System Settings

Show Credit Card Numbers

In a default setup, AbleCommerce's security settings are at their most secure. We do, however, give you control over these sensitive matters. If you are not using an automated payment gateway, you may need to store credit card information in order to process payments after an order is placed. All credit card data is encrypted before it is saved to the database, but only if you have set the encryption key. Under no circumstances should credit card numbers be collected without an encryption key set. As an additional security measure, the AbleCommerce code will never store the full credit card number or the security code. See Encryption Key to set encryption now.

The payment gateways included with AbleCommerce do not require full credit card details once a transaction has been successfully authorized. For enhanced security, you should consider disabling card storage altogether. The benefit of this approach is that you never record a customer's card information at all. However, you should be aware of the following:
Be sure to check the Account Data Lifespan setting if you do not disable credit card storage. The recommended value is 0, which means that as soon as a payment is completed the encrypted account data is wiped from the database. AbleCommerce will not allow you to retain card data longer than 30 days after a payment is completed.

Secure Socket Layer (SSL)

Before accepting live transactions, you will need to make sure that you have an SSL certificate installed. SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after deployment. You will need a certificate issued for a domain that is included in your AbleCommerce license; usually this is the same as the store domain. AbleCommerce does not support any production installation that does not have SSL enabled. Additionally, the application will never display credit card details, even to super users, unless SSL is enabled.

In AbleCommerce, SSL is disabled by default. Before you enable SSL in AbleCommerce, make sure you have an SSL certificate installed and working for the domain that is running your AbleCommerce store. There are many companies that sell SSL certificates and provide support for installation. When basic SSL is enabled in AbleCommerce, the secure pages are automatically used by the login forms, the customer account and checkout processes, shipping quotes, and payment processors. All back-end administration pages also use SSL. Additionally, you can secure all pages from the Configure > Security > SSL Settings page.

Payment Account Data Storage

It is not typically necessary to store payment details when using a live payment processing gateway.
Important: Sensitive account data is encrypted within the database using a secret key. When you deploy AbleCommerce, no key is set. If you are storing credit card data, it is important that you set the encryption key immediately after deployment.

Purging of Credit Card Data

The maintenance routine automatically removes any stored card data that is older than the configured number of days to save. Purging can also be performed manually, and should be done before manually backing up the database. To purge all saved credit card data, press the Purge Now button located to the far right. A confirmation message will appear.

File Upload Filters

You can specify the types of files that are allowed to be uploaded through the AbleCommerce merchant administration pages.

Images: Specify the types of files that can be uploaded through the Catalog > Image and Asset manager.

Themes: Specify the types of files that can be uploaded through the Website > Store Design > Themes page.

Digital Files: Specify the types of files that can be uploaded through the Catalog > Digital Goods > Digital Files page.

Additional Extensions: For security, the following file types will always be denied for upload by the application, regardless of the allowed types configured above: .aspx, .ashx, .asmx, .asp, .exe, .com, .bat, .cmd, .msi, .vb, .vbs, .vbe, .ws, .wsf, .scf, .scr, .pif, .shs, .hta, .jar, .lnk, .msp, .cpl, .msc, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2
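As an added example (not AbleCommerce's own code), the following Python check mirrors the two-layer filter described above: a per-area allowlist that the merchant configures, backed by the fixed list of always-denied extensions. The per-area allowlists and the helper names are constructed assumptions for the example; the denied list is the one given on this page.

```python
import os

# Extensions the application always rejects (taken from the documentation above).
ALWAYS_DENIED = frozenset({
    ".aspx", ".ashx", ".asmx", ".asp", ".exe", ".com", ".bat", ".cmd", ".msi",
    ".vb", ".vbs", ".vbe", ".ws", ".wsf", ".scf", ".scr", ".pif", ".shs", ".hta",
    ".jar", ".lnk", ".msp", ".cpl", ".msc", ".ps1", ".ps1xml", ".ps2", ".ps2xml",
    ".psc1", ".psc2",
})

# Constructed sample allowlists, standing in for whatever a merchant enters
# on the File Upload Filters page for each upload area.
AREA_ALLOWLISTS = {
    "images": {".jpg", ".jpeg", ".png", ".gif"},
    "themes": {".css", ".png", ".jpg"},
    "digital": {".pdf", ".zip"},
}


def _extensions(filename: str) -> list[str]:
    """Return every dotted suffix of the base name, lowercased.

    'photo.aspx.jpg' -> ['.aspx', '.jpg'].  Trailing dots and spaces are
    stripped first because Windows file systems silently drop them.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def is_upload_allowed(filename: str, area: str) -> bool:
    """Allow only if the final extension is on the area allowlist and no
    extension segment is on the always-denied list."""
    exts = _extensions(filename)
    if not exts:
        return False  # a name with no extension cannot match an allowlist
    # Check every segment, not just the last, so a denied type cannot hide
    # behind an allowed suffix.
    if any(e in ALWAYS_DENIED for e in exts):
        return False
    return exts[-1] in AREA_ALLOWLISTS[area]
```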