwMfDl381ij0iR6Xc00fqG/OGPCg/2jsqDvuctRtQeJ0LhNA5Y1dJLH8BlY/DJL1L1K+cmg8bnM4InTXWUmTg/oTF4g+/kYdwYCBd6E64B+enZcuATFii79Jwz/EGfZcWGiyGjV2gpwCppSoIdXwVSrRu8l6tOnGXbqxxCNJpSvr0XLh9NzNulPr9hCKXP7cYxoyHnAA==" 
["EWAY_CARDCVN"]=> string(353) "eCrypted:KuvL5OuwKqfIyXBwMPTRQEw1LQFAAa1QJ5fI1oaj5Gk7Kr9TwjLKPC2tok7P7NfSlfvRMcAY3/lbx+zzKM9BYoDzDKHqezM8KutjR8DJ2NbPxs+ZhDoh9IdrYen7/dxIrQk4v9SmHAPHbGvF25jFEeHAnrg2ydI8NfJEqx83dSkgHzhLbXHxKnVB69LblzL0V+Nt3Qqy+UE7cfkU69ACuBJ1MfLrUXenLPHgdZWCCazGfhHa4kYBONXAgr90bb01N13KKP1KiZQIcGZt7XIB21CSTYDQ3twMXY/VO2H1A7yRFRRw/HpFsC7V6XAUdAc8IWHWFCBg6AbYp58cX/3ayA==" }

Copied from original issue: thephpleague/omnipay-common#32
@greydnls greydnls mentioned this issue Mar 30, 2015
Closed
@incarnate
Copy link
Contributor

I think what @alexw23 is after is a way to handle the encrypted card details with the CreditCard object. I'm not sure if any other gateway handles card details like this, which I'd imagine would be needed for a change to the generic omnipay-common library.

Given most of the card data is encrypted, the only test that would work in CreditCard's validate() function is the expiry data tests. While the validate function isn't designed to be called outside the gateway, a possible solution may be to decompose the function into component parts (validateExpiry etc.) - this could also be a means to adding some extra validation checks like for issue number & start date which aren't always required.

I guess it's a question as to how in-scope such changes would be for Omnipay, or if validation should be taken care of elsewhere.

@alexw23
Copy link
Contributor

alexw23 commented Mar 31, 2015

@incarnate I guess it really matters as to whether or not CSE will be a future trend in an effort to bypass PCI compliance.

Maybe the best method would be to have an encryptedCardNumber and encryptedCvc on the CreditCard object. This abstract field can then be used for future implementations of CSE.

In addition we could pass along the first 6 digits and last 4 digits which could later be pulled (when storing payment details to the database). This would also allow for getBrand and other similar functions to be used. As we have the first6/last4 the getNumberMasked function would remain to work (with some minor refactoring).

@eileenmcnaughton
Copy link
Contributor

My feeling is that CSE WILL be a future trend - isn't that what Stripe does? I think Authorize.net offers it too. Maybe Payment Express as well

@garhbod
Copy link

garhbod commented May 3, 2017

Does anyone have a fix for this yet? Maybe adding a public function to the CreditCard object called setEncryptedNumber That sets the number parameter but preserves non-numeric characters from being stripped out

@incarnate
Copy link
Contributor

No fix as yet.
There is issue thephpleague/omnipay-common#57 to provide a function for this which Graham flagged for version 3. I can see an alpha for v3 was released last week, so a good time to follow up there.

eileenmcnaughton added a commit to eileenmcnaughton/omnipay-eway that referenced this issue Nov 26, 2018
@eileenmcnaughton
Handle encrypted credit card details where supplied thephpleague#9
569ea14 
Eway already supports encryptedCardNumber as a paramter. However, that relies on the calling
code 'knowing' whether the card has been encrypted - which would not happen if a script blocker was
in play and is hard for the calling code to adapt to generically.

However, at this point in the code we know that if it is following the eway format for being encrypted
then it has been encrypted. I would note that it is supported by the Request object
not the credit card class but
a) that is already the case, this just makes it a bit simpler to use and
b) the encryptedCardNumber does not hold sensitive data in the same way that the 'card'
parameters do.

The upstream plan appears to be to have another class to handle this - in which case this bit of handling code
and the code that interacts with it could be updated later to reflect that
@eileenmcnaughton
Copy link
Contributor

I've added a PR which provides a way forwards on this with a very small amount of code - #29

It may be that the upstream solution suggests a better change later - but I don't think that should hold this up as it would stay internal to omnipay-eway and be invisible to the calling function

eileenmcnaughton added a commit to eileenmcnaughton/omnipay-eway that referenced this issue Nov 26, 2018
@eileenmcnaughton
Handle encrypted credit card details where supplied thephpleague#9
160650a 
Eway already supports encryptedCardNumber as a paramter. However, that relies on the calling
code 'knowing' whether the card has been encrypted - which would not happen if a script blocker was
in play and is hard for the calling code to adapt to generically.

However, at this point in the code we know that if it is following the eway format for being encrypted
then it has been encrypted. I would note that it is supported by the Request object
not the credit card class but
a) that is already the case, this just makes it a bit simpler to use and
b) the encryptedCardNumber does not hold sensitive data in the same way that the 'card'
parameters do.

The upstream plan appears to be to have another class to handle this - in which case this bit of handling code
and the code that interacts with it could be updated later to reflect that
eileenmcnaughton added a commit to eileenmcnaughton/omnipay-eway that referenced this issue Nov 26, 2018
@eileenmcnaughton
Handle encrypted credit card details where supplied thephpleague#9
4221cb9 
Eway already supports encryptedCardNumber as a paramter. However, that relies on the calling
code 'knowing' whether the card has been encrypted - which would not happen if a script blocker was
in play and is hard for the calling code to adapt to generically.

However, at this point in the code we know that if it is following the eway format for being encrypted
then it has been encrypted. I would note that it is supported by the Request object
not the credit card class but
a) that is already the case, this just makes it a bit simpler to use and
b) the encryptedCardNumber does not hold sensitive data in the same way that the 'card'
parameters do.

The upstream plan appears to be to have another class to handle this - in which case this bit of handling code
and the code that interacts with it could be updated later to reflect that
eileenmcnaughton added a commit to eileenmcnaughton/omnipay-eway that referenced this issue Nov 26, 2018
@eileenmcnaughton
Handle encrypted credit card details where supplied thephpleague#9
724b023 
Eway already supports encryptedCardNumber as a paramter. However, that relies on the calling
code 'knowing' whether the card has been encrypted - which would not happen if a script blocker was
in play and is hard for the calling code to adapt to generically.

However, at this point in the code we know that if it is following the eway format for being encrypted
then it has been encrypted. I would note that it is supported by the Request object
not the credit card class but
a) that is already the case, this just makes it a bit simpler to use and
b) the encryptedCardNumber does not hold sensitive data in the same way that the 'card'
parameters do.

The upstream plan appears to be to have another class to handle this - in which case this bit of handling code
and the code that interacts with it could be updated later to reflect that
eileenmcnaughton added a commit to eileenmcnaughton/omnipay-eway that referenced this issue Feb 18, 2019
@eileenmcnaughton
Handle encrypted credit card details where supplied thephpleague#9
801e656 
Eway already supports encryptedCardNumber as a paramter. However, that relies on the calling
code 'knowing' whether the card has been encrypted - which would not happen if a script blocker was
in play and is hard for the calling code to adapt to generically.

However, at this point in the code we know that if it is following the eway format for being encrypted
then it has been encrypted. I would note that it is supported by the Request object
not the credit card class but
a) that is already the case, this just makes it a bit simpler to use and
b) the encryptedCardNumber does not hold sensitive data in the same way that the 'card'
parameters do.

The upstream plan appears to be to have another class to handle this - in which case this bit of handling code
and the code that interacts with it could be updated later to reflect that
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@eileenmcnaughton @incarnate @greydnls @alexw23 @garhbod