I'm unclear what the DPAPI is supposed to be used-for, as DPAPI is listed on the link in your first email as "DPAPI is focused on providing data protection for users. Because DPAPI requires a password to provide protection, the logical step is for DPAPI to use a user's logon password, which it does, in a way. DPAPI actually uses the user's logon credential." which suggests that it is not suitable for server-side usage. I wonder, then, if the DPAPI requirement is for the end-user system and not your server?
On 21 October 2015 at 11:14, Roger Munford <[email protected] > wrote: > James, > > This system handles fresh local food home deliveries and one user won the > BBC local food retailer of the year a few years ago. It predates > supermarket home delivery and credit card payments was introduced in 2006. > > One of the features is that orders are taken a day or so before packing > and delivery and with weighing and not availables the final bill is > calculated only after packing. Also most customers are regular and many > have standing orders for delivery without ordering > > Credit card details were typed into a desktop app which sent them off to > the (hopefully) fully secure payment gateway. A token is returned which is > used for future payment(s). This token links the credit card details and > the retailer so that even if the token was used by a criminal, all they > could do was transfer money to the retailers account. The token could > therefore be stored without particular security. > > The upgrade required is to allow customers to enter credit card details on > line. The payment company provide a "hosted payment page" which allows > customers to enter details and the token is returned which can be used as > before. The hosted payment page is called with an "Authentication token" > which is given to the retailer but must be held securely - DPAPI is > recommended. The developers know nothing about Linux so it is an unexpected > hurdle for me. > > Thanks for your suggestion. Looks promising. > > Roger > > > > > On 21/10/15 08:16, James Courtier-Dutton wrote: > > > On 20 Oct 2015 13:26, "Roger Munford" < <[email protected]> > [email protected]> wrote: > > > > I am bringing an old desktop payment system up to date to work with the > payment providers new system and also provide a wrapper for a website which > transfers the user to their hosted payment page. > > > > The website is built on the traditional LAMP server. However the website > requires a security key which " is secret and must never be revealed to > anyone and you must ensure that the key is protected on your server by > appropriate security measures such as DPAPI" > > > > I was looking for a Linux equivalent but there does not seem to be one, > but I assume there must be a technique employed on Linux service to > accomplish the same thing. > > > > The payment service providers are a windows shop and aren't very helpful. > > > > Can anybody point me in the right direction? > > > If you are having to become PCI DSS compliant, then things become far more > difficult to get right. > It is far more that just protecting encryption keys. > Linux does have an api for storing keys securly in the kernel. Google > linux kernel key management. > > In general, PCI DSS looks for separation of data at differing sensitivity > levels. In some cases, dedicated hardware is used to encrypt credit card > numbers. > In other cases, you separate up the data and store it in different places. > Eg. Credit card numbers on one server, and the rest of the data on another, > and then you look to lock down the credit card server to the max and not > run any services on it apart from the credit card access api and no web > browsers. > > Kind regards > > James > > > > > -- > Please post to: [email protected] > Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire > LUG URL: http://www.hantslug.org.uk > -------------------------------------------------------------- > -- Daniel Llewellyn
-- Please post to: [email protected] Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire LUG URL: http://www.hantslug.org.uk --------------------------------------------------------------
