Configure > Security

System Settings

In a default setup, AbleCommerce's security settings are typically the most secure.  We do, however, give you control over these sensitive matters.  If you are not using an automated payment gateway, then you may need to store credit card information to process payments after an order is placed.  

Credit Card Numbers

All credit card data is encrypted before it is saved to the database, if you have set the encryption key.  Credit card numbers will never be saved to the database under any circumstance.

The available payment gateways included with AbleCommerce do not require full credit card details once a transaction has been successfully authorized. For enhanced security, you should consider disabling card storage altogether.  The benefit of this approach is that you gain the security of never recording a customer’s card information. However, you should be aware of the following:

  • If the transaction fails to authorize for any reason, you will not be able to use the "retry" feature from merchant admin as the card data will not be available.

  • You cannot access the card data for offline processing – you must have a payment gateway configured if you disable credit card storage.

Be sure to check the setting for Account Data Lifespan if you do not disable credit card storage. The recommended value is 0, which means as soon as a payment is completed the encrypted account data will be wiped from the database. AbleCommerce will not allow you to retain the card data longer than 30 days after a payment is completed.

Secure Socket Layer (SSL)

Before accepting live transactions, you will need to make sure that you have an SSL certificate installed.  SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after deployment. You will need to have a certificate issued for a domain that is included in your AbleCommerce license. Usually this is the same as the store domain.  

AbleCommerce does not support any production installation that does not have SSL enabled. Additionally, our application will never display credit card details, even to super users, unless SSL is enabled.

In AbleCommerce, SSL is disabled by default.  Before you enable SSL in AbleCommerce, make sure you have an SSL certificate installed and working for the domain that is running your AbleCommerce store.  There are many companies that sell SSL certificates and provide support for installation.

When basic SSL is enabled in AbleCommerce, the secure pages are automatically used by the login forms, customer account and checkout processes, shipping quotes, and payment processors.  All backend administration also uses secure SSL pages.  Additionally, you can secure all pages with a setting available in AbleCommerce Gold R11 and later.

Payment Account Data Storage

It is not typically necessary to store payment details when using a live payment processing gateway.

  1. From the top menu, go to the Configure > Security > General page.

  2. In the bottom pane, you will see the Payment Account Data Storage section.

  3. You can select a number of Days to Save the credit card number and associated details.  The default and most secure option is "0".  However, for post order processing or other reasons, you may want to save the information for a few days.

  4. If you have selected to save payment data in the step above, then you can Enable Credit Card Storage to encrypt and store sensitive credit card information for the length of time specified.  The information is still securely encrypted within the database.

  5. Click the SAVE button when finished.

IMPORTANT:

Sensitive account data is encrypted within the database using a secret key.  When you deploy AbleCommerce, it does not have a key set.  If you are storing credit card data it is important that you set the encryption key after deployment.   


Confirm your SSL certificate is working

Before enabling SSL in AbleCommerce, make sure that your SSL certificate is installed and working.  It is possible to get locked out of an install if SSL is enabled but not functioning.

  1. Open a browser window using the same domain name that AbleCommerce is installed to.
    e.g. http://www.my-domain.com

  2. Then, in the Address bar, change HTTP to HTTPS.  The "S" tells the browser to use a secure (encrypted) connection.  
    e.g. https://www.my-domain.com

  3. If you can continue to access the page under a secure connection, your SSL is working.  You will also see a locked icon in the bottom-right corner of your browser. (Icon symbols will vary depending on your browser.)

NOTE: If you get a message like, "The page cannot be displayed" or "The connection was interrupted", then your SSL certificate is either not installed or improperly configured.  If this happens, ask your System Administrator for assistance before continuing.
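The browser check above confirms that the certificate loads, but it does not tell you how long the certificate remains valid or whether it covers the exact host name your store uses. The following script is an added example (not part of AbleCommerce) that performs the same check from the command line: it connects with Python's default verifying context, then reports a name mismatch, an expired certificate, or one that expires within a warning window. The host name www.my-domain.com is the placeholder used on this page; the certificate dates and the 14-day warning threshold are constructed values.

```python
import socket
import ssl
from datetime import datetime, timezone

# Added example of a TLS certificate check; it is not part of AbleCommerce.
# Host names, dates and the warning threshold below are constructed assumptions.

def _dns_names(cert):
    """Collect the DNS names a certificate is valid for (SAN first, CN only as a legacy fallback)."""
    names = [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names

def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate; a wildcard matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in _dns_names(cert):
        if name.startswith("*."):
            suffix = name[1:]                                           # e.g. ".my-domain.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False

def days_until_expiry(cert, now=None):
    """Days left before notAfter (negative once expired). notAfter uses OpenSSL's text form."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (not_after - now).days

def assess_certificate(cert, hostname, now=None, warn_days=14):
    """Return a list of problems; an empty list means the certificate looks usable for hostname."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate has expired")
    elif days < warn_days:
        problems.append(f"certificate expires in {days} day(s)")
    return problems

def check_https(hostname, port=443, timeout=5.0):
    """Connect to hostname:port, let the default context verify chain and name, then assess the leaf."""
    context = ssl.create_default_context()      # CA-chain and hostname verification are on by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate verification failed: {exc.reason}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"no TLS connection to {hostname}:{port}: {exc}"]
    return assess_certificate(cert, hostname)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.my-domain.com"   # placeholder domain from this page
    issues = check_https(host)
    print("SSL OK" if not issues else "\n".join(issues))
```

Run it as `python check_ssl.py www.my-domain.com` from a machine outside your network as well as inside it; a certificate that verifies only from the web server itself (for example because an intermediate certificate is missing) will still lock you out of the store once SSL is enabled.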

Enable SSL in AbleCommerce

  1. From the top menu, go to the Configure > Security > General page.

  2. In the left pane, you will see the Store URL Settings section.

  3. Check the box next to SSL Enabled to turn on basic SSL for your store.  This will enable secure pages for the Merchant Administration, and any other retail side pages that collect or display sensitive information.

  4. Once you have the basic SSL Enabled, you can turn on the Secure All Pages feature which will use a SSL connection for the entire retail side of the store. [New in Gold R11]

  5. (OPTIONAL) If your SSL domain is different from your regular domain, enter it into the SSL Domain field provided.  
    e.g. secure.yoursite.com.  This is not common.

    NOTE:  You must have an AbleCommerce license key that supports this feature.

  6. Click the SAVE SETTINGS button to continue.

  7. A message will appear telling you to open the SSL link shown before confirming the change.  Click the link as instructed.

  8. If you were able to access the page, then check the box next to "The link above is accessible, save the new SSL settings."  
    If you were not able to access the page, then return to the section above, "Confirm your SSL certificate is working".

  9. Click FINISH to save your settings.

Disable SSL in AbleCommerce

In some cases, such as moving an AbleCommerce database, you need to disable the SSL setting if the new website does not have a working SSL certificate.

You can disable the SSL setting in AbleCommerce by un-checking the box next to SSL Enabled in the Secure Sockets Layer (SSL) section of the Configure > Security > General page.

Customizing SSL Settings

In the ..\App_Data\AbleCommerce.config file, you can add additional directories or files within the securePages tag.

<securePages enabled="true" ignoreHandlers="WithStandardExtensions">
  <directories>
    <add path="Admin" recurse="true" />
    <add path="Members" recurse="true" />
    <add path="Checkout" recurse="true" />
    <add path="FCKeditor" recurse="true" state="Ignore" />
  </directories>
  <files>
    <add path="Login.aspx" />
    <add path="Members/MyWishlist.aspx" state="Off" />
    <add path="Members/SendMyWishlist.aspx" state="Off" />
    <add path="Admin/Utility/EditHtml.aspx" state="Ignore" />
  </files>
</securePages>
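To see how directory and file entries combine before you add your own, the following added example (not AbleCommerce code) reads a securePages section and reports which state applies to a request path. It uses the section shown above plus one hypothetical custom directory, "Reports", declared with recurse="false". The precedence it applies is an assumption for illustration: an exact file entry wins over any directory entry, the longest matching directory wins otherwise, a missing state means "On", and a path with no rule is left alone ("Ignore"). The ignoreHandlers attribute is not modelled. The example also canonicalizes the path (URL-decoding, collapsing "..", unifying separators and case) before matching, since rules matched against the raw request string can be sidestepped by a differently spelled path.

```python
import xml.etree.ElementTree as ET
from posixpath import normpath
from urllib.parse import unquote

# Constructed example: the securePages section from the page plus one hypothetical
# custom directory ("Reports", recurse="false") added the way the text describes.
# This resolver is an illustration, not AbleCommerce's own implementation.
SAMPLE_CONFIG = """
<securePages enabled="true" ignoreHandlers="WithStandardExtensions">
  <directories>
    <add path="Admin" recurse="true" />
    <add path="Members" recurse="true" />
    <add path="Checkout" recurse="true" />
    <add path="FCKeditor" recurse="true" state="Ignore" />
    <add path="Reports" recurse="false" />
  </directories>
  <files>
    <add path="Login.aspx" />
    <add path="Members/MyWishlist.aspx" state="Off" />
    <add path="Members/SendMyWishlist.aspx" state="Off" />
    <add path="Admin/Utility/EditHtml.aspx" state="Ignore" />
  </files>
</securePages>
"""

def load_rules(xml_text):
    """Parse a securePages element into (enabled, directory rules, file rules)."""
    root = ET.fromstring(xml_text.strip())
    node = root if root.tag == "securePages" else root.find(".//securePages")
    enabled = node.get("enabled", "false").lower() == "true"
    dirs = [
        (e.get("path").strip("/").lower(),
         e.get("recurse", "false").lower() == "true",
         e.get("state", "On"))                      # assumption: no state attribute means "On"
        for e in node.findall("./directories/add")
    ]
    files = {e.get("path").strip("/").lower(): e.get("state", "On")
             for e in node.findall("./files/add")}
    return enabled, dirs, files

def canonical_path(request_path):
    """Decode, unify separators, collapse '.'/'..' segments and lower-case (IIS paths are case-insensitive)."""
    path = unquote(request_path).replace("\\", "/")
    return normpath("/" + path).lstrip("/").lower()

def required_state(request_path, rules):
    """Return 'On' (HTTPS required), 'Off' (HTTP) or 'Ignore' for a request path.
    Assumed precedence: exact file entry > longest matching directory entry > no rule (Ignore)."""
    enabled, dirs, files = rules
    if not enabled:
        return "Ignore"
    path = canonical_path(request_path)
    if path in files:
        return files[path]
    best = None
    for directory, recurse, state in dirs:
        if path.startswith(directory + "/"):
            remainder = path[len(directory) + 1:]
            # a non-recursive entry only covers files directly inside the directory
            if (recurse or "/" not in remainder) and (best is None or len(directory) > len(best[0])):
                best = (directory, state)
    return best[1] if best else "Ignore"

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for sample in ("/Admin/Orders/Default.aspx", "/Members/MyWishlist.aspx",
                   "/Reports/Archive/Old.aspx", "/Admin/../Default.aspx"):
        print(f"{sample:32} -> {required_state(sample, rules)}")
```

When you add your own directory, prefer recurse="true" unless you are certain nothing sensitive will ever be placed in a subfolder; a non-recursive entry silently leaves deeper paths unprotected, as the "Reports" example shows.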

File Upload Filters

You can specify the types of files that are allowed for uploading through the AbleCommerce merchant administration pages.

Assets:  Specify the types of files that can be uploaded through the Image and Asset manager.

Themes:  Specify the types of files that can be uploaded through the Website > Themes Manager.

Digital Goods:  Specify the types of files that can be uploaded through the Digital File upload page.
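The filters above are allow-lists by file type. As an added example (not AbleCommerce's own check), the code below shows the shape such a filter should have: it keeps a separate allow-list per category, drops any path the client supplies with the name, and refuses names that carry a server-side ASP.NET extension anywhere in the name, not just at the end, so that a file the server might later execute cannot slip through behind an innocuous final extension. The allow-lists and category names are constructed for illustration; your own lists are whatever you configure on this page.

```python
import ntpath

# Constructed allow-lists for the three upload categories named on the page.
# They are illustrations only; the real lists are whatever the administrator configures.
ALLOWED_EXTENSIONS = {
    "assets": {"jpg", "jpeg", "png", "gif", "pdf"},
    "themes": {"css", "png", "jpg", "gif"},
    "digital_goods": {"zip", "pdf", "mp3", "epub"},
}

# Extensions that the ASP.NET pipeline treats as server-side code or configuration.
# Never accept these for any category, even as an inner extension ("page.aspx.jpg"):
# a file renamed later or served by a lenient handler could run on the web server.
SERVER_SIDE_EXTENSIONS = {"aspx", "ascx", "ashx", "asmx", "asax", "config", "cs", "vb",
                          "dll", "exe", "cshtml", "svc", "master", "skin", "bat", "ps1"}

def upload_permitted(filename, category):
    """True only if the final extension is on the category allow-list and no part of
    the name carries a server-side extension. Any client-supplied path is discarded."""
    allowed = ALLOWED_EXTENSIONS.get(category)
    if allowed is None:
        return False
    # ntpath.basename splits on both '\\' and '/', so "..\\x" and "../x" both reduce to "x"
    name = ntpath.basename(filename).strip()
    if not name or "\0" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:          # no extension, or a trailing dot
        return False
    extensions = parts[1:]
    if any(ext in SERVER_SIDE_EXTENSIONS for ext in extensions):
        return False
    return extensions[-1] in allowed

if __name__ == "__main__":
    for sample, category in (("logo.png", "assets"), ("page.aspx.jpg", "assets"),
                             ("..\\..\\web.config", "themes"), ("album.zip", "digital_goods")):
        print(f"{sample:24} {category:14} -> {'allowed' if upload_permitted(sample, category) else 'rejected'}")
```

Keep each category's list as short as the workflow allows; the Themes list in particular should not include anything ASP.NET compiles or interprets, because theme files are written into the web application's own folders.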


Related Topics

Manage > Orders > Payments (Credit Card Transactions)
Process credit card payments and refunds online.

Configure > Security > Encryption Key
Secure your data by changing the encryption key.