Manual Processing

Manual Processing is designed for merchants that already have the ability to run credit card transactions manually, through a credit card terminal or by other means.

In order to handle e-commerce transactions for such a merchant, in a PCI compliant and secure way, we have developed the Manual Processing module for Shopp.

Security

To aid merchants in making their Shopp with Manual Processing secure, and PCI compliant, the Manual Processing add-on for Shopp only stores sensitive card data in a PCI compliant way, and only until the transaction is run. The PCI DSS requirements are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Manual Processing PCI

Most of the above requirements are responsibilities of the merchant and the hosting provider. Shopp with Manual Processing does satisfy some of these requirements.

  • Protect stored cardholder data
    Using strong asymmetric 1024-bit RSA encryption to store sensitive card data on the server prior to authorization, your customer’s data cannot be decrypted by a third party unless they have both the encrypted data and access to the merchant’s private decryption key.
  • Protect stored cardholder data
    The private decryption key is never stored on the same server as the public encryption key. This means that even if your server is compromised, the existing stored data cannot be decrypted.
  • Protect stored cardholder data
    Encrypted sensitive data is destroyed after one-time decryption. In order to ensure that your customer’s data is never kept after the transaction is run, the encrypted sensitive data is automatically destroyed on the server immediately as it is decrypted for one-time viewing by the merchant. After the sensitive data has been destroyed, there is no way to gain access to either the encrypted or decrypted content again.
  • Encrypt transmission of cardholder data across open, public networks
    SSL is required, and sensitive data is never transmitted over a non-secured connection; it remains encrypted until it is programmatically decrypted in the merchant’s browser.
  • Restrict access to cardholder data by business need-to-know
    Even if a non-privileged user were to gain access to the merchant’s browser, they must be authenticated as the merchant’s account in WordPress in order for Shopp to serve the encrypted content. This means that merely having physical access to your computer is insufficient to compromise your customer’s data.
  • Restrict access to cardholder data by business need-to-know
    Shopp enforces Administration over SSL in the WordPress admin when Manual Processing is activated, so that the merchant’s password is transmitted securely to the server. In this way, a third party with access to your network cannot obtain the merchant’s login by sniffing your network traffic.
  • Restrict access to cardholder data by business need-to-know
    Shopp 1.1 provides the ability to granularly control which WordPress users have access to sensitive financial information by implementing full Roles and Capabilities support (http://codex.wordpress.org/Roles_and_Capabilities) and new Shopp-specific capabilities. By default only the Administrator and Shopp Merchant roles have access to the encrypted data of Manual Processing orders. All other WordPress users who have access to Shopp Orders (have the shopp-orders capability) will only see PCI compliant redacted cardholder information.

Requirements

> Although Internet Explorer 8 or later will work with Manual Processing, Internet Explorer is not recommended for use as the merchant browser for performance and security reasons.

  • Website running in SSL mode with a dedicated IP.
  • PHP must be compiled with OpenSSL support enabled.
  • PHP OpenSSL must be configured with 1024-bit key default, see OpenSSL installation instructions for more information.
  • Setup requires Administration over SSL, and this is enforced after Manual Processing is enabled.
  • For the merchant browser, you must use Opera 10.50, Google Chrome 5, Apple Safari 4, Mozilla Firefox 3.6, Internet Explorer 8, or a later version of these browsers.
  • The merchant computer and browser must be located behind a hardware firewall and inaccessible from the Internet for security reasons, and this system must have anti-virus and anti-spyware software installed with current, up-to-date anti-malware patterns.
  • The server and merchant systems must be located in a physically secured environment, and on different secured networks.

Installation

  • Uncompress the add-on files
  • Upload the folder (directory) and all its contents to your Shopp add-ons folder (directory) under: .../wp-content/shopp-addons

Setup

> Important: These steps should be performed by the merchant/administrator from the computer/browser that will be used to decrypt sensitive card data for authorization.

  1. Add Manual Processing to your Payment Settings under WordPress Admin → Shopp → System → Payments.
  2. Click Generate Keys to create the server’s public encryption key; the merchant private key will be installed in the browser and downloaded for backup purposes. Keep this backup in a secure location. It will be needed to restore the private key to the merchant browser, or to migrate the private key to other browsers for users with a business need to access cardholder data.
  3. Click Finish to save the public key to the server.

Troubleshooting

Key Creation Fails

If the key-pair creation fails, it is possible that your hosting provider does not have an OpenSSL configuration installed for use with PHP. Contact your system administrator or refer to OpenSSL Configuration and OpenSSL Installation on PHP.

If you have a valid openssl configuration file, but are unable to change the configuration used by your hosting provider, you may use the SHOPP_OPENSSL_CONF macro to specify one, as shown below.

In your wp-config.php file in your WordPress root, add the following line:

define('SHOPP_OPENSSL_CONF', '/path/to/your/openssl.conf');

If this openssl configuration file is valid, your key creation should be successful. See example openssl.conf file.

Internet Explorer

During decryption, you are getting an error message:

A script on this page is causing Internet Explorer to run slowly.

This is due to the amount of computation required by the front-end JavaScript of the Manual Processing module to perform decryption in Internet Explorer. Windows periodically polls IE to determine whether a script has caused it to become unresponsive, and the decryption scripts in Manual Processing are computationally intensive enough to reach that threshold. To adjust the threshold in Internet Explorer, see Microsoft Knowledge Base article 175500.

Backups

We recommend that you back up your files and database regularly. For a complete (commercial) WordPress plugin backup solution, try BackupBuddy – WP backup, restore, migration plugin. We’ve found it to be invaluable for our site.

Reinstallation fails

If you are attempting to install or reinstall a private.pem (private key file) in your browser, the following must be true:

  1. The public key currently stored in your Manual Processing settings matches the private key file you are attempting to install.
  2. The upload of the private.pem file succeeded

If your first attempt to upload the private.pem file is unsuccessful, and you know it is the correct private.pem file, try reloading the Payment Settings page, and attempt again. Intermittent upload problems may occur.

If you have for some reason lost your ManualProcessing setting, and are attempting to install a previously used private.pem file, this is not possible through the Payment Settings. Once the store public key matching the private.pem key file is lost, it cannot be easily restored.

Lost private key, unable to decrypt a transaction

If you have no browser with the correct private key installed, and have transactions that are encrypted, the following steps must be taken:

  1. Locate the private key PEM file matching the currently stored public key (This public key must have been the key used to encrypt your transactions for this to succeed.)
  2. In the desired/supported browser, log into your WordPress Admin as the Administrator user.
  3. In the Admin navigate to Shopp → System → Payments, and click the edit link for the Manual Processing payment module.
  4. Click the Reinstall Key button to open a file dialog window.
  5. Select the correct private.pem file from your backup files, and upload the file.
  6. If this fails, reload the Payment Settings page, and attempt once more.

Starting Fresh

In order to wipe out your ManualProcessing settings, and start over, consult your developer to temporarily (needed to run only once) add the following code to your WordPress theme’s functions.php file:

Warning: Once ManualProcessing settings have been removed, you will be unable to decrypt existing transactions. You must contact your customer to have them attempt their order again after completing ManualProcessing setup again.

add_action('shopp_setup_payments_init','wipe_out_manual_processing_settings');
function wipe_out_manual_processing_settings() {
    // Removes the stored ManualProcessing setting (including the public key)
    shopp_rmv_setting('ManualProcessing');
}

Load the Payment Settings page one time, and then remove the above code. This will delete the current public key setting from the module, and allow you to start from scratch.

Alternatively, if you have access to your MySQL database, and can run queries on your database, run the following query:

Warning: Manually deleting records from your MySQL database is extremely dangerous. Only perform this step if you have authority to perform the action, understand what you are doing, have a full backup of your database, and take full responsibility for any negative outcome yourself.

Substitute your shopp_meta table name if your WordPress prefix is not wp_.

DELETE FROM wp_shopp_meta WHERE type='setting' AND name='ManualProcessing' LIMIT 1;

After removing the setting (by either method), you may setup your Manual Processing module from scratch from your WordPress admin under Shopp → System → Payments.

Private Key file did not download

During key generation, after clicking the Generate Keys button but before you click the Finish button, a private.pem file should be downloaded by your browser. If this does not happen, view the source code of the page and locate the line that says dlurl. This line in the source code contains the URL used to download the private key. Copy and paste it into another browser tab to download the private key file.

If this does not work, paste this URL, along with any errors that appear when you attempt to load it in your browser, into a support ticket on the Help Desk (not in the public forum), and ask them to troubleshoot your site. You may need to provide the administrator username and password for your WordPress admin to proceed.

I’ve lost my settings and only have a private key file

This is difficult and may require a technically skilled individual. Contact your web developer if you need assistance.

If you have no encrypted transactions waiting to be processed, the best course of action is to follow the steps outlined in Starting Fresh above. Otherwise, perform the following carefully:

First, from the command line of a computer that has openssl tools installed, execute the following command:

$ openssl rsa -in private.pem -pubout

This will output something like:

writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEAcirjAWEDKzv6trK5zS7FFV
Ef1mxP3bCW0vKhLxYTBEKIqsdaAebaRUeG+sT+GLVqM65VkzP2kO6P2zI7jviDCK
/n8nTsYmsXjmEVo7wbAzkwhpvBXuBROZaodTEo0KrFBR95kZqNTg3uMFl2iRAxr4
FMrK5vAi9jNy8ReSvQIDAQAB
-----END PUBLIC KEY-----

Next, on the WordPress site in question, locate your theme under wp-content/themes/ and edit the functions.php file, inserting your own public key as follows (replacing the $public string with your own results from the first step):

add_action('shopp_setup_payments_init','install_shopp_mp_public_key');
function install_shopp_mp_public_key () {
    // Paste the PUBLIC KEY block printed by `openssl rsa -in private.pem -pubout`
    $public = '-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEAcirjAWEDKzv6trK5zS7FFV
Ef1mxP3bCW0vKhLxYTBEKIqsdaAebaRUeG+sT+GLVqM65VkzP2kO6P2zI7jviDCK
/n8nTsYmsXjmEVo7wbAzkwhpvBXuBROZaodTEo0KrFBR95kZqNTg3uMFl2iRAxr4
FMrK5vAi9jNy8ReSvQIDAQAB
-----END PUBLIC KEY-----';

    // Same array shape the module stores; the key is kept urlencoded in the setting
    $setting = array(
        'label' => 'Credit Card',
        'cards' => array('visa','mc'),
        'public_key' => urlencode($public)
    );

    shopp_set_setting('ManualProcessing',$setting);
}

The above code will insert your public key setting into the database when you log into WordPress as administrator and navigate from the menu to Shopp → System → Payments. After this succeeds (which you can check in the database table, see below), you may remove the code from your theme’s functions.php file.

To check for success, from your MySQL client software, run the following query:

select * from wp_shopp_meta where type='setting' and name='ManualProcessing';

Verify that the contents are essentially correct in the serialized string (the public key should be urlencoded).
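As an added example (not part of the original documentation and not Shopp’s own code), the following Python script performs the verification described above without a MySQL client: it unserializes a wp_shopp_meta setting value in PHP serialize() format, urldecodes the stored public key, parses the PEM/DER to report the RSA modulus size (the 1024-bit key from the Requirements section), and confirms that the stored key is the same one `openssl rsa -in private.pem -pubout` prints, which is also what the Reinstallation fails section requires of a private.pem file. The sample row is constructed in the script from the public key shown in this article; all function names are the example’s own.

```python
import base64
from urllib.parse import quote, unquote_plus

# Constructed sample input: the public key that `openssl rsa -in private.pem -pubout`
# prints in the article above. It is a public key only; nothing here is secret.
OPENSSL_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEAcirjAWEDKzv6trK5zS7FFV
Ef1mxP3bCW0vKhLxYTBEKIqsdaAebaRUeG+sT+GLVqM65VkzP2kO6P2zI7jviDCK
/n8nTsYmsXjmEVo7wbAzkwhpvBXuBROZaodTEo0KrFBR95kZqNTg3uMFl2iRAxr4
FMrK5vAi9jNy8ReSvQIDAQAB
-----END PUBLIC KEY-----"""

def php_urlencode(text):
    """Mimic PHP urlencode(): keep [A-Za-z0-9_.-], encode the rest, space as '+'."""
    return quote(text, safe="-_.").replace("%20", "+")

def php_serialize(value):
    """Minimal PHP serialize() (str/int/bool/list/dict), enough to build a sample setting row."""
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)  # length is in bytes
    if isinstance(value, list):
        value = dict(enumerate(value))                              # PHP list = int-keyed array
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return "a:%d:{%s}" % (len(value), body)

def php_unserialize(data):
    """Minimal PHP unserialize() for s/i/b/a. Works on bytes because lengths are byte counts."""
    buf = data.encode("utf-8") if isinstance(data, str) else data
    value, end = _parse(buf, 0)
    if end != len(buf):
        raise ValueError("trailing data after serialized value")
    return value

def _parse(buf, pos):
    tag = chr(buf[pos])
    if tag in "ib":                                  # i:123;  b:1;
        end = buf.index(b";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag == "s":                                   # s:<bytes>:"...";
        colon = buf.index(b":", pos + 2)
        length, start = int(buf[pos + 2:colon]), colon + 2
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("bad string terminator at %d" % (start + length))
        return buf[start:start + length].decode("utf-8"), start + length + 2
    if tag == "a":                                   # a:<count>:{key;value;...}
        colon = buf.index(b":", pos + 2)
        count, pos, result = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            result[key], pos = _parse(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("bad array terminator at %d" % pos)
        return result, pos + 1
    raise ValueError("unsupported type tag %r at %d" % (tag, pos))

def _der_read(buf, pos, want):
    """Read one DER TLV, check its tag, and return (value_start, value_end)."""
    if buf[pos] != want:
        raise ValueError("expected DER tag 0x%02x at %d, got 0x%02x" % (want, pos, buf[pos]))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_public_numbers(pem):
    """Return (modulus, exponent) from a PEM SubjectPublicKeyInfo, the form `openssl -pubout` prints."""
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    pos, _ = _der_read(der, 0, 0x30)                 # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _der_read(der, pos, 0x30)           # AlgorithmIdentifier (rsaEncryption), skipped
    pos, _ = _der_read(der, alg_end, 0x03)           # BIT STRING wrapping RSAPublicKey
    pos, _ = _der_read(der, pos + 1, 0x30)           # +1 skips the unused-bits octet
    n_start, n_end = _der_read(der, pos, 0x02)       # INTEGER modulus
    e_start, e_end = _der_read(der, n_end, 0x02)     # INTEGER publicExponent
    return int.from_bytes(der[n_start:n_end], "big"), int.from_bytes(der[e_start:e_end], "big")

def sample_setting_row(pem=OPENSSL_PUBLIC_KEY):
    """Constructed wp_shopp_meta value for the setting array shown in the article."""
    return php_serialize({"label": "Credit Card", "cards": ["visa", "mc"],
                          "public_key": php_urlencode(pem)})

def check_stored_setting(serialized_row, openssl_pem):
    """Decode a stored ManualProcessing setting and compare its key with openssl's output."""
    setting = php_unserialize(serialized_row)
    n, e = rsa_public_numbers(unquote_plus(setting["public_key"]))
    return {"label": setting.get("label"),
            "key_bits": n.bit_length(),              # the add-on documents 1024-bit keys
            "exponent": e,
            "matches_openssl_output": (n, e) == rsa_public_numbers(openssl_pem)}

if __name__ == "__main__":
    print(check_stored_setting(sample_setting_row(), OPENSSL_PUBLIC_KEY))
```

To use it against a real store, paste the value column from the SELECT query above into check_stored_setting() in place of the constructed row. Keys are compared by modulus and exponent rather than by string, so line-wrapping or whitespace differences between the database and the openssl output do not cause a false mismatch. The reported key size is informational: 1024-bit RSA is what this add-on documents, but it is well below the 2048-bit minimum current guidance calls for, so treat the size as something to confirm rather than a strength guarantee.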

Finally, you are ready to reinstall the private key file into your authorized web browser: log into WordPress from that browser, proceed to your Payment Settings, click the edit link, and then click Reinstall Key. Upload the private key, and if it fails on the initial attempt, reload the page and attempt once more.

Contact the Help Desk if you require assistance with this procedure.

Errors

This browser is unsupported for Manual Processing administration. Please use Opera 10.50, Google Chrome 5, Apple Safari 4, Mozilla Firefox 3.6, Internet Explorer 8, or a later version of these browsers.

Explanation
This means that your browser does not have support for localStorage. Upgrade to a more recent browser to gain access to this feature.

There was a failure retrieving your private key from the browser, or this transaction was encrypted on a different keypair. Data decryption failed. You may only decrypt secure data from the browser with a proper private key installed. See your Payment Settings to reinstall the correct private key.

Explanation
This means that the current browser you are logged into your WordPress/Shopp admin with does not have the current private key installed to match the stored public key. You should have a private.pem file from the time you originally installed ManualProcessing that matches the stored public key. Use this key file to reinstall the private key into this browser.

Error saving private key into your browser.

Explanation
This means that the browser you are using to install ManualProcessing is having trouble properly installing the private key. Try a different browser.

Invalid private key file.

Explanation
This means that something in your PHP or WordPress hosting environment is interfering with the successful installation of the private key. Try disabling other WordPress plugins and switch to the default theme, and attempt installation again. If the problem persists, contact support.

Invalid private key file or mismatched key.

Explanation
Generally this means that the private key file you are attempting to reinstall (or install in another browser) either does not match the currently stored public key, or has been corrupted (either on your system or during upload to the server on this attempt). Intermittently, it is possible to experience problems with the upload function. Refresh the Payment Settings admin page, and attempt the reinstallation again. If the problem persists, you may be using the incorrect private.pem file.

Comment from Barry:

    If everything else seems in order but the “Decrypt” button doesn’t work, try bumping up the file permissions level for mp.js, which can be found at:

    shopp/gateways/ManualProcessing/behaviors/mp.js

    May 25th

© Ingenesis Limited. Shopp™ is a registered trademark of Ingenesis Limited.