I'm unclear what the DPAPI is supposed to be used-for, as DPAPI is listed
on the link in your first email as "DPAPI is focused on providing data
protection for users. Because DPAPI requires a password to provide
protection, the logical step is for DPAPI to use a user's logon password,
which it does, in a way. DPAPI actually uses the user's logon credential."
which suggests that it is not suitable for server-side usage. I wonder,
then, if the DPAPI requirement is for the end-user system and not your
server?
On 21 October 2015 at 11:14, Roger Munford <rogermunford@???
> wrote:
> James,
>
> This system handles fresh local food home deliveries and one user won the
> BBC local food retailer of the year a few years ago. It predates
> supermarket home delivery and credit card payments was introduced in 2006.
>
> One of the features is that orders are taken a day or so before packing
> and delivery and with weighing and not availables the final bill is
> calculated only after packing. Also most customers are regular and many
> have standing orders for delivery without ordering
>
> Credit card details were typed into a desktop app which sent them off to
> the (hopefully) fully secure payment gateway. A token is returned which is
> used for future payment(s). This token links the credit card details and
> the retailer so that even if the token was used by a criminal, all they
> could do was transfer money to the retailers account. The token could
> therefore be stored without particular security.
>
> The upgrade required is to allow customers to enter credit card details on
> line. The payment company provide a "hosted payment page" which allows
> customers to enter details and the token is returned which can be used as
> before. The hosted payment page is called with an "Authentication token"
> which is given to the retailer but must be held securely - DPAPI is
> recommended. The developers know nothing about Linux so it is an unexpected
> hurdle for me.
>
> Thanks for your suggestion. Looks promising.
>
> Roger
>
>
>
>
> On 21/10/15 08:16, James Courtier-Dutton wrote:
>
>
> On 20 Oct 2015 13:26, "Roger Munford" < <rogermunford@???>
> rogermunford@???> wrote:
> >
> > I am bringing an old desktop payment system up to date to work with the
> payment providers new system and also provide a wrapper for a website which
> transfers the user to their hosted payment page.
> >
> > The website is built on the traditional LAMP server. However the website
> requires a security key which " is secret and must never be revealed to
> anyone and you must ensure that the key is protected on your server by
> appropriate security measures such as DPAPI"
> >
> > I was looking for a Linux equivalent but there does not seem to be one,
> but I assume there must be a technique employed on Linux service to
> accomplish the same thing.
> >
> > The payment service providers are a windows shop and aren't very helpful.
> >
> > Can anybody point me in the right direction?
> >
> If you are having to become PCI DSS compliant, then things become far more
> difficult to get right.
> It is far more that just protecting encryption keys.
> Linux does have an api for storing keys securly in the kernel. Google
> linux kernel key management.
>
> In general, PCI DSS looks for separation of data at differing sensitivity
> levels. In some cases, dedicated hardware is used to encrypt credit card
> numbers.
> In other cases, you separate up the data and store it in different places.
> Eg. Credit card numbers on one server, and the rest of the data on another,
> and then you look to lock down the credit card server to the max and not
> run any services on it apart from the credit card access api and no web
> browsers.
>
> Kind regards
>
> James
>
>
>
>
> --
> Please post to: Hampshire@???
> Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
> LUG URL: http://www.hantslug.org.uk
> --------------------------------------------------------------
>
--
Daniel Llewellyn
--
Please post to: Hampshire@???
Web Interface:
https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL:
http://www.hantslug.org.uk
--------------------------------------------------------------