Currently, the client-side encryption works to append new values to the payment form via hidden form fields. This however still passes the unencrypted field values back to Drupal on submit, thereby nullifying PCI compliance. The values should be replaced with encrypted values rather than appended. The attached patch fixes this.

NB an #element_validate has to be employed to remove the encrypted values from $form_state['input'] so that any reload of the form (eg. validation errors) does not render the fields with encrypted values in them (which would then get encrypted again). A downside to this is that on any reload of the form, encrypted fields (credit card number & security code) must be re-entered.

CommentFileSizeAuthor
#9 eway_integration_replace_values-2512532-8.patch4.76 KBpandaski
#5 Screen Shot 2015-08-19 at 7.10.37 pm.png27.38 KBpandaski
#4 Screen Shot 2015-07-10 at 7.42.07 pm.png35.12 KBpandaski
#1 eway_integration_replace_values-2512532-1.patch3.55 KBbgilhome

Comments

bgilhome’s picture

bgilhome commented
StatusFileSize
new eway_integration_replace_values-2512532-1.patch3.55 KB
pandaski’s picture

pandaski commented
Assigned: Unassigned » pandaski
pandaski’s picture

pandaski commented
Status: Needs review » Needs work

Totally agree with PCI compliance issue

Current release supports cardonfile module for token payment, however, it brings painful experience when we applying encrypted fields as other issues.

Maybe we should start thinking an eway token payment sub module or a different approach to support cardonfile module.

Quick thought here:
On another hand, we can remove commerce credit card and security code validation totally, and reply on eWay API to return error message after submit

pandaski’s picture

pandaski commented
StatusFileSize
new Screen Shot 2015-07-10 at 7.42.07 pm.png35.12 KB

We may need a js or PHP to clear field value when validation failed.

Screen shot

pandaski’s picture

pandaski commented
StatusFileSize
new Screen Shot 2015-08-19 at 7.10.37 pm.png27.38 KB
bgilhome’s picture

bgilhome commented

@joseph-zhao thanks for your feedback. The custom element_validate callback eway_integration_commerce_dc_encrypted_element_validate() should be removing the values from $form_state['input'] for any redraw of the form, is it not working?

pandaski’s picture

pandaski commented

@bgilhome I am in a fresh installation, and as my screen shot, values are not removed after validation failed,

This error message is returned after form submitted, so we may need a hook for form redirection after submit?

thanks for quick feedback.

pandaski’s picture

pandaski commented

Got it

line @199 with your patch

      $element['#attributes']['name'] = '';
      $element['#attributes']['value'] = ''; // add this line to empty value
pandaski’s picture

pandaski commented
StatusFileSize
new eway_integration_replace_values-2512532-8.patch4.76 KB

A new patch - let us see if this one is good for testing

pandaski’s picture

pandaski commented
Status: Needs work » Needs review

  • bgilhome authored 3f1e40a on 7.x-1.x 
    Issue #2512532 by Joseph Zhao, bgilhome: Client-side encryption should...
pandaski’s picture

pandaski commented
Status: Needs review » Patch (to be ported)
pandaski’s picture

pandaski commented
Status: Patch (to be ported) » Closed (fixed)