How to Purge Credit Card Numbers Stored on Magento 1.9.1.0

databasemagento-1.9payment-methodsSecurity

We used the 'Saved CC' payment method in our Magento 1.9.1.0 store and now we would like to delete the credit card numbers for security reasons.

What is the easiest procedure to delete all credit card numbers?

UPDATE ON SEPTEMBER 21st, 2018:

I just tried to do that. I go to phpMyAdmin in the cPanel. There are 2 databases:

mySITE_mySITE

information schema

I highlight either, click on SQL, and enter the following lines (one at a time):

UPDATE sales_flat_order_payment SET cc_number_enc=NULL;
UPDATE sales_flat_order_payment SET cc_type=NULL;
UPDATE sales_flat_order_payment SET cc_last4=NULL;
UPDATE sales_flat_order_payment SET cc_owner=NULL;
UPDATE sales_flat_order_payment SET cc_exp_month=NULL;
UPDATE sales_flat_order_payment SET cc_exp_year=NULL;


UPDATE sales_flat_quote_payment SET cc_number_enc=NULL;
UPDATE sales_flat_quote_payment SET cc_type=NULL;
UPDATE sales_flat_quote_payment SET cc_last4=NULL;
UPDATE sales_flat_quote_payment SET cc_owner=NULL;
UPDATE sales_flat_quote_payment SET cc_exp_month=NULL;
UPDATE sales_flat_quote_payment SET cc_exp_year=NULL;

But then it gives me the following Errors:

Error
SQL query:
UPDATE sales_flat_order_payment SET cc_number_enc=NULL
MySQL said:  
#1146 - Table 'mySITE_mySITER.sales_flat_order_payment' doesn't exist



Error
SQL query:
UPDATE sales_flat_order_payment SET cc_number_enc=NULL
MySQL said:  
#1109 - Unknown table 'sales_flat_order_payment' in information_schema

What am I doing wrong?

Another UPDATE on September 21st:

it turns out that all that I needed to do was to add mg_ in front of the code like this:

UPDATE mg_sales_flat_order_payment SET cc_number_enc=NULL;
UPDATE mg_sales_flat_order_payment SET cc_type=NULL;
UPDATE mg_sales_flat_order_payment SET cc_last4=NULL;
UPDATE mg_sales_flat_order_payment SET cc_owner=NULL;
UPDATE mg_sales_flat_order_payment SET cc_exp_month=NULL;
UPDATE mg_sales_flat_order_payment SET cc_exp_year=NULL;


UPDATE mg_sales_flat_quote_payment SET cc_number_enc=NULL;
UPDATE mg_sales_flat_quote_payment SET cc_type=NULL;
UPDATE mg_sales_flat_quote_payment SET cc_last4=NULL;
UPDATE mg_sales_flat_quote_payment SET cc_owner=NULL;
UPDATE mg_sales_flat_quote_payment SET cc_exp_month=NULL;
UPDATE mg_sales_flat_quote_payment SET cc_exp_year=NULL;

And now it works!

Best Answer

The encrypted credit card numbers are stored in the cc_number_enc column of the sales_flat_order_payment table. With this SQL query you can delete them all:

UPDATE sales_flat_order_payment SET cc_number_enc=NULL;

To delete all credit card data, do the same with the other columns that start with cc_:

cc_type
cc_number_enc
cc_last4
cc_owner
cc_exp_month
cc_exp_year

Related Solutions

Magento – How does magento encrypt credit card numbers

According to Magento:

Strong Data Encryption, Hashing and Key Management Strong data encryption based on AES-256 and strong hashing based on SHA-256. Database keys are easily managed and updated.

From my understanding and some quick glances at code:

Community is mainly Mcrypt and Blowfish (ECB Mode) based, as Don pointed out in the comments.

Enterprise uses a custom class for PCI compliance which uses both Mcrypt and Blowfish as with different cyphers and stronger encryption.

MCRYPT_RIJNDAEL_128,MCRYPT_RIJNDAEL_256,HASH_VERSION_SHA256,etc.

https://en.wikipedia.org/wiki/Blowfish_(cipher)

Both using a combination of MD5, salting and hashes.

You can override the encryption models if you wished to use your own:

 /**
 * @return Mage_Core_Model_Encryption
 */
public function getEncryptor()
{
    if ($this->_encryptor === null) {
        $encryptionModel = (string)Mage::getConfig()->getNode(self::XML_PATH_ENCRYPTION_MODEL);
        if ($encryptionModel) {
            $this->_encryptor = new $encryptionModel;
        } else {
            $this->_encryptor = Mage::getModel('core/encryption');
        }

        $this->_encryptor->setHelper($this);
    }
    return $this->_encryptor;
}

https://github.com/OpenMage/magento-mirror/blob/magento-1.9/app/code/core/Mage/Core/Helper/Data.php#L79

With that said, storing Credit Card data makes you a target and future legal issues possibly.

