System Settings


Credit Card Numbers

In a default setup, AbleCommerce's security settings are typically the most secure.  We do, however, give you control over these sensitive matters.  If you are not using an automated payment gateway, then you may need to store credit card information to process payments after an order is placed.

All credit card data is encrypted before it is saved to the database, but only if you have set the encryption key. Under no circumstance should credit card numbers be collected without an encryption key set. As an additional security measure, the AbleCommerce code will never store the full credit card number or security code.

See Encryption Key to set encryption now.

The available payment gateways included with AbleCommerce do not require full credit card details once a transaction has been successfully authorized. For enhanced security, you should consider disabling card storage altogether.  The benefit of this approach is that you gain the security of never recording a customer’s card information. However, you should be aware of the following:

  • If the transaction fails to authorize for any reason, you will not be able to use the "retry" feature from merchant admin, as the card data will not be available.

  • You cannot access the card data for offline processing – you must have a payment gateway configured if you disable credit card storage.

Be sure to check the setting for Account Data Lifespan if you do not disable credit card storage. The recommended value is 0, which means as soon as a payment is completed the encrypted account data will be wiped from the database. AbleCommerce will not allow you to retain the card data longer than 30 days after a payment is completed.

Secure Socket Layer (SSL)

Before accepting live transactions, you will need to make sure that you have an SSL certificate installed.  SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after deployment. You will need to have a certificate issued for a domain that is included in your AbleCommerce license. Usually this is the same as the store domain.  

AbleCommerce does not support any production installation that does not have SSL enabled. Additionally, our application will never display credit card details, even to super users, unless SSL is enabled.

In AbleCommerce, SSL is disabled by default.  Before you enable SSL in AbleCommerce, make sure you have an SSL certificate installed and working for the domain that is running your AbleCommerce store.  There are many companies that sell SSL certificates and provide support for installation.

When basic SSL is enabled in AbleCommerce, the secure pages are automatically used by the login forms, customer account and checkout processes, shipping quotes, and payment processors.  All back-end administration also uses secure SSL pages.  Additionally, you can secure all pages from the Configure > Security > SSL Settings page.

Payment Account Data Storage

It is not typically necessary to store payment details when using a live payment processing gateway.

  1. From the menu, go to the Configure > Security > System Settings page.

  2. Find the Credit Card Data Storage section.

  3. If you need to save payment data, then you can check the box next to Enable Payment Data Storage. This will encrypt and store sensitive credit card information for the length of time specified.  The information is still securely encrypted within the database.

  4. With the first option enabled, you can select the number of Days to Save the credit card number and associated details.  The default and most secure option is "0".  However, for post-order processing or other reasons, you may want to save the information for a few days.

  5. Click the SAVE SETTINGS button when finished.

Important: Sensitive account data is encrypted within the database using a secret key.  When you deploy AbleCommerce, it does not have a key set.  If you are storing credit card data, it is important that you set the encryption key after deployment.

Purging of Credit Card Data

The maintenance routine will automatically remove any stored card data that exceeds the number of days to save. You can also purge saved card data yourself; this is a manual action and should be performed before manually backing up the database.

To purge all saved credit card data, press the Purge Now button located to the far right. A confirmation message will appear.

File Upload Filters

You can specify the types of files that are allowed for uploading through the AbleCommerce merchant administration pages.

Images:  Specify the types of files that can be uploaded through the Catalog > Image and Asset manager.

Themes:  Specify the types of files that can be uploaded through the Website > Store Design > Themes page.

Digital Files:  Specify the types of files that can be uploaded through the Catalog > Digital Goods > Digital Files page.

Additional Extensions: For security, the following file types will always be denied by the application for upload.

.aspx, .ashx, .asmx, .asp, .exe, .com, .bat, .cmd, .msi, .vb, .vbs, .vbe, .ws, .wsf, .scf, .scr, .pif, .shs, .hta, .jar, .lnk, .msp, .cpl, .msc, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2
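
The sketch below shows how a per-area allow list and the always-denied list above can be combined in one upload check. It is an added example, not AbleCommerce's own code. The per-area allowed extensions and the function names are constructed assumptions, and it is deliberately stricter than the page states: it applies the deny list to every dotted suffix of the name, not only the last one.

```python
# Always-denied extensions, copied from the list above.
ALWAYS_DENIED = frozenset("""
.aspx .ashx .asmx .asp .exe .com .bat .cmd .msi .vb .vbs .vbe .ws .wsf .scf
.scr .pif .shs .hta .jar .lnk .msp .cpl .msc .ps1 .ps1xml .ps2 .ps2xml
.psc1 .psc2
""".split())

# Constructed per-area allow lists (assumption: the page does not give the
# values configured for Images, Themes or Digital Files).
ALLOWED = {
    "images": {".gif", ".jpg", ".jpeg", ".png"},
    "themes": {".css", ".skin", ".gif", ".jpg", ".png"},
    "digital_files": {".zip", ".pdf", ".mp3"},
}


def extensions(filename):
    """Return every dotted suffix of the base name, lower-cased."""
    # Keep only the last path component, whichever separator was sent.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces when it creates the file, and
    # ':' starts an NTFS stream name, so normalise both before comparing.
    base = base.split(":", 1)[0].rstrip(". ").lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def check_upload(area, filename):
    """Return (allowed, reason) for a file uploaded to the given admin area."""
    exts = extensions(filename)
    if not exts:
        return False, "no extension"
    # The deny list is applied to every suffix, not only the last one, so
    # 'report.asp.jpg' is refused even though '.jpg' is allowed for images.
    denied = [e for e in exts if e in ALWAYS_DENIED]
    if denied:
        return False, "always denied: " + denied[0]
    if exts[-1] not in ALLOWED.get(area, set()):
        return False, "not allowed for " + area + ": " + exts[-1]
    return True, "ok"
```

Checking every suffix also refuses harmless names such as `www.example.com.png`; that trade-off is a choice of this sketch, not documented AbleCommerce behaviour.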