Zed E-Commerce and WebCRM 7.5. Release Notes 11/29/2011



Similar documents
zed E-Commerce Release Notes

Table of Contents. Welcome Login Password Assistance Self Registration Secure Mail Compose Drafts...

MRU Secure Remote Access Service (SRAS) External User Guide

Sale Grammar School Remote Desktop Services User Instructions

Instructions For Opening UHA Encrypted

User Guide. The AMF's File Transfer Service (FTS)

MRU Secure Remote Access Service (SRAS) External User Guide

Web Conferencing Version 8.3 Troubleshooting Guide

Catapult PCI Compliance

Implementation Guide

Application Security Policy

VPN Web Portal Usage Guide

New Online Banking Guide for FIRST time Login

CUNY TUMBLEWEED (SECURE TRANSPORT) USER GUIDE

Startup guide for Zimonitor

PUBLIC. SAP Business One E-Commerce and Web CRM Administrator s Guide. Solutions from SAP. SAP Business One E-Commerce and Web CRM 6

Credit Card Security

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

PA-DSS Implementation Guide: Steps to ensure that your POS system is secure

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Are you having trouble logging in with a Username that contains special characters or spaces?

PCI Compliance Updates

RMFT Web Client User Guide

Sophos Mobile Control SaaS startup guide. Product version: 6

SpringCM Troubleshooting Guide for Salesforce

Installation and Setup Guide

Sophos UTM. Remote Access via IPsec Configuring Remote Client

Payment Application Data Security Standard

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

How to complete the Secure Internet Site Declaration (SISD) form

Vendor User Accounts managing your NAP User Account

Contents. Before You Install Server Installation Configuring Print Audit Secure... 10

Experian Secure Transport Service

Two-factor authentication Free portable encryption for USB drive Hardware disk encryption Face recognition logon

PA-DSS Implementation Guide. Version Document Owners. Approval Date: January 2012

How To Sync Google Drive On A Mac Computer With A Gmail Account On A Gcd (For A Student) On A Pc Or Mac Or Mac (For An Older Person) On An Ipad Or Ipad (For Older People) On

Citrix : Remediation - MAC

Recommended Browser Setting for MySBU Portal

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

SECURITY DOCUMENT. BetterTranslationTechnology

To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server 2008.

Frequently Asked Questions for logging in to Online Banking

paypoint implementation guide

Infor Xtreme Browser References

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

Using Access.Centegra.Com (Physician Access) Secure Remote Access from the Internet

NeuralStar Installation Guide

Criteria for web application security check. Version

Unipass Secur Client. User Guide v1.2

Release Notes for Websense Security v7.2

Using desktop ANYWHERE

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Vanguard Secure Service (VSES) User Guide

isupplygw Site Login Troubleshooting

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

DPH TOKEN SELF SERVICE SITE INSTRUCTIONS:

MSGCU SECURE MESSAGE CENTER

Manual. Netumo NETUMO HELP MANUAL Copyright Netumo 2014 All Rights Reserved

Single Sign-On Administrator s Guide

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

NETWRIX IDENTITY MANAGEMENT SUITE

MY HELPDESK - END-USER CONSOLE...

Resource Guide INSTALL AND CONNECT TO CISCO ANYCONNECT VPN CLIENT (FOR WINDOWS COMPUTERS)

Payment Card Industry (PCI) Data Security Standard

Instructions for Configuring Your Browser Settings and Online Security FAQ s. ios8 Settings for iphone and ipad app

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Advantage for Windows Copyright 2012 by The Advantage Software Company, Inc. All rights reserved. Client Portal blue Installation Guide v1.

Bode Collection Point Electronic DNA Sample Information Program Technical Specifications

Manual for configuring NIC VPN in Windows OS

FAQ. How does the new Big Bend Backup (powered by Keepit) work?

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

Sophos Mobile Control user help. Product version: 6.1

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

NETePay 5.0. FDMS Nashville. Installation & Configuration Guide. Part Number:

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

HHS Remote Access. End User Reference Guide VERSION 2.2

Novi Survey Installation & Upgrade Guide

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

What is WS_FTP? How WS_FTP Works

Payment Application Data Security Standards Implementation Guide

Request Manager Installation and Configuration Guide

Payment Card Industry (PCI) Data Security Standard

Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0

MyanPay API Integration with Magento CMS

Perceptive Intelligent Capture Solution Configration Manager

CDUfiles User Guide. Chapter 1: Accessing your data with CDUfiles. Sign In. CDUfiles User Guide Page 1. Here are the first steps to using CDUfiles.

Reference Guide for WebCDM Application 2013 CEICData. All rights reserved.

Configuring Internet Explorer for Voyager on Client Computers

Sophos UTM. Remote Access via PPTP Configuring Remote Client

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

How To Login To A Website On A Pc Or Mac Or Mac (For Pc Or Ipad)

MyNet FAQ s GETTING STARTED: Q: What is the MyNet website address? A:

BT Lancashire Services

Installation and Administration Guide

Baltimore County Public Schools Department of Information Technology Network Support Services System Engineering Document

Transcription:

Zed E-Commerce and WebCRM 7.5 Release Notes 11/29/2011

PA-DSS 2.0 Validated What is PA-DSS? (Payment Application Data Security Standard) The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). [1] PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN. In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS). To whom does it apply? The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

PCI and PA-DSS Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.

Changes required for validation - Storage and handling of credit card details - Encryption - Logging - User Authentication - Plug-in available to force use of https for all login, account details, and checkout traffic - Application or server level security against sql injection, cross-site scripting, buffer overflows

Storage and handling of credit card details Storage of the credit card number, CVC(card verification code) in the e-commerce and webcrm database has been removed. During checkout, credit card details are encrypted using dynamic encryption and only stored in web server session memory. After checkout completes or times out from inactivity, the data is removed. Wallet functionality(ability for customer to store payment information in their profile) has also been removed. Each time a customer checks out they will need to enter their credit card data, or choose another payment method.

Encryption Private keys are no longer used for data encryption in either the installer, synch manager or API. PA-DSS requires that at no time is a key stored in plain text, no one person can know the entire key, and in the event of a personnel change all keys must be changed. Users passwords are hashed Instances.xml connection strings are encrypted using dynamic key Web.config connection string is still optionally encrypted per choice during instance creation using IIS encryption Session cookies are encrypted

Logging Enhanced logging of user and super user actions and changes to system configuration. - Order placed - Bad password - Account locked out - Role definition changed and assigned - Credit Card Gateway config changed - Log viewed - Password changed

User Authentication Requirement of strong passwords, inactivity timeouts, and password expiration for all users. Unique userid s are enforced. No two users can use the same userid for login The value for email address is no longer read during login. A user can only use their email address for login when it is entered into the userid field when creating a new account

User passwords and synchronization Internal B1 users passwords are no longer displayed in plain text in a UDF in B1 and are not synchronized to B1. Business Partner Contact passwords are not updated in B1 after they have been changed in E-Commerce. Random passwords are assigned to Bp Contacts and Internal users upon initial synch.

User passwords and synchronization All users passwords can be changed by a super user, or with the Reset User program After a user logs in for the first time, or after their password has been changed by the Reset User tool, they will have to choose a new, strong password. Bp Contacts passwords can be set before the initial synch, after they login for the first time, a password change is required. Basically the requirement from PA-DSS is that at no time is any users password stored in plain text, and is only known to the user.

Upgrades Card numbers, expiry and CCV - Installer will decrypt, update using new dynamic key, then overwrite 3x to ensure original data is not retrievable via data forensics Users passwords are decrypted and then re-encrypted to one-way hash Private key is removed from instances.xml after data has been upgraded Web.config is recreated with private key removed Synch manager does not do any encryption, private key is removed from synchconfig.xml during upgrade step of running a synch

Compatibility Solution Component Compatible Notes SAP Business One 8.8.1 PL9 SAP Business One 8.8 PL22 Windows Server 2003 SP2 32-bit with IIS 6 64-bit was not tested, however no 64-bit related issues found with Server 2008 64-bit Windows Server 2008 R2 64-bit with IIS 7.5 Windows 7 (any edition) 32 or 64-bit with IIS 7 Windows Vista 32-bit or 64-bit with IIS 7 Not tested This was not tested, however, as Server 2008 uses IIS 7, there should not be any issues Windows XP SP3 32-bit or 64-bit with IIS 5.1 No SQL 2005 32-bit* 64-bit was not tested, however no 64-bit related issues found with Server 2008 64-bit SQL 2008 R2 64-bit* Google Chrome 10 Firefox 8 Internet Explorer 8 and 9 Version 8 may have minor display issues in the Admin Apple Safari 5

Changes Removed field for private key on instance list screen Removed private key from instance records in instances.xml Removed private key from web.config Delete verification code from userswallet and orderpayment tables Drop userswallet table Disable Back and Upgrade buttons while upgrade or installation is in process Updated icon for system task bar and title bar, desktop shortcut, and start menu item Added password validation to Reset User New background image in setup.exe program Remove private key parameter from NPAccount constructor Removed max user functionality from My Account > Fixed issue where order confirmation emails weren t being sent if account had more than 500 orders Fixed issue where order confirmation email error prevents remaining emails from sending Fixed issue where Messaging service does not work and throws event log error (object reference error) upon startup Commas not allowed in usernames Functionality to prevent password re-use added Implemented password expiration Prohibit auto-complete on password field on login.aspx Users must change password upon first login Queueing BP with Add multiple times will duplicate tax exemption records

Changes All passwords are reset upon forgot password request, removed config option Creating an account also now logs user in Prevent ReturnTo URL parameter from redirecting to external page Insecure webflow will redirect to non-ssl Prevent login and checkout pages from caching in the browser Webflow entries now trim trailing spaces Require that passwords contain at least one non-numeric character Users can no longer login with email address, only userid(which could also happen to be their email address) Removed password fields from user edit screen on my account section Removed username from change password screen Not synching passwords back to B1 Fixed issue with deleting user Fixed issue with renaming contact User can request password using userid Logout deletes all session data Including plug-in to enforce https on all login, checkout, my account pages

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information