• Toll-free  888-665-8637
  • International  +1 717-220-0012
mzirino
#1 Posted : Friday, March 13, 2009 2:54:23 PM(UTC)
mzirino

Rank: Member

Joined: 4/8/2008(UTC)
Posts: 21

One of our clients, in response to keeping up with PCI compliance, wants to change their credit card encryption key. Is there any way to do this outside of going into the database and changing "Cryptography3DesKey" in webapp settings? Also, what is the format of the key (length, valid characters) if I want to generate a new one?
Marcus
#2 Posted : Friday, March 13, 2009 4:14:04 PM(UTC)
Marcus

Rank: Member

Joined: 11/5/2003(UTC)
Posts: 1,786

There is no automatic way to do this. This is the main reason why PCI-DSS application certification is taking so long from us. We have to create a mechanism to 1) securely manage keys, 2) allow key changes at the click of a button at least once a year.

This involves keeping track of which items are encrypted with which keys and then decrypting them, then encrypting them again with a new key.

BV Commerce Hosted will manage this automatically. BV Commerce Toolkit will get this feature as part of a PCI Compliance update. Don't ask for a date. We just don't know yet.
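
The bookkeeping described in the post above (record which key encrypted each item, decrypt, re-encrypt under the new key), sketched as an added example that is not BV Commerce code and not part of the original posts. It targets .NET 8 and uses AES-GCM rather than the product's 3DES setting; the `KeyRing` class, the key ids and the stored format are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added illustration (targets .NET 8): key ids, stored format and card numbers are constructed.
class KeyRing
{
    private readonly Dictionary<string, byte[]> keys = new Dictionary<string, byte[]>();
    public string CurrentId { get; private set; } = "";
    // Registers a 32-byte AES key under an id (ids must not contain ':') and makes it current.
    public void AddKey(string id, byte[] key) { keys[id] = key; CurrentId = id; }

    // Stored form "<keyId>:<base64(nonce || tag || ciphertext)>"; the key id is also
    // authenticated as associated data, so a row relabelled with another id fails to decrypt.
    public string Encrypt(string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length], tag = new byte[16];
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        using (var aes = new AesGcm(keys[CurrentId], 16))
            aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(CurrentId));
        return CurrentId + ":" + Convert.ToBase64String(nonce.Concat(tag).Concat(ct).ToArray());
    }

    public string Decrypt(string stored)
    {
        int sep = stored.IndexOf(':');
        string id = stored.Substring(0, sep);
        byte[] blob = Convert.FromBase64String(stored.Substring(sep + 1));
        byte[] pt = new byte[blob.Length - 28];
        using (var aes = new AesGcm(keys[id], 16))
            aes.Decrypt(blob[..12], blob[28..], blob[12..28], pt, Encoding.UTF8.GetBytes(id));
        return Encoding.UTF8.GetString(pt);
    }

    // Idempotent: rows already under the current key are skipped, so an interrupted job can be rerun.
    public string Rotate(string stored) =>
        stored.StartsWith(CurrentId + ":", StringComparison.Ordinal) ? stored : Encrypt(Decrypt(stored));

    static void Main()
    {
        var ring = new KeyRing();
        ring.AddKey("k1", RandomNumberGenerator.GetBytes(32));
        var rows = new List<string> { ring.Encrypt("4111111111111111"), ring.Encrypt("5555555555554444") };
        ring.AddKey("k2", RandomNumberGenerator.GetBytes(32)); // new key becomes current
        rows = rows.Select(r => ring.Rotate(r)).ToList();
        Console.WriteLine(rows.All(r => r.StartsWith("k2:") && ring.Decrypt(r).Length == 16));
    }
}
```

The old key (`k1` here) can be retired only once no stored value anywhere still carries its id, which is why every encrypted field, not just the card column, needs the key id recorded with it.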
mzirino
#3 Posted : Friday, March 13, 2009 6:51:53 PM(UTC)
mzirino

Rank: Member

Joined: 4/8/2008(UTC)
Posts: 21

mzirino
#4 Posted : Wednesday, April 1, 2009 1:28:26 PM(UTC)
mzirino

Rank: Member

Joined: 4/8/2008(UTC)
Posts: 21

In order to be PCI compliant, I wrote a program to re-encrypt the credit cards in BVC 5.3.2, but found also that users whose passwords were TripleDESEncrypted were unable to log in afterwards. However, in the code, I see no relation between WebAppSettings.CryptographyDS3Key and the code used to decrypt passwords.

Is there any reason why changing the credit card encryption key would cause users to be unable to log in?


Also, I recently restored a Win 2008 server running BV5.3.2 onto a new machine. The site operated extremely slowly, particularly, I noticed it was taking 15 seconds to validate the BVlicense twice per page call in UserAccount.DoesUserHaveAllPermissions().

Is there any reason why moving a server to new hardware would cause a delay in validating the BV License?


Thanks,

Marco
©2024 Develisys. All rights reserved.