However I have seen scrapping hacks that are capturing data input before it is encrypted and logging it. So simply not storing them makes you immune either. This is proof that other exploits outside of Magento in its stack should always be considered.

As far as encryption strength, that would be a better question for:

https://crypto.stackexchange.com/

Magento – Automatically Determine Credit Card Type

There's a great post about this on stackoverflow. You can check the answers here: https://stackoverflow.com/questions/72768/how-do-you-detect-credit-card-type-based-on-number.

The two post important excerpts:

Visa: ^4[0-9]{6,}$ Visa card numbers start with a 4.

MasterCard: ^5[1-5][0-9]{5,}$ MasterCard numbers start with the numbers 51 through 55, but this will only detect MasterCard credit cards; there are other cards issued using the MasterCard system that do not fall into this IIN range.

American Express: ^3[47][0-9]{5,}$ American Express card numbers start with 34 or 37.

Diners Club: ^3(?:0[0-5]|[68][0-9])[0-9]{4,}$ Diners Club card numbers begin with 300 through 305, 36 or 38. There are Diners Club cards that begin with 5 and have 16 digits. These are a joint venture between Diners Club and MasterCard, and should be processed like a MasterCard.

Discover: ^6(?:011|5[0-9]{2})[0-9]{3,}$ Discover card numbers begin with 6011 or 65.

JCB: ^(?:2131|1800|35[0-9]{3})[0-9]{3,}$ JCB cards begin with 2131, 1800 or 35.

And a full class actually

class CreditcardType
    {
   public static $creditcardTypes = array(
            array('Name'=>'American Express','cardLength'=>array(15),'cardPrefix'=>array('34', '37'))
            ,array('Name'=>'Maestro','cardLength'=>array(12, 13, 14, 15, 16, 17, 18, 19),'cardPrefix'=>array('5018', '5020', '5038', '6304', '6759', '6761', '6763'))
            ,array('Name'=>'Mastercard','cardLength'=>array(16),'cardPrefix'=>array('51', '52', '53', '54', '55'))
            ,array('Name'=>'Visa','cardLength'=>array(13,16),'cardPrefix'=>array('4'))
            ,array('Name'=>'JCB','cardLength'=>array(16),'cardPrefix'=>array('3528', '3529', '353', '354', '355', '356', '357', '358'))
            ,array('Name'=>'Discover','cardLength'=>array(16),'cardPrefix'=>array('6011', '622126', '622127', '622128', '622129', '62213',
                                        '62214', '62215', '62216', '62217', '62218', '62219',
                                        '6222', '6223', '6224', '6225', '6226', '6227', '6228',
                                        '62290', '62291', '622920', '622921', '622922', '622923',
                                        '622924', '622925', '644', '645', '646', '647', '648',
                                        '649', '65'))
            ,array('Name'=>'Solo','cardLength'=>array(16, 18, 19),'cardPrefix'=>array('6334', '6767'))
            ,array('Name'=>'Unionpay','cardLength'=>array(16, 17, 18, 19),'cardPrefix'=>array('622126', '622127', '622128', '622129', '62213', '62214',
                                        '62215', '62216', '62217', '62218', '62219', '6222', '6223',
                                        '6224', '6225', '6226', '6227', '6228', '62290', '62291',
                                        '622920', '622921', '622922', '622923', '622924', '622925'))
            ,array('Name'=>'Diners Club','cardLength'=>array(14),'cardPrefix'=>array('300', '301', '302', '303', '304', '305', '36'))
            ,array('Name'=>'Diners Club US','cardLength'=>array(16),'cardPrefix'=>array('54', '55'))
            ,array('Name'=>'Diners Club Carte Blanche','cardLength'=>array(14),'cardPrefix'=>array('300','305'))
            ,array('Name'=>'Laser','cardLength'=>array(16, 17, 18, 19),'cardPrefix'=>array('6304', '6706', '6771', '6709'))
    );     
        private function __construct() {}    
        public static function getType($CCNumber)
        {
            $CCNumber= trim($CCNumber);
            $type='Unknown';
            foreach (CreditcardType::$creditcardTypes as $card){
                if (! in_array(strlen($CCNumber),$card['cardLength'])) {
                    continue;
                }
                $prefixes = '/^('.implode('|',$card['cardPrefix']).')/';            
                if(preg_match($prefixes,$CCNumber) == 1 ){
                    $type= $card['Name'];
                    break;
                }
            }
            return $type;
        }
    }

What is the easiest procedure to delete all credit card numbers?

Best Answer

Related Solutions

Magento – How does magento encrypt credit card numbers

Magento – Automatically Determine Credit Card Type

Related Topic