Kerri Kraft
VeriFone Product Line Marketing Manager
>>>>> This is also an issue with Verifone vPOS, which ships with the
>>>>> Microsoft
>>>>> Site Server, partnered as an evaluation version.
>>>>>
>>>>> Most of these credit card validators have the ability to store items
>>>>> to a
>>>>> logfile, which is often turned on in debugging and testing and never
>>>>> turned
>>>>> off by the administrator...
>>>>>
>>>>> Here are some other interesting things about vPOS and Site Server, for
>>>>> the
>>>>> e-commerce-minded among us:
>>>>>
>>>>> 1. In addition to the debug log mentioned above, the actual Commerce
>>>>> Server
>>>>> store also has the ability to write a very lengthy logfile, called
>>>>> ordinitbf, which can be added into the global.asa of the store, and
>>>>> called
>>>>> using a scriptor component. Again, not very useful unless an
>>>>> administrator
>>>>> turns on logging and never turns it off.
>>>>>
>>>>> Things included in this file include: all shopper info, all address
>>>>> info
>>>>> (billing and shipping), credit card info, including name, exp, and
>>>>> number... you get the idea.
>>>>>
MICROSOFT COMMERCE SERVER IS A PRODUCT DEVELOPED BY MICROSOFT FOR
MERCHANTS WISHING TO ESTABLISH A WEB-BASED STOREFRONT. THE FILE
'ORDINITBF' IS A MICROSOFT FILE AND IS NOT RELATED TO THE FUNCTIONALITY
OF THE THE VERIFONE VPOS PRODUCT. VPOS HAS NO INTERACTION WITH THE
'ORDINIBF' FILE.
>>>>> 2. the vPOS service cannot be started automatically. The encryption
>>>>> string
>>>>> MUST be typed in at start-up. This sequence cannot be automated.
>>>>> Therefore,
>>>>> if a server using vPOS is somehow compromised in the middle of the
>>>>> night,
>>>>> and no administrator is there to restart the service, all transactions
>>>>> will
>>>>> fail until the next time the administrator restarts the service.
>>>>>
REGARDING THE VPOS ENGINE SERVICE, THE SET 1.0 VERSION OF VPOS ENGINE
SERVICE CAN BE STARTED AUTOMATICALLY. HOWEVER, THE ENCRYPTION STRING
MUST BE PROVIDED.
IF THE SERVER USING VPOS IS SOMEHOW COMPROMISED, WHY WOULD YOU WANT TO
RESTART THE ENGINE SERVICE AUTOMATICALLY? WOULDN'T YOU WANT THE SYSTEM
ADMINSTRATOR TO FIRST VERIFY THAT THE SECURITY BREACH DID NOT AFFECT ALL
ASPECTS OF THE NT ENVIRONMENT INCLUDING THE MERCHANT STOREFRONT,
NETWORKING, USERS/PASSWORDS, DATABASES, ETC. BEFORE YOU STARTED YOUR
STOREFRONT SYSTEM UP AUTOMATICALLY? THEY MIGHT HAVE TAMPERED WITH YOUR
STORE PRODUCT DATABASE.
>>>>> 3. In order for vPOS to work with Microsoft Site Server (Commerce
>>>>> Server
>>>>> 2.0), the Commerce Server version 1.0 component wrapper must be used.
>>>>> In
>>>>> order to trick the v1 component wrapper into thinking that Site Server
>>>>> is
>>>>> really Merchant Server 1.0, A LOT of registry entries must be made.
>>>>>
>>>>> Some of these registry entries include the SQL passwords, the NT
>>>>> administrator login passwords, etc. Fun for the whole family, and
>>>>> everything in plaintext.
>>>>>
THIS IS A MICROSOFT SITE SERVER PRODUCT ISSUE THAT YOU SHOULD ADDRESS
WITH MICROSOFT. IT HAS NO RELATION TO THE FUNCTIONALITY OF VPOS.
>>>>> 4. The merchant certificates are stored in the SQL database whose
>>>>> passwords
>>>>> you just typed in plaintext into the registry.
ALL DATA TRANSACTIONS UTILIZING THE SET STANDARD ARE ENCRYPTED.
MERCHANT CERTIFICATES ARE STORED BY VPOS USING AN SQL DATABASE.
CERTIFICATES THEMSELVES ARE NOT TAMERABLE SINCE THEY HAVE BEEN DIGITALLY
SIGNED BY A CERTIFICATE AUTHORITY. VPOS WILL STORE ANY DATA CONSIDERED
SENSITIVE IN AN ENCRYPTED FORM